From 4d94f2aea9812ef311696e8c09c8f717d1a44514 Mon Sep 17 00:00:00 2001 From: Bryan Killian Date: Thu, 13 Apr 2023 03:27:06 -0400 Subject: updating network name to reflect new limitation from 11 to 9 --- docs/configuration/container/index.rst | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) (limited to 'docs/configuration') diff --git a/docs/configuration/container/index.rst b/docs/configuration/container/index.rst index c23a6184..0487f863 100644 --- a/docs/configuration/container/index.rst +++ b/docs/configuration/container/index.rst @@ -182,11 +182,11 @@ Example Configuration .. code-block:: none - set container network zabbix-net prefix 172.20.0.0/16 - set container network zabbix-net description 'Network for Zabbix component containers' + set container network zabbix prefix 172.20.0.0/16 + set container network zabbix description 'Network for Zabbix component containers' set container name mysql-server image mysql:8.0 - set container name mysql-server network zabbix-net + set container name mysql-server network zabbix set container name mysql-server environment 'MYSQL_DATABASE' value 'zabbix' set container name mysql-server environment 'MYSQL_USER' value 'zabbix' @@ -194,10 +194,10 @@ Example Configuration set container name mysql-server environment 'MYSQL_ROOT_PASSWORD' value 'root_pwd' set container name zabbix-java-gateway image zabbix/zabbix-java-gateway:alpine-5.2-latest - set container name zabbix-java-gateway network zabbix-net + set container name zabbix-java-gateway network zabbix set container name zabbix-server-mysql image zabbix/zabbix-server-mysql:alpine-5.2-latest - set container name zabbix-server-mysql network zabbix-net + set container name zabbix-server-mysql network zabbix set container name zabbix-server-mysql environment 'DB_SERVER_HOST' value 'mysql-server' set container name zabbix-server-mysql environment 'MYSQL_DATABASE' value 'zabbix' @@ -210,7 +210,7 @@ Example Configuration set container name zabbix-server-mysql port zabbix destination 10051 set container name zabbix-web-nginx-mysql image zabbix/zabbix-web-nginx-mysql:alpine-5.2-latest - set container name zabbix-web-nginx-mysql network zabbix-net + set container name zabbix-web-nginx-mysql network zabbix set container name zabbix-web-nginx-mysql environment 'MYSQL_DATABASE' value 'zabbix' set container name zabbix-web-nginx-mysql environment 'ZBX_SERVER_HOST' value 'zabbix-server-mysql' -- cgit v1.2.3 From 0ed155b05523c755a9eb777c49a3a0fd4b56149e Mon Sep 17 00:00:00 2001 From: Christian Breunig Date: Mon, 25 Dec 2023 09:14:05 +0100 Subject: snmp: T5855: migrate "set service lldp snmp enable" to "set service lldp snmp" --- docs/configuration/service/lldp.rst | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'docs/configuration') diff --git a/docs/configuration/service/lldp.rst b/docs/configuration/service/lldp.rst index aa357211..12a9e0b6 100644 --- a/docs/configuration/service/lldp.rst +++ b/docs/configuration/service/lldp.rst @@ -54,7 +54,7 @@ Configuration Disable transmit of LLDP frames on given ``. Useful to exclude certain interfaces from LLDP when ``all`` have been enabled. -.. cfgcmd:: set service lldp snmp enable +.. cfgcmd:: set service lldp snmp Enable SNMP queries of the LLDP database -- cgit v1.2.3 From fd3073eef7bcbd64112e0581ba10afb58100b30d Mon Sep 17 00:00:00 2001 From: Viacheslav Hletenko Date: Mon, 25 Dec 2023 17:23:32 +0200 Subject: Add system update-check example Add an example of online checking for updates ``` set system update-check auto-check set system update-check url ``` --- docs/configuration/system/index.rst | 1 + docs/configuration/system/updates.rst | 37 +++++++++++++++++++++++++++++++++++ 2 files changed, 38 insertions(+) create mode 100644 docs/configuration/system/updates.rst (limited to 'docs/configuration') diff --git a/docs/configuration/system/index.rst b/docs/configuration/system/index.rst index bfda7747..dbb63d09 100644 --- a/docs/configuration/system/index.rst +++ b/docs/configuration/system/index.rst @@ -25,6 +25,7 @@ System sysctl task-scheduler time-zone + updates .. toctree:: diff --git a/docs/configuration/system/updates.rst b/docs/configuration/system/updates.rst new file mode 100644 index 00000000..a55bfa9a --- /dev/null +++ b/docs/configuration/system/updates.rst @@ -0,0 +1,37 @@ +####### +Updates +####### + +VyOS supports online checking for updates + +Configuration +============= + +.. cfgcmd:: set system update-check auto-check + + Configure auto-checking for new images + + +.. cfgcmd:: set system update-check url + + Configure a URL that contains information about images. + + +Example +======= + +.. code-block:: none + + set system update-check auto-check + set system update-check url 'https://raw.githubusercontent.com/vyos/vyos-rolling-nightly-builds/main/version.json' + +Check: + +.. code-block:: none + + vyos@r4:~$ show system updates + Current version: 1.5-rolling-202312220023 + + Update available: 1.5-rolling-202312250024 + Update URL: https://github.com/vyos/vyos-rolling-nightly-builds/releases/download/1.5-rolling-202312250024/1.5-rolling-202312250024-amd64.iso + vyos@r4:~$ -- cgit v1.2.3 From 0c5e77aea59cbb50af527c59770584d232c97f52 Mon Sep 17 00:00:00 2001 From: Nicolas Fort Date: Tue, 26 Dec 2023 08:55:02 -0300 Subject: Add configuration commands and brief example of firewall Flowtables. Also re-add commands for firewall state policies, which now can eb found under section --- docs/configuration/firewall/flowtables.rst | 140 ++++++++++++++++++++++++- docs/configuration/firewall/global-options.rst | 34 +++++- 2 files changed, 170 insertions(+), 4 deletions(-) (limited to 'docs/configuration') diff --git a/docs/configuration/firewall/flowtables.rst b/docs/configuration/firewall/flowtables.rst index 8b44a9b9..bc7b9212 100644 --- a/docs/configuration/firewall/flowtables.rst +++ b/docs/configuration/firewall/flowtables.rst @@ -1,4 +1,4 @@ -:lastproofread: 2023-11-08 +:lastproofread: 2023-12-26 .. _firewall-flowtables-configuration: @@ -13,7 +13,7 @@ Overview ******** In this section there's useful information of all firewall configuration that -can be done regarding flowtables +can be done regarding flowtables. .. cfgcmd:: set firewall flowtables ... @@ -50,3 +50,139 @@ flowtable (flowtable miss), the packet follows the classic IP forwarding path. .. note:: **Flowtable Reference:** https://docs.kernel.org/networking/nf_flowtable.html + + +*********************** +Flowtable Configuration +*********************** + +In order to use flowtables, the minimal configuration needed includes: + + * Create flowtable: create flowtable, which includes the interfaces + that are going to be used by the flowtable. + + * Create firewall rule: create a firewall rule, setting action to + ``offload`` and using desired flowtable for ``offload-target``. + +Creating a flow table: + +.. cfgcmd:: set firewall flowtable interface + + Define interfaces to be used in the flowtable. + +.. cfgcmd:: set firewall flowtable description + +Provide a description to the flow table. + +.. cfgcmd:: set firewall flowtable offload + + + Define type of offload to be used by the flowtable: ``hardware`` or + ``software``. By default, ``software`` offload is used. + +.. note:: **Hardware offload:** should be supported by the NICs used. + +Creating rules for using flow tables: + +.. cfgcmd:: set firewall [ipv4 | ipv4] forward filter rule <1-999999> + action offload + + Create firewall rule in forward chain, and set action to ``offload``. + +.. cfgcmd:: set firewall [ipv4 | ipv4] forward filter rule <1-999999> + offload-target + + Create firewall rule in forward chain, and define which flowtbale + should be used. Only applicable if action is ``offload``. + +********************* +Configuration Example +********************* + +Things to be considred in this setup: + + * Two interfaces are going to be used in the flowtables: eth0 and eth1 + + * Minumum firewall ruleset is provided, which includes some filtering rules, + and appropiate rules for using flowtable offload capabilities. + +As described, first packet will be evaluated by all the firewall path, so +desired connection should be explicitely accepted. Same thing should be taken +into account for traffic in reverse order. In most cases state policies are +used in order to accept connection in reverse patch. + +We will only accept traffic comming from interface eth0, protocol tcp and +destination port 1122. All other traffic traspassing the router should be +blocked. + +Commands +-------- + +.. code-block:: none + + set firewall flowtable FT01 interface 'eth0' + set firewall flowtable FT01 interface 'eth1' + set firewall ipv4 forward filter default-action 'drop' + set firewall ipv4 forward filter rule 10 action 'offload' + set firewall ipv4 forward filter rule 10 offload-target 'FT01' + set firewall ipv4 forward filter rule 10 state 'established' + set firewall ipv4 forward filter rule 10 state 'related' + set firewall ipv4 forward filter rule 20 action 'accept' + set firewall ipv4 forward filter rule 20 state 'established' + set firewall ipv4 forward filter rule 20 state 'related' + set firewall ipv4 forward filter rule 110 action 'accept' + set firewall ipv4 forward filter rule 110 destination address '192.0.2.100' + set firewall ipv4 forward filter rule 110 destination port '1122' + set firewall ipv4 forward filter rule 110 inbound-interface name 'eth0' + set firewall ipv4 forward filter rule 110 protocol 'tcp' + +Explanation +----------- + +Analysis on what happens for desired connection: + + 1. First packet is received on eht0, with destination address 192.0.2.100, + protocol tcp and destination port 1122. Assume such destination address is + reachable through interface eth1. + + 2. Since this is the first packet, connection status of this connection, + so far is **new**. So neither rule 10 nor 20 are valid. + + 3. Rule 110 is hit, so connection is accepted. + + 4. Once answer from server 192.0.2.100 is seen in opposite direction, + connection state will be triggered to **established**, so this reply is + accepted in rule 10. + + 5. Second packet for this connection is received by the router. Since + connection state is **established**, then rule 10 is hit, and a new entry + in the flowtable FT01 is added for this connection. + + 6. All subsecuent packets will skip traditional path, and will be offloaded + and will use the **Fast Path**. + +Checks +------ + +It's time to check conntrack table, to see if any connection was accepted, +and if was properly offloaded + +.. code-block:: none + + vyos@FlowTables:~$ show firewall ipv4 forward filter + Ruleset Information + + --------------------------------- + ipv4 Firewall "forward filter" + + Rule Action Protocol Packets Bytes Conditions + ------- -------- ---------- --------- ------- ---------------------------------------------------------------- + 10 offload all 8 468 ct state { established, related } flow add @VYOS_FLOWTABLE_FT01 + 20 accept all 8 468 ct state { established, related } accept + 110 accept tcp 2 120 ip daddr 192.0.2.100 tcp dport 1122 iifname "eth0" accept + default drop all 7 420 + + vyos@FlowTables:~$ sudo conntrack -L | grep tcp + conntrack v1.4.6 (conntrack-tools): 5 flow entries have been shown. + tcp 6 src=198.51.100.100 dst=192.0.2.100 sport=41676 dport=1122 src=192.0.2.100 dst=198.51.100.100 sport=1122 dport=41676 [OFFLOAD] mark=0 use=2 + vyos@FlowTables:~$ diff --git a/docs/configuration/firewall/global-options.rst b/docs/configuration/firewall/global-options.rst index 316e0802..455e530b 100644 --- a/docs/configuration/firewall/global-options.rst +++ b/docs/configuration/firewall/global-options.rst @@ -1,4 +1,4 @@ -:lastproofread: 2023-11-07 +:lastproofread: 2023-12-026 .. _firewall-global-options-configuration: @@ -114,4 +114,34 @@ Configuration Enable or Disable VyOS to be :rfc:`1337` conform. The following system parameter will be altered: - * ``net.ipv4.tcp_rfc1337`` \ No newline at end of file + * ``net.ipv4.tcp_rfc1337`` + +.. cfgcmd:: set firewall global-options state-policy established action + [accept | drop | reject] + +.. cfgcmd:: set firewall global-options state-policy established log + +.. cfgcmd:: set firewall global-options state-policy established log-level + [emerg | alert | crit | err | warn | notice | info | debug] + + Set the global setting for an established connection. + +.. cfgcmd:: set firewall global-options state-policy invalid action + [accept | drop | reject] + +.. cfgcmd:: set firewall global-options state-policy invalid log + +.. cfgcmd:: set firewall global-options state-policy invalid log-level + [emerg | alert | crit | err | warn | notice | info | debug] + + Set the global setting for invalid packets. + +.. cfgcmd:: set firewall global-options state-policy related action + [accept | drop | reject] + +.. cfgcmd:: set firewall global-options state-policy related log + +.. cfgcmd:: set firewall global-options state-policy related log-level + [emerg | alert | crit | err | warn | notice | info | debug] + + Set the global setting for related connections. -- cgit v1.2.3 From 0893ca769b1796d2d61dc26a0c0c13d1eda56f5e Mon Sep 17 00:00:00 2001 From: Nicolas Fort Date: Wed, 27 Dec 2023 06:52:57 -0300 Subject: dhcp-server: update docs for op-mode command --- docs/configuration/firewall/global-options.rst | 2 +- docs/configuration/service/dhcp-server.rst | 34 ++++++++++++++++++++++---- 2 files changed, 30 insertions(+), 6 deletions(-) (limited to 'docs/configuration') diff --git a/docs/configuration/firewall/global-options.rst b/docs/configuration/firewall/global-options.rst index 455e530b..b3f311aa 100644 --- a/docs/configuration/firewall/global-options.rst +++ b/docs/configuration/firewall/global-options.rst @@ -1,4 +1,4 @@ -:lastproofread: 2023-12-026 +:lastproofread: 2023-12-26 .. _firewall-global-options-configuration: diff --git a/docs/configuration/service/dhcp-server.rst b/docs/configuration/service/dhcp-server.rst index b5b12a5b..0cc10feb 100644 --- a/docs/configuration/service/dhcp-server.rst +++ b/docs/configuration/service/dhcp-server.rst @@ -549,18 +549,43 @@ Operation Mode .. code-block:: none vyos@vyos:~$ show dhcp server leases - IP address Hardware address State Lease start Lease expiration Remaining Pool Hostname - -------------- ------------------ ------- ------------------- ------------------- ---------- ----------- --------- - 192.0.2.104 00:53:01:dd:ee:ff active 2019/12/05 14:24:23 2019/12/06 02:24:23 6:05:35 dhcpexample test1 - 192.0.2.115 00:53:01:ae:af:bf active 2019/12/05 18:02:37 2019/12/06 06:02:37 9:43:49 dhcpexample test2 + IP Address MAC address State Lease start Lease expiration Remaining Pool Hostname Origin + -------------- ----------------- ------- ------------------- ------------------- ----------- -------- ---------- -------- + 192.168.11.134 00:50:79:66:68:09 active 2023/11/29 09:51:05 2023/11/29 10:21:05 0:24:10 LAN VPCS1 local + 192.168.11.133 50:00:00:06:00:00 active 2023/11/29 09:51:38 2023/11/29 10:21:38 0:24:43 LAN VYOS-6 local + 10.11.11.108 50:00:00:05:00:00 active 2023/11/29 09:51:43 2023/11/29 10:21:43 0:24:48 VIF-1001 VYOS5 local + 192.168.11.135 00:50:79:66:68:07 active 2023/11/29 09:55:16 2023/11/29 09:59:16 0:02:21 remote + vyos@vyos:~$ .. hint:: Static mappings aren't shown. To show all states, use ``show dhcp server leases state all``. +.. opcmd:: show dhcp server leases origin [local | remote] + + Show statuses of all active leases granted by local (this server) or + remote (failover server): + +.. code-block:: none + + vyos@vyos:~$ show dhcp server leases origin remote + IP Address MAC address State Lease start Lease expiration Remaining Pool Hostname Origin + -------------- ----------------- ------- ------------------- ------------------- ----------- -------- ---------- -------- + 192.168.11.135 00:50:79:66:68:07 active 2023/11/29 09:55:16 2023/11/29 09:59:16 0:02:21 remote + vyos@vyos:~$ + .. opcmd:: show dhcp server leases pool Show only leases in the specified pool. +.. code-block:: none + + vyos@vyos:~$ show dhcp server leases pool LAN + IP Address MAC address State Lease start Lease expiration Remaining Pool Hostname Origin + -------------- ----------------- ------- ------------------- ------------------- ----------- ------ ---------- -------- + 192.168.11.134 00:50:79:66:68:09 active 2023/11/29 09:51:05 2023/11/29 10:21:05 0:23:55 LAN VPCS1 local + 192.168.11.133 50:00:00:06:00:00 active 2023/11/29 09:51:38 2023/11/29 10:21:38 0:24:28 LAN VYOS-6 local + vyos@vyos:~$ + .. opcmd:: show dhcp server leases sort Sort the output by the specified key. Possible keys: ip, hardware_address, @@ -572,7 +597,6 @@ Operation Mode free, expired, released, abandoned, reset, backup (default = active) - *********** IPv6 server *********** -- cgit v1.2.3 From 3c4d9ec2e93740eb9bd398736b228af356d2b2a8 Mon Sep 17 00:00:00 2001 From: Nicolas Fort Date: Wed, 27 Dec 2023 07:45:07 -0300 Subject: System Conntrack: update commands for timeout rules; update commands for ignore rules, since both ipv4 and ipv6 rules are supported. --- docs/configuration/system/conntrack.rst | 149 ++++++++++++++++++++------------ 1 file changed, 93 insertions(+), 56 deletions(-) (limited to 'docs/configuration') diff --git a/docs/configuration/system/conntrack.rst b/docs/configuration/system/conntrack.rst index 68a4f2b8..6ed5fef7 100644 --- a/docs/configuration/system/conntrack.rst +++ b/docs/configuration/system/conntrack.rst @@ -46,9 +46,23 @@ Configure | Use `delete system conntrack modules` to deactive all modules. | Or, for example ftp, `delete system conntrack modules ftp`. +.. cfgcmd:: set system conntrack tcp half-open-connections <1-21474836> + :defaultvalue: -Define Conection Timeouts -========================= + Set the maximum number of TCP half-open connections. + +.. cfgcmd:: set system conntrack tcp loose + :defaultvalue: + + Policy to track previously established connections. + +.. cfgcmd:: set system conntrack tcp max-retrans <1-2147483647> + :defaultvalue: + + Set the number of TCP maximum retransmit attempts. + +Contrack Timeouts +================= VyOS supports setting timeouts for connections according to the connection type. You can set timeout values for generic connections, for ICMP @@ -82,34 +96,48 @@ states. Set the timeout in secounds for a protocol or state. - You can also define custom timeout values to apply to a specific subset of connections, based on a packet and flow selector. To do this, you need to create a rule defining the packet and flow selector. -.. cfgcmd:: set system conntrack timeout custom rule <1-9999> description +.. cfgcmd:: set system conntrack timeout custom [ipv4 | ipv6] rule <1-999999> + description Set a rule description. +.. cfgcmd:: set system conntrack timeout custom [ipv4 | ipv6] rule <1-999999> + destination address +.. cfgcmd:: set system conntrack timeout custom [ipv4 | ipv6] rule <1-999999> + source address -.. cfgcmd:: set system conntrack timeout custom rule <1-9999> destination address -.. cfgcmd:: set system conntrack timeout custom rule <1-9999> source address - - set a destination and/or source address. Accepted input: + Set a destination and/or source address. Accepted input for ipv4: .. code-block:: none - IP address to match - Subnet to match - - - IP range to match - ! Match everything except the specified address - ! Match everything except the specified subnet - !- - Match everything except the specified range - -.. cfgcmd:: set system conntrack timeout custom rule <1-9999> destination port -.. cfgcmd:: set system conntrack timeout custom rule <1-9999> source port + set system conntrack timeout custom ipv4 rule <1-999999> [source | destination] address + Possible completions: + IPv4 address to match + IPv4 prefix to match + - IPv4 address range to match + ! Match everything except the specified address + ! Match everything except the specified prefix + !- Match everything except the specified range + + set system conntrack timeout custom ipv6 rule <1-999999> [source | destination] address + Possible completions: + IP address to match + Subnet to match + - + IP range to match + ! Match everything except the specified address + ! Match everything except the specified prefix + !- + Match everything except the specified range + +.. cfgcmd:: set system conntrack timeout custom [ipv4 | ipv6] rule <1-999999> + destination port +.. cfgcmd:: set system conntrack timeout custom [ipv4 | ipv6] rule <1-999999> + source port Set a destination and/or source port. Accepted input: @@ -123,49 +151,58 @@ create a rule defining the packet and flow selector. The whole list can also be "negated" using '!'. For example: `!22,telnet,http,123,1001-1005`` - - -.. cfgcmd:: set system conntrack timeout custom rule <1-9999> protocol icmp <1-21474836> -.. cfgcmd:: set system conntrack timeout custom rule <1-9999> protocol other <1-21474836> -.. cfgcmd:: set system conntrack timeout custom rule <1-9999> protocol tcp close <1-21474836> -.. cfgcmd:: set system conntrack timeout custom rule <1-9999> protocol tcp close-wait <1-21474836> -.. cfgcmd:: set system conntrack timeout custom rule <1-9999> protocol tcp established <1-21474836> -.. cfgcmd:: set system conntrack timeout custom rule <1-9999> protocol tcp fin-wait <1-21474836> -.. cfgcmd:: set system conntrack timeout custom rule <1-9999> protocol tcp last-ack <1-21474836> -.. cfgcmd:: set system conntrack timeout custom rule <1-9999> protocol tcp syn-recv <1-21474836> -.. cfgcmd:: set system conntrack timeout custom rule <1-9999> protocol tcp syn-sent <1-21474836> -.. cfgcmd:: set system conntrack timeout custom rule <1-9999> protocol tcp time-wait <1-21474836> -.. cfgcmd:: set system conntrack timeout custom rule <1-9999> protocol udp other <1-21474836> -.. cfgcmd:: set system conntrack timeout custom rule <1-9999> protocol udp stream <1-21474836> +.. cfgcmd:: set system conntrack timeout custom [ipv4 | ipv6] rule <1-999999> + protocol tcp close <1-21474836> +.. cfgcmd:: set system conntrack timeout custom [ipv4 | ipv6] rule <1-999999> + protocol tcp close-wait <1-21474836> +.. cfgcmd:: set system conntrack timeout custom [ipv4 | ipv6] rule <1-999999> + protocol tcp established <1-21474836> +.. cfgcmd:: set system conntrack timeout custom [ipv4 | ipv6] rule <1-999999> + protocol tcp fin-wait <1-21474836> +.. cfgcmd:: set system conntrack timeout custom [ipv4 | ipv6] rule <1-999999> + protocol tcp last-ack <1-21474836> +.. cfgcmd:: set system conntrack timeout custom [ipv4 | ipv6] rule <1-999999> + protocol tcp syn-recv <1-21474836> +.. cfgcmd:: set system conntrack timeout custom [ipv4 | ipv6] rule <1-999999> + protocol tcp syn-sent <1-21474836> +.. cfgcmd:: set system conntrack timeout custom [ipv4 | ipv6] rule <1-999999> + protocol tcp time-wait <1-21474836> +.. cfgcmd:: set system conntrack timeout custom [ipv4 | ipv6] rule <1-999999> + protocol udp replied <1-21474836> +.. cfgcmd:: set system conntrack timeout custom [ipv4 | ipv6] rule <1-999999> + protocol udp unreplied <1-21474836> Set the timeout in secounds for a protocol or state in a custom rule. - -.. cfgcmd:: set system conntrack tcp half-open-connections <1-21474836> - :defaultvalue: - - Set the maximum number of TCP half-open connections. - -.. cfgcmd:: set system conntrack tcp loose - :defaultvalue: - - Policy to track previously established connections. - -.. cfgcmd:: set system conntrack tcp max-retrans <1-2147483647> - :defaultvalue: - - Set the number of TCP maximum retransmit attempts. - -.. cfgcmd:: set system conntrack ignore rule <1-9999> description -.. cfgcmd:: set system conntrack ignore rule <1-9999> destination address -.. cfgcmd:: set system conntrack ignore rule <1-9999> destination port -.. cfgcmd:: set system conntrack ignore rule <1-9999> inbound-interface -.. cfgcmd:: set system conntrack ignore rule <1-9999> protocol -.. cfgcmd:: set system conntrack ignore rule <1-9999> source address -.. cfgcmd:: set system conntrack ignore rule <1-9999> source port +Conntrack ignore rules +====================== Customized ignore rules, based on a packet and flow selector. +.. cfgcmd:: set system conntrack ignore [ipv4 | ipv6] rule <1-999999> + description +.. cfgcmd:: set system conntrack ignore [ipv4 | ipv6] rule <1-999999> + destination address +.. cfgcmd:: set system conntrack ignore [ipv4 | ipv6] rule <1-999999> + destination port +.. cfgcmd:: set system conntrack ignore [ipv4 | ipv6] rule <1-999999> + inbound-interface +.. cfgcmd:: set system conntrack ignore [ipv4 | ipv6] rule <1-999999> + protocol +.. cfgcmd:: set system conntrack ignore [ipv4 | ipv6] rule <1-999999> + source address +.. cfgcmd:: set system conntrack ignore [ipv4 | ipv6] rule <1-999999> + source port +.. cfgcmd:: set system conntrack ignore [ipv4 | ipv6] rule <1-999999> + tcp flags [not] + + Allowed values fpr TCP flags: ``ack``, ``cwr``, ``ecn``, ``fin``, ``psh``, + ``rst``, ``syn`` and ``urg``. Multiple values are supported, and for + inverted selection use ``not``, as shown in the example. + +Conntrack log +============= + .. cfgcmd:: set system conntrack log icmp destroy .. cfgcmd:: set system conntrack log icmp new .. cfgcmd:: set system conntrack log icmp update -- cgit v1.2.3 From 5933ffbe44c626b77c93af68e18123a66dd12b63 Mon Sep 17 00:00:00 2001 From: fett0 Date: Wed, 27 Dec 2023 16:37:24 -0300 Subject: ocserv: add http-security-headers documentation --- docs/configuration/vpn/openconnect.rst | 7 +++++++ 1 file changed, 7 insertions(+) (limited to 'docs/configuration') diff --git a/docs/configuration/vpn/openconnect.rst b/docs/configuration/vpn/openconnect.rst index 1cc197e9..845d9196 100644 --- a/docs/configuration/vpn/openconnect.rst +++ b/docs/configuration/vpn/openconnect.rst @@ -165,6 +165,13 @@ Simple setup with one user added and password authentication: set vpn openconnect ssl ca-certificate 'ca-ocserv' set vpn openconnect ssl certificate 'srv-ocserv' +To enable the HTTP security headers in the configuration file, use the command: + +.. code-block:: none + + set vpn openconnect http-security-headers + + Adding a 2FA with an OTP-key ============================ -- cgit v1.2.3 From 05215848a5df37a4cc4075a58b05f19871a56306 Mon Sep 17 00:00:00 2001 From: Christian Breunig Date: Sat, 30 Dec 2023 10:44:58 +0100 Subject: system: T5877: Shorten system domain-search config path Documentation pdate for https://github.com/vyos/vyos-1x/pull/2718 --- docs/configuration/system/name-server.rst | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) (limited to 'docs/configuration') diff --git a/docs/configuration/system/name-server.rst b/docs/configuration/system/name-server.rst index f18cb5a3..5d08dbc5 100644 --- a/docs/configuration/system/name-server.rst +++ b/docs/configuration/system/name-server.rst @@ -48,7 +48,7 @@ In order for the system to use and complete unqualified host names, a list can be defined which will be used for domain searches. -.. cfgcmd:: set system domain-search domain +.. cfgcmd:: set system domain-search Use this command to define domains, one at a time, so that the system uses them to complete unqualified host names. Maximum: 6 entries. @@ -68,7 +68,7 @@ order: vyos.io (first), vyos.net (second) and vyos.network (last): .. code-block:: none - set system domain-search domain vyos.io - set system domain-search domain vyos.net - set system domain-search domain vyos.network + set system domain-search vyos.io + set system domain-search vyos.net + set system domain-search vyos.network -- cgit v1.2.3 From e39d7d8990dd0f107b328258ecf67e3e4a1b179e Mon Sep 17 00:00:00 2001 From: Giggum <152240782+Giggum@users.noreply.github.com> Date: Fri, 5 Jan 2024 00:29:03 -0500 Subject: docs: fix to improve readability and correct typos. --- docs/configuration/firewall/index.rst | 40 +++++++++++++++++------------------ 1 file changed, 20 insertions(+), 20 deletions(-) (limited to 'docs/configuration') diff --git a/docs/configuration/firewall/index.rst b/docs/configuration/firewall/index.rst index 3887e26a..bdfc2069 100644 --- a/docs/configuration/firewall/index.rst +++ b/docs/configuration/firewall/index.rst @@ -5,30 +5,30 @@ Firewall ######## With VyOS being based on top of Linux and its kernel, the Netfilter project -created the iptables and now the successor nftables for the Linux kernel to +created iptables and its successor nftables for the Linux kernel to work directly on the data flows. This now extends the concept of zone-based security to allow for manipulating the data at multiple stages once accepted by the network interface and the driver before being handed off to the -destination (e.g. a web server OR another device). +destination (e.g., a web server OR another device). -A simplified traffic flow, based on Netfilter packet flow, is shown next, in +A simplified traffic flow diagram, based on Netfilter packet flow, is shown next, in order to have a full view and understanding of how packets are processed, and -what possible paths can take. +what possible paths traffic can take. .. figure:: /_static/images/firewall-gral-packet-flow.png -Main notes regarding this packet flow and terminology used in VyOS firewall: +Main points regarding this packet flow and terminology used in VyOS firewall are below: - * **Bridge Port?**: choose appropiate path based on if interface were the + * **Bridge Port?**: choose appropriate path based on whether interface where the packet was received is part of a bridge, or not. -If interface were the packet was received isn't part of a bridge, then packet +If interface where the packet was received isn't part of a bridge, then packet is processed at the **IP Layer**: * **Prerouting**: several actions can be done in this stage, and currently - these actions are defined in different parts in vyos configuration. Order + these actions are defined in different parts in VyOS configuration. Order is important, and all these actions are performed before any actions - define under ``firewall`` section. Relevant configuration that acts in + defined under ``firewall`` section. Relevant configuration that acts in this stage are: * **Conntrack Ignore**: rules defined under ``set system conntrack ignore @@ -40,12 +40,12 @@ is processed at the **IP Layer**: * **Destination NAT**: rules defined under ``set [nat | nat66] destination...``. - * **Destination is the router?**: choose appropiate path based on - destination IP address. Transit forward continunes to **forward**, + * **Destination is the router?**: choose appropriate path based on + destination IP address. Transit forward continues to **forward**, while traffic that destination IP address is configured on the router continues to **input**. - * **Input**: stage where traffic destinated to the router itself can be + * **Input**: stage where traffic destined for the router itself can be filtered and controlled. This is where all rules for securing the router should take place. This includes ipv4 and ipv6 filtering rules, defined in: @@ -61,10 +61,10 @@ is processed at the **IP Layer**: * ``set firewall ipv6 forward filter ...``. - * **Output**: stage where traffic that is originated by the router itself - can be filtered and controlled. Bare in mind that this traffic can be a - new connection originted by a internal process running on VyOS router, - such as NTP, or can be a response to traffic received externaly through + * **Output**: stage where traffic that originates from the router itself + can be filtered and controlled. Bear in mind that this traffic can be a + new connection originated by a internal process running on VyOS router, + such as NTP, or a response to traffic received externaly through **inputt** (for example response to an ssh login attempt to the router). This includes ipv4 and ipv6 filtering rules, defined in: @@ -79,11 +79,11 @@ is processed at the **IP Layer**: * **Source NAT**: rules defined under ``set [nat | nat66] destination...``. -If interface were the packet was received is part of a bridge, then packet -is processed at the **Bridge Layer**, which contains a ver basic setup where -for bridge filtering: +If interface where the packet was received is part of a bridge, then packet +is processed at the **Bridge Layer**, which contains a basic setup for +bridge filtering: - * **Forward (Bridge)**: stage where traffic that is trasspasing through the + * **Forward (Bridge)**: stage where traffic that is trespasing through the bridge is filtered and controlled: * ``set firewall bridge forward filter ...``. -- cgit v1.2.3 From 59ed69455cea99d5d905ffdef51690eb85de5e13 Mon Sep 17 00:00:00 2001 From: Viacheslav Hletenko Date: Wed, 3 Jan 2024 13:42:54 +0200 Subject: updates: add system image latest If we configure "update-check url" we can use `latest` option to update system image. ``` add system image latest ``` --- docs/configuration/system/updates.rst | 2 ++ docs/installation/update.rst | 9 ++++++++- 2 files changed, 10 insertions(+), 1 deletion(-) (limited to 'docs/configuration') diff --git a/docs/configuration/system/updates.rst b/docs/configuration/system/updates.rst index a55bfa9a..505d9318 100644 --- a/docs/configuration/system/updates.rst +++ b/docs/configuration/system/updates.rst @@ -35,3 +35,5 @@ Check: Update available: 1.5-rolling-202312250024 Update URL: https://github.com/vyos/vyos-rolling-nightly-builds/releases/download/1.5-rolling-202312250024/1.5-rolling-202312250024-amd64.iso vyos@r4:~$ + + vyos@r4:~$ add system image latest diff --git a/docs/installation/update.rst b/docs/installation/update.rst index 5f75f9db..b0b43836 100644 --- a/docs/installation/update.rst +++ b/docs/installation/update.rst @@ -10,7 +10,7 @@ for the new image to boot using the current configuration. .. note:: Only LTS releases are PGP-signed. -.. opcmd:: add system image [vrf name] +.. opcmd:: add system image | [latest] [vrf name] [username user [password pass]] Use this command to install a new system image. You can reach the @@ -72,6 +72,13 @@ Example OK. This image will be named: vyos-1.3-rolling-201912201452 +You can use ``latest`` option. It loads the latest available Rolling release. + +.. code-block:: none + + vyos@vyos:~$ add system image latest + +.. note:: To use the `latest` option the "system update-check url" must be configured. .. hint:: The most up-do-date Rolling Release for AMD64 can be accessed using the following URL: -- cgit v1.2.3 From 8e2932ebb426534b6727836c51395077ed8ed490 Mon Sep 17 00:00:00 2001 From: Christian Breunig Date: Fri, 5 Jan 2024 22:55:37 +0100 Subject: pki: T5886: add support for ACME protocol (LetsEncrypt) --- docs/configuration/pki/index.rst | 44 +++++++++++++++++++++++++++++++++++++++- 1 file changed, 43 insertions(+), 1 deletion(-) (limited to 'docs/configuration') diff --git a/docs/configuration/pki/index.rst b/docs/configuration/pki/index.rst index 66ad84a3..1fea13ac 100644 --- a/docs/configuration/pki/index.rst +++ b/docs/configuration/pki/index.rst @@ -1,4 +1,4 @@ -:lastproofread: 2021-09-01 +:lastproofread: 2024-01-05 .. include:: /_include/need_improvement.txt @@ -248,6 +248,44 @@ certificates used by services on this router. If CA is present, this certificate will be included in generated CRLs +ACME +^^^^ + +The VyOS PKI subsystem can also be used to automatically retrieve Certificates +using the :abbr:`ACME (Automatic Certificate Management Environment)` protocol. + +.. cfgcmd:: set pki certificate acme domain-name + + Domain names to apply, multiple domain-names can be specified. + + This is a mandatory option + +.. cfgcmd:: set pki certificate acme email
+ + Email used for registration and recovery contact. + + This is a mandatory option + +.. cfgcmd:: set pki certificate acme listen-address
+ + The address the server listens to during http-01 challenge + +.. cfgcmd:: set pki certificate acme rsa-key-size <2048 | 3072 | 4096> + + Size of the RSA key. + + This options defaults to 2048 + +.. cfgcmd:: set pki certificate acme url + + ACME Directory Resource URI. + + This defaults to https://acme-v02.api.letsencrypt.org/directory + + .. note:: During initial deployment we recommend using the staging API + of LetsEncrypt to prevent and blacklisting of your system. The API + endpoint is https://acme-staging-v02.api.letsencrypt.org/directory + Operation ========= @@ -292,3 +330,7 @@ also to display them. .. opcmd:: show pki crl Show a list of installed :abbr:`CRLs (Certificate Revocation List)`. + +.. opcmd:: renew certbot + + Manually trigger certificate renewal. This will be done twice a day. -- cgit v1.2.3 From 7132481c92e169348ac3f6750be8ce45c2f2b5dd Mon Sep 17 00:00:00 2001 From: Giggum <152240782+Giggum@users.noreply.github.com> Date: Fri, 5 Jan 2024 22:40:42 -0500 Subject: fix to add more fixes on top of previous pull request --- docs/configuration/firewall/index.rst | 35 +++---- docs/configuration/firewall/index.rst~ | 179 +++++++++++++++++++++++++++++++++ 2 files changed, 197 insertions(+), 17 deletions(-) create mode 100644 docs/configuration/firewall/index.rst~ (limited to 'docs/configuration') diff --git a/docs/configuration/firewall/index.rst b/docs/configuration/firewall/index.rst index bdfc2069..74d5bc20 100644 --- a/docs/configuration/firewall/index.rst +++ b/docs/configuration/firewall/index.rst @@ -4,26 +4,27 @@ Firewall ######## -With VyOS being based on top of Linux and its kernel, the Netfilter project +As VyOS is based on Linux it leverages its firewall. The Netfilter project created iptables and its successor nftables for the Linux kernel to -work directly on the data flows. This now extends the concept of zone-based -security to allow for manipulating the data at multiple stages once accepted -by the network interface and the driver before being handed off to the -destination (e.g., a web server OR another device). +work directly on packet data flows. This now extends the concept of +zone-based security to allow for manipulating the data at multiple stages once +accepted by the network interface and the driver before being handed off to +the destination (e.g., a web server OR another device). -A simplified traffic flow diagram, based on Netfilter packet flow, is shown next, in -order to have a full view and understanding of how packets are processed, and -what possible paths traffic can take. +A simplified traffic flow diagram, based on Netfilter packet flow, is shown +next, in order to have a full view and understanding of how packets are +processed, and what possible paths traffic can take. .. figure:: /_static/images/firewall-gral-packet-flow.png -Main points regarding this packet flow and terminology used in VyOS firewall are below: +The main points regarding this packet flow and terminology used in VyOS +firewall are covered below: - * **Bridge Port?**: choose appropriate path based on whether interface where the - packet was received is part of a bridge, or not. + * **Bridge Port?**: choose appropriate path based on whether interface + where the packet was received is part of a bridge, or not. -If interface where the packet was received isn't part of a bridge, then packet -is processed at the **IP Layer**: +If the interface where the packet was received isn't part of a bridge, then +packetis processed at the **IP Layer**: * **Prerouting**: several actions can be done in this stage, and currently these actions are defined in different parts in VyOS configuration. Order @@ -79,8 +80,8 @@ is processed at the **IP Layer**: * **Source NAT**: rules defined under ``set [nat | nat66] destination...``. -If interface where the packet was received is part of a bridge, then packet -is processed at the **Bridge Layer**, which contains a basic setup for +If the interface where the packet was received is part of a bridge, then +packetis processed at the **Bridge Layer**, which contains a basic setup for bridge filtering: * **Forward (Bridge)**: stage where traffic that is trespasing through the @@ -88,7 +89,7 @@ bridge filtering: * ``set firewall bridge forward filter ...``. -Main structure VyOS firewall cli is shown next: +The main structure VyOS firewall cli is shown next: .. code-block:: none @@ -134,7 +135,7 @@ Main structure VyOS firewall cli is shown next: - custom_zone_name + ... -Please, refer to appropiate section for more information about firewall +Please, refer to appropriate section for more information about firewall configuration: .. toctree:: diff --git a/docs/configuration/firewall/index.rst~ b/docs/configuration/firewall/index.rst~ new file mode 100644 index 00000000..bdfc2069 --- /dev/null +++ b/docs/configuration/firewall/index.rst~ @@ -0,0 +1,179 @@ +:lastproofread: 2023-11-23 + +######## +Firewall +######## + +With VyOS being based on top of Linux and its kernel, the Netfilter project +created iptables and its successor nftables for the Linux kernel to +work directly on the data flows. This now extends the concept of zone-based +security to allow for manipulating the data at multiple stages once accepted +by the network interface and the driver before being handed off to the +destination (e.g., a web server OR another device). + +A simplified traffic flow diagram, based on Netfilter packet flow, is shown next, in +order to have a full view and understanding of how packets are processed, and +what possible paths traffic can take. + +.. figure:: /_static/images/firewall-gral-packet-flow.png + +Main points regarding this packet flow and terminology used in VyOS firewall are below: + + * **Bridge Port?**: choose appropriate path based on whether interface where the + packet was received is part of a bridge, or not. + +If interface where the packet was received isn't part of a bridge, then packet +is processed at the **IP Layer**: + + * **Prerouting**: several actions can be done in this stage, and currently + these actions are defined in different parts in VyOS configuration. Order + is important, and all these actions are performed before any actions + defined under ``firewall`` section. Relevant configuration that acts in + this stage are: + + * **Conntrack Ignore**: rules defined under ``set system conntrack ignore + [ipv4 | ipv6] ...``. + + * **Policy Route**: rules defined under ``set policy [route | route6] + ...``. + + * **Destination NAT**: rules defined under ``set [nat | nat66] + destination...``. + + * **Destination is the router?**: choose appropriate path based on + destination IP address. Transit forward continues to **forward**, + while traffic that destination IP address is configured on the router + continues to **input**. + + * **Input**: stage where traffic destined for the router itself can be + filtered and controlled. This is where all rules for securing the router + should take place. This includes ipv4 and ipv6 filtering rules, defined + in: + + * ``set firewall ipv4 input filter ...``. + + * ``set firewall ipv6 input filter ...``. + + * **Forward**: stage where transit traffic can be filtered and controlled. + This includes ipv4 and ipv6 filtering rules, defined in: + + * ``set firewall ipv4 forward filter ...``. + + * ``set firewall ipv6 forward filter ...``. + + * **Output**: stage where traffic that originates from the router itself + can be filtered and controlled. Bear in mind that this traffic can be a + new connection originated by a internal process running on VyOS router, + such as NTP, or a response to traffic received externaly through + **inputt** (for example response to an ssh login attempt to the router). + This includes ipv4 and ipv6 filtering rules, defined in: + + * ``set firewall ipv4 input filter ...``. + + * ``set firewall ipv6 output filter ...``. + + * **Postrouting**: as in **Prerouting**, several actions defined in + different parts of VyOS configuration are performed in this + stage. This includes: + + * **Source NAT**: rules defined under ``set [nat | nat66] + destination...``. + +If interface where the packet was received is part of a bridge, then packet +is processed at the **Bridge Layer**, which contains a basic setup for +bridge filtering: + + * **Forward (Bridge)**: stage where traffic that is trespasing through the + bridge is filtered and controlled: + + * ``set firewall bridge forward filter ...``. + +Main structure VyOS firewall cli is shown next: + +.. code-block:: none + + - set firewall + * bridge + - forward + + filter + * flowtable + - custom_flow_table + + ... + * global-options + + all-ping + + broadcast-ping + + ... + * group + - address-group + - ipv6-address-group + - network-group + - ipv6-network-group + - interface-group + - mac-group + - port-group + - domain-group + * ipv4 + - forward + + filter + - input + + filter + - output + + filter + - name + + custom_name + * ipv6 + - forward + + filter + - input + + filter + - output + + filter + - ipv6-name + + custom_name + * zone + - custom_zone_name + + ... + +Please, refer to appropiate section for more information about firewall +configuration: + +.. toctree:: + :maxdepth: 1 + :includehidden: + + global-options + groups + bridge + ipv4 + ipv6 + flowtables + +.. note:: **For more information** + of Netfilter hooks and Linux networking packet flows can be + found in `Netfilter-Hooks + `_ + + +Zone-based firewall +^^^^^^^^^^^^^^^^^^^ +.. toctree:: + :maxdepth: 1 + :includehidden: + + zone + +With zone-based firewalls a new concept was implemented, in addtion to the +standard in and out traffic flows, a local flow was added. This local was for +traffic originating and destined to the router itself. Which means additional +rules were required to secure the firewall itself from the network, in +addition to the existing inbound and outbound rules from the traditional +concept above. + +To configure VyOS with the +:doc:`zone-based firewall configuration ` + +As the example image below shows, the device now needs rules to allow/block +traffic to or from the services running on the device that have open +connections on that interface. + +.. figure:: /_static/images/firewall-zonebased.png -- cgit v1.2.3 From 9ca5e9dd89eabda161d974e7359ab2716fe56464 Mon Sep 17 00:00:00 2001 From: Christian Breunig Date: Sat, 6 Jan 2024 20:54:08 +0100 Subject: dns: T5900: add dont-throttle-netmasks and serve-stale-extensions powerdns features --- docs/configuration/service/dns.rst | 25 +++++++++++++++++++------ 1 file changed, 19 insertions(+), 6 deletions(-) (limited to 'docs/configuration') diff --git a/docs/configuration/service/dns.rst b/docs/configuration/service/dns.rst index 2caeb22d..7624d309 100644 --- a/docs/configuration/service/dns.rst +++ b/docs/configuration/service/dns.rst @@ -143,6 +143,19 @@ avoid being tracked by the provider of your upstream DNS server. 168.192.in-addr.arpa, 16-31.172.in-addr.arpa, which enabling upstream DNS server(s) to be used for reverse lookups of these zones. +.. cfgcmd:: set service dns forwarding serve-stale-extension <0-65535> + + Maximum number of times an expired record’s TTL is extended by 30s when + serving stale. Extension only occurs if a record cannot be refreshed. A + value of 0 means the Serve Stale mechanism is not used. To allow records + becoming stale to be served for an hour, use a value of 120. + +.. cfgcmd:: set service dns forwarding exclude-throttle-address + + When an authoritative server does not answer a query or sends a reply the + recursor does not like, it is throttled. Any servers matching the supplied + netmasks will never be throttled. + Example ======= @@ -381,12 +394,12 @@ By default, ddclient_ will update a dynamic dns record using the IP address directly attached to the interface. If your VyOS instance is behind NAT, your record will be updated to point to your internal IP. -Above, command syntax isn noted to configure dynamic dns on a specific interface. -It is possible to overlook the additional address option, web, when completeing -those commands. ddclient_ has another way to determine the WAN IP address, using -a web-based url to determine the external IP. Each of the commands above will -need to be modified to use 'web' as the 'interface' specified if this functionality -is to be utilized. +Above, command syntax isn noted to configure dynamic dns on a specific interface. +It is possible to overlook the additional address option, web, when completeing +those commands. ddclient_ has another way to determine the WAN IP address, using +a web-based url to determine the external IP. Each of the commands above will +need to be modified to use 'web' as the 'interface' specified if this functionality +is to be utilized. This functionality is controlled by adding the following configuration: -- cgit v1.2.3 From 8628ad46eb25d5e165cf2e03f52c2b7c7bc7b6ca Mon Sep 17 00:00:00 2001 From: Bubun Das Date: Mon, 8 Jan 2024 23:48:19 +0530 Subject: Update monitoring.rst Updated docs for influxdb --- docs/configuration/service/monitoring.rst | 19 +++++++++---------- 1 file changed, 9 insertions(+), 10 deletions(-) (limited to 'docs/configuration') diff --git a/docs/configuration/service/monitoring.rst b/docs/configuration/service/monitoring.rst index 0aa93e71..245af067 100644 --- a/docs/configuration/service/monitoring.rst +++ b/docs/configuration/service/monitoring.rst @@ -109,11 +109,11 @@ Monitoring functionality with ``telegraf`` and ``InfluxDB 2`` is provided. Telegraf is the open source server agent to help you collect metrics, events and logs from your routers. -.. cfgcmd:: set service monitoring telegraf authentication organization +.. cfgcmd:: set service monitoring telegraf influxdb authentication organization Authentication organization name -.. cfgcmd:: set service monitoring telegraf authentication token +.. cfgcmd:: set service monitoring telegraf influxdb authentication token Authentication token @@ -121,11 +121,11 @@ and logs from your routers. Remote ``InfluxDB`` bucket name -.. cfgcmd:: set service monitoring port +.. cfgcmd:: set service monitoring telegraf influxdb port Remote port -.. cfgcmd:: set service monitoring telegraf url +.. cfgcmd:: set service monitoring telegraf influxdb url Remote URL @@ -138,12 +138,11 @@ An example of a configuration that sends ``telegraf`` metrics to remote .. code-block:: none - set service monitoring telegraf authentication organization 'vyos' - set service monitoring telegraf authentication token 'ZAml9Uy5wrhA...==' - set service monitoring telegraf bucket 'bucket_vyos' - set service monitoring telegraf port '8086' - set service monitoring telegraf source 'all' - set service monitoring telegraf url 'http://r1.influxdb2.local' + set service monitoring telegraf influxdb authentication organization 'vyos' + set service monitoring telegraf influxdb authentication token 'ZAml9Uy5wrhA...==' + set service monitoring telegraf influxdb bucket 'bucket_vyos' + set service monitoring telegraf influxdb port '8086' + set service monitoring telegraf influxdb url 'http://r1.influxdb2.local' .. _azure-data-explorer: https://github.com/influxdata/telegraf/tree/master/plugins/outputs/azure_data_explorer .. _prometheus-client: https://github.com/influxdata/telegraf/tree/master/plugins/outputs/prometheus_client -- cgit v1.2.3 From dfa516d63e38eadc5e57dd143b17022c6ff2c092 Mon Sep 17 00:00:00 2001 From: Robert Göhler Date: Mon, 8 Jan 2024 21:23:37 +0100 Subject: Delete docs/configuration/firewall/index.rst~ --- docs/configuration/firewall/index.rst~ | 179 --------------------------------- 1 file changed, 179 deletions(-) delete mode 100644 docs/configuration/firewall/index.rst~ (limited to 'docs/configuration') diff --git a/docs/configuration/firewall/index.rst~ b/docs/configuration/firewall/index.rst~ deleted file mode 100644 index bdfc2069..00000000 --- a/docs/configuration/firewall/index.rst~ +++ /dev/null @@ -1,179 +0,0 @@ -:lastproofread: 2023-11-23 - -######## -Firewall -######## - -With VyOS being based on top of Linux and its kernel, the Netfilter project -created iptables and its successor nftables for the Linux kernel to -work directly on the data flows. This now extends the concept of zone-based -security to allow for manipulating the data at multiple stages once accepted -by the network interface and the driver before being handed off to the -destination (e.g., a web server OR another device). - -A simplified traffic flow diagram, based on Netfilter packet flow, is shown next, in -order to have a full view and understanding of how packets are processed, and -what possible paths traffic can take. - -.. figure:: /_static/images/firewall-gral-packet-flow.png - -Main points regarding this packet flow and terminology used in VyOS firewall are below: - - * **Bridge Port?**: choose appropriate path based on whether interface where the - packet was received is part of a bridge, or not. - -If interface where the packet was received isn't part of a bridge, then packet -is processed at the **IP Layer**: - - * **Prerouting**: several actions can be done in this stage, and currently - these actions are defined in different parts in VyOS configuration. Order - is important, and all these actions are performed before any actions - defined under ``firewall`` section. Relevant configuration that acts in - this stage are: - - * **Conntrack Ignore**: rules defined under ``set system conntrack ignore - [ipv4 | ipv6] ...``. - - * **Policy Route**: rules defined under ``set policy [route | route6] - ...``. - - * **Destination NAT**: rules defined under ``set [nat | nat66] - destination...``. - - * **Destination is the router?**: choose appropriate path based on - destination IP address. Transit forward continues to **forward**, - while traffic that destination IP address is configured on the router - continues to **input**. - - * **Input**: stage where traffic destined for the router itself can be - filtered and controlled. This is where all rules for securing the router - should take place. This includes ipv4 and ipv6 filtering rules, defined - in: - - * ``set firewall ipv4 input filter ...``. - - * ``set firewall ipv6 input filter ...``. - - * **Forward**: stage where transit traffic can be filtered and controlled. - This includes ipv4 and ipv6 filtering rules, defined in: - - * ``set firewall ipv4 forward filter ...``. - - * ``set firewall ipv6 forward filter ...``. - - * **Output**: stage where traffic that originates from the router itself - can be filtered and controlled. Bear in mind that this traffic can be a - new connection originated by a internal process running on VyOS router, - such as NTP, or a response to traffic received externaly through - **inputt** (for example response to an ssh login attempt to the router). - This includes ipv4 and ipv6 filtering rules, defined in: - - * ``set firewall ipv4 input filter ...``. - - * ``set firewall ipv6 output filter ...``. - - * **Postrouting**: as in **Prerouting**, several actions defined in - different parts of VyOS configuration are performed in this - stage. This includes: - - * **Source NAT**: rules defined under ``set [nat | nat66] - destination...``. - -If interface where the packet was received is part of a bridge, then packet -is processed at the **Bridge Layer**, which contains a basic setup for -bridge filtering: - - * **Forward (Bridge)**: stage where traffic that is trespasing through the - bridge is filtered and controlled: - - * ``set firewall bridge forward filter ...``. - -Main structure VyOS firewall cli is shown next: - -.. code-block:: none - - - set firewall - * bridge - - forward - + filter - * flowtable - - custom_flow_table - + ... - * global-options - + all-ping - + broadcast-ping - + ... - * group - - address-group - - ipv6-address-group - - network-group - - ipv6-network-group - - interface-group - - mac-group - - port-group - - domain-group - * ipv4 - - forward - + filter - - input - + filter - - output - + filter - - name - + custom_name - * ipv6 - - forward - + filter - - input - + filter - - output - + filter - - ipv6-name - + custom_name - * zone - - custom_zone_name - + ... - -Please, refer to appropiate section for more information about firewall -configuration: - -.. toctree:: - :maxdepth: 1 - :includehidden: - - global-options - groups - bridge - ipv4 - ipv6 - flowtables - -.. note:: **For more information** - of Netfilter hooks and Linux networking packet flows can be - found in `Netfilter-Hooks - `_ - - -Zone-based firewall -^^^^^^^^^^^^^^^^^^^ -.. toctree:: - :maxdepth: 1 - :includehidden: - - zone - -With zone-based firewalls a new concept was implemented, in addtion to the -standard in and out traffic flows, a local flow was added. This local was for -traffic originating and destined to the router itself. Which means additional -rules were required to secure the firewall itself from the network, in -addition to the existing inbound and outbound rules from the traditional -concept above. - -To configure VyOS with the -:doc:`zone-based firewall configuration ` - -As the example image below shows, the device now needs rules to allow/block -traffic to or from the services running on the device that have open -connections on that interface. - -.. figure:: /_static/images/firewall-zonebased.png -- cgit v1.2.3 From cecc0f3c32afb455ddb006b35faf343877061443 Mon Sep 17 00:00:00 2001 From: Christian Breunig Date: Mon, 8 Jan 2024 21:29:11 +0100 Subject: https: add latest CLI changes --- docs/configuration/service/https.rst | 78 +++++++++++++++++------------------- 1 file changed, 37 insertions(+), 41 deletions(-) (limited to 'docs/configuration') diff --git a/docs/configuration/service/https.rst b/docs/configuration/service/https.rst index eb2e30eb..973c5355 100644 --- a/docs/configuration/service/https.rst +++ b/docs/configuration/service/https.rst @@ -1,7 +1,7 @@ .. _http-api: ######## -HTTP-API +HTTP API ######## VyOS provide an HTTP API. You can use it to execute op-mode commands, @@ -13,75 +13,71 @@ Please take a look at the :ref:`vyosapi` page for an detailed how-to. Configuration ************* -.. cfgcmd:: set service https api keys id key +.. cfgcmd:: set service https allow-client address
- Set a named api key. Every key has the same, full permissions - on the system. + Only allow certain IP addresses or prefixes to access the https + webserver. -.. cfgcmd:: set service https api debug +.. cfgcmd:: set service https certificates ca-certificate - To enable debug messages. Available via :opcmd:`show log` or - :opcmd:`monitor log` + Use CA certificate from PKI subsystem -.. cfgcmd:: set service https api strict +.. cfgcmd:: set service https certificates certificate - Enforce strict path checking + Use certificate from PKI subsystem -.. cfgcmd:: set service https virtual-host listen-address - +.. cfgcmd:: set service https certificates dh-params - Address to listen for HTTPS requests + Use :abbr:`DH (Diffie–Hellman)` parameters from PKI subsystem. + Must be at least 2048 bits in length. -.. cfgcmd:: set service https virtual-host port <1-65535> +.. cfgcmd:: set service https listen-address
- Port to listen for HTTPS requests; default 443 + Webserver should only listen on specified IP address -.. cfgcmd:: set service https virtual-host server-name +.. cfgcmd:: set service https port - Server names for virtual hosts it can be exact, wildcard or regex. + Webserver should listen on specified port. -.. cfgcmd:: set service https api-restrict virtual-host + Default: 443 - By default, nginx exposes the local API on all virtual servers. - Use this to restrict nginx to one or more virtual hosts. +.. cfgcmd:: set service https enable-http-redirect -.. cfgcmd:: set service https certificates certbot domain-name + Enable automatic redirect from http to https. - Domain name(s) for which to obtain certificate +.. cfgcmd:: set service https tls-version <1.2 | 1.3> -.. cfgcmd:: set service https certificates certbot email + Select TLS version used. - Email address to associate with certificate + This defaults to both 1.2 and 1.3. -.. cfgcmd:: set service https certificates system-generated-certificate +.. cfgcmd:: set service https vrf - Use an automatically generated self-signed certificate + Start Webserver in given VRF. -.. cfgcmd:: set service https certificates system-generated-certificate - lifetime +API +=== - Lifetime in days; default is 365 +.. cfgcmd:: set service https api keys id key + Set a named api key. Every key has the same, full permissions + on the system. -********************* -Example Configuration -********************* +.. cfgcmd:: set service https api debug -Set an API-KEY is the minimal configuration to get a working API Endpoint. + To enable debug messages. Available via :opcmd:`show log` or + :opcmd:`monitor log` -.. code-block:: none +.. cfgcmd:: set service https api strict - set service https api keys id MY-HTTPS-API-ID key MY-HTTPS-API-PLAINTEXT-KEY + Enforce strict path checking +********************* +Example Configuration +********************* -To use this full configuration we asume a public accessible hostname. +Set an API-KEY is the minimal configuration to get a working API Endpoint. .. code-block:: none set service https api keys id MY-HTTPS-API-ID key MY-HTTPS-API-PLAINTEXT-KEY - set service https certificates certbot domain-name rtr01.example.com - set service https certificates certbot email mail@example.com - set service https virtual-host rtr01 listen-address 198.51.100.2 - set service https virtual-host rtr01 port 11443 - set service https virtual-host rtr01 server-name rtr01.example.com - set service https api-restrict virtual-host rtr01 -- cgit v1.2.3 From a2666e8e13b01b7becef274dd97f77f4ce39a91b Mon Sep 17 00:00:00 2001 From: Nicolas Vollmar Date: Wed, 10 Jan 2024 08:51:08 +0100 Subject: fix spelling --- docs/_locale/de/configuration.pot | 4 ++-- docs/_locale/es/configuration.pot | 2 +- docs/_locale/ja/configuration.pot | 4 ++-- docs/_locale/pt/configuration.pot | 4 ++-- docs/_locale/uk/configuration.pot | 4 ++-- docs/configuration/loadbalancing/reverse-proxy.rst | 2 +- 6 files changed, 10 insertions(+), 10 deletions(-) (limited to 'docs/configuration') diff --git a/docs/_locale/de/configuration.pot b/docs/_locale/de/configuration.pot index 6641dd72..df607936 100644 --- a/docs/_locale/de/configuration.pot +++ b/docs/_locale/de/configuration.pot @@ -19468,8 +19468,8 @@ msgid "``latency``: A server profile focused on lowering network latency. This p msgstr "``latency``: A server profile focused on lowering network latency. This profile favors performance over power savings by setting ``intel_pstate`` and ``min_perf_pct=100``." #: ../../configuration/loadbalancing/reverse-proxy.rst:108 -msgid "``least-connection`` Distributes requests tp tje server wotj the fewest active connections" -msgstr "``least-connection`` Distributes requests tp tje server wotj the fewest active connections" +msgid "``least-connection`` Distributes requests to the server with the fewest active connections" +msgstr "``least-connection`` Distributes requests to the server with the fewest active connections" #: ../../configuration/vpn/ipsec.rst:125 msgid "``life-bytes`` ESP life in bytes <1024-26843545600000>. Number of bytes transmitted over an IPsec SA before it expires;" diff --git a/docs/_locale/es/configuration.pot b/docs/_locale/es/configuration.pot index 88324a87..0f90f6ac 100644 --- a/docs/_locale/es/configuration.pot +++ b/docs/_locale/es/configuration.pot @@ -19468,7 +19468,7 @@ msgid "``latency``: A server profile focused on lowering network latency. This p msgstr "``latency``: un perfil de servidor centrado en reducir la latencia de la red. Este perfil favorece el rendimiento sobre el ahorro de energía configurando ``intel_pstate`` y ``min_perf_pct=100``." #: ../../configuration/loadbalancing/reverse-proxy.rst:108 -msgid "``least-connection`` Distributes requests tp tje server wotj the fewest active connections" +msgid "``least-connection`` Distributes requests to the server with the fewest active connections" msgstr "``least-connection`` Distribuye las solicitudes al servidor con la menor cantidad de conexiones activas" #: ../../configuration/vpn/ipsec.rst:125 diff --git a/docs/_locale/ja/configuration.pot b/docs/_locale/ja/configuration.pot index b76eeeb0..7a5f67f1 100644 --- a/docs/_locale/ja/configuration.pot +++ b/docs/_locale/ja/configuration.pot @@ -19468,8 +19468,8 @@ msgid "``latency``: A server profile focused on lowering network latency. This p msgstr "``latency``: A server profile focused on lowering network latency. This profile favors performance over power savings by setting ``intel_pstate`` and ``min_perf_pct=100``." #: ../../configuration/loadbalancing/reverse-proxy.rst:108 -msgid "``least-connection`` Distributes requests tp tje server wotj the fewest active connections" -msgstr "``least-connection`` Distributes requests tp tje server wotj the fewest active connections" +msgid "``least-connection`` Distributes requests to the server with the fewest active connections" +msgstr "``least-connection`` Distributes requests to the server with the fewest active connections" #: ../../configuration/vpn/ipsec.rst:125 msgid "``life-bytes`` ESP life in bytes <1024-26843545600000>. Number of bytes transmitted over an IPsec SA before it expires;" diff --git a/docs/_locale/pt/configuration.pot b/docs/_locale/pt/configuration.pot index dbe8970c..8b7aff49 100644 --- a/docs/_locale/pt/configuration.pot +++ b/docs/_locale/pt/configuration.pot @@ -19468,8 +19468,8 @@ msgid "``latency``: A server profile focused on lowering network latency. This p msgstr "``latency``: A server profile focused on lowering network latency. This profile favors performance over power savings by setting ``intel_pstate`` and ``min_perf_pct=100``." #: ../../configuration/loadbalancing/reverse-proxy.rst:108 -msgid "``least-connection`` Distributes requests tp tje server wotj the fewest active connections" -msgstr "``least-connection`` Distributes requests tp tje server wotj the fewest active connections" +msgid "``least-connection`` Distributes requests to the server with the fewest active connections" +msgstr "``least-connection`` Distributes requests to the server with the fewest active connections" #: ../../configuration/vpn/ipsec.rst:125 msgid "``life-bytes`` ESP life in bytes <1024-26843545600000>. Number of bytes transmitted over an IPsec SA before it expires;" diff --git a/docs/_locale/uk/configuration.pot b/docs/_locale/uk/configuration.pot index a3a1a512..1a912c61 100644 --- a/docs/_locale/uk/configuration.pot +++ b/docs/_locale/uk/configuration.pot @@ -19468,8 +19468,8 @@ msgid "``latency``: A server profile focused on lowering network latency. This p msgstr "``latency``: A server profile focused on lowering network latency. This profile favors performance over power savings by setting ``intel_pstate`` and ``min_perf_pct=100``." #: ../../configuration/loadbalancing/reverse-proxy.rst:108 -msgid "``least-connection`` Distributes requests tp tje server wotj the fewest active connections" -msgstr "``least-connection`` Distributes requests tp tje server wotj the fewest active connections" +msgid "``least-connection`` Distributes requests to the server with the fewest active connections" +msgstr "``least-connection`` Distributes requests to the server with the fewest active connections" #: ../../configuration/vpn/ipsec.rst:125 msgid "``life-bytes`` ESP life in bytes <1024-26843545600000>. Number of bytes transmitted over an IPsec SA before it expires;" diff --git a/docs/configuration/loadbalancing/reverse-proxy.rst b/docs/configuration/loadbalancing/reverse-proxy.rst index 04b612f5..19ef3773 100644 --- a/docs/configuration/loadbalancing/reverse-proxy.rst +++ b/docs/configuration/loadbalancing/reverse-proxy.rst @@ -105,7 +105,7 @@ Backend of the client * ``round-robin`` Distributes requests in a circular manner, sequentially sending each request to the next server in line - * ``least-connection`` Distributes requests tp tje server wotj the fewest + * ``least-connection`` Distributes requests to the server with the fewest active connections .. cfgcmd:: set load-balancing reverse-proxy backend mode -- cgit v1.2.3 From 1b1cc7986813c65b608ace38bf497622eb74f1cf Mon Sep 17 00:00:00 2001 From: Trae Santiago Date: Wed, 10 Jan 2024 11:13:38 -0600 Subject: added new NPTv6/DHCPv6 example --- .../images/vyos_1_5_nat66_dhcpv6_wdummy.png | Bin 0 -> 349078 bytes docs/configuration/nat/nat66.rst | 97 +++++++++++++++++++++ 2 files changed, 97 insertions(+) create mode 100644 docs/_static/images/vyos_1_5_nat66_dhcpv6_wdummy.png (limited to 'docs/configuration') diff --git a/docs/_static/images/vyos_1_5_nat66_dhcpv6_wdummy.png b/docs/_static/images/vyos_1_5_nat66_dhcpv6_wdummy.png new file mode 100644 index 00000000..297fdd11 Binary files /dev/null and b/docs/_static/images/vyos_1_5_nat66_dhcpv6_wdummy.png differ diff --git a/docs/configuration/nat/nat66.rst b/docs/configuration/nat/nat66.rst index 66cceb0a..9345e708 100644 --- a/docs/configuration/nat/nat66.rst +++ b/docs/configuration/nat/nat66.rst @@ -137,3 +137,100 @@ R2: set interfaces bridge br1 member interface eth1 set protocols static route6 ::/0 next-hop fc01::1 set service router-advert interface br1 prefix ::/0 + + +Use the following topology to translate internal user local addresses (``fc::/7``) +to DHCPv6-PD provided prefixes from an ISP connected to a VyOS HA pair. + +.. figure:: /_static/images/vyos_1_5_nat66_dhcpv6_wdummy.png + :alt: VyOS NAT66 DHCPv6 using a dummy interface + +Configure both routers (a and b) for DHCPv6-PD via dummy interface: + +.. code-block:: none + + set interfaces dummy dum1 description 'DHCPv6-PD NPT dummy' + set interfaces bonding bond0 vif 20 dhcpv6-options pd 0 interface dum1 address '0' + set interfaces bonding bond0 vif 20 dhcpv6-options pd 1 interface dum1 address '0' + set interfaces bonding bond0 vif 20 dhcpv6-options pd 2 interface dum1 address '0' + set interfaces bonding bond0 vif 20 dhcpv6-options pd 3 interface dum1 address '0' + set interfaces bonding bond0 vif 20 dhcpv6-options rapid-commit + commit + +Get the DHCPv6-PD prefixes from both routers: + +.. code-block:: none + + trae@cr01a-vyos# run show interfaces dummy dum1 br + Codes: S - State, L - Link, u - Up, D - Down, A - Admin Down + Interface IP Address S/L Description + --------- ---------- --- ----------- + dum1 2001:db8:123:b008::/64 u/u DHCPv6-PD NPT dummy + 2001:db8:123:b00a::/64 + 2001:db8:123:b00b::/64 + 2001:db8:123:b009::/64 + + trae@cr01b-vyos# run show int dummy dum1 brief + Codes: S - State, L - Link, u - Up, D - Down, A - Admin Down + Interface IP Address S/L Description + --------- ---------- --- ----------- + dum1 2001:db8:123:b00d::/64 u/u DHCPv6-PD NPT dummy + 2001:db8:123:b00c::/64 + 2001:db8:123:b00e::/64 + 2001:db8:123:b00f::/64 + +Configure the A-side router for NPTv6 using the prefixes above: + +.. code-block:: none + + set nat66 source rule 10 description 'NPT to VLAN 10' + set nat66 source rule 10 outbound-interface name 'bond0.20' + set nat66 source rule 10 source prefix 'fd52:d62e:8011:a::/64' + set nat66 source rule 10 translation address '2001:db8:123:b008::/64' + set nat66 source rule 20 description 'NPT to VLAN 70' + set nat66 source rule 20 outbound-interface name 'bond0.20' + set nat66 source rule 20 source prefix 'fd52:d62e:8011:46::/64' + set nat66 source rule 20 translation address '2001:db8:123:b009::/64' + set nat66 source rule 30 description 'NPT to VLAN 200' + set nat66 source rule 30 outbound-interface name 'bond0.20' + set nat66 source rule 30 source prefix 'fd52:d62e:8011:c8::/64' + set nat66 source rule 30 translation address '2001:db8:123:b00a::/64' + set nat66 source rule 40 description 'NPT to VLAN 240' + set nat66 source rule 40 outbound-interface name 'bond0.20' + set nat66 source rule 40 source prefix 'fd52:d62e:8011:f0::/64' + set nat66 source rule 40 translation address '2001:db8:123:b00b::/64' + commit + +Configure the B-side router for NPTv6 using the prefixes above: + +.. code-block:: none + + set nat66 source rule 10 description 'NPT to VLAN 10' + set nat66 source rule 10 outbound-interface name 'bond0.20' + set nat66 source rule 10 source prefix 'fd52:d62e:8011:a::/64' + set nat66 source rule 10 translation address '2001:db8:123:b00c::/64' + set nat66 source rule 20 description 'NPT to VLAN 70' + set nat66 source rule 20 outbound-interface name 'bond0.20' + set nat66 source rule 20 source prefix 'fd52:d62e:8011:46::/64' + set nat66 source rule 20 translation address '2001:db8:123:b00d::/64' + set nat66 source rule 30 description 'NPT to VLAN 200' + set nat66 source rule 30 outbound-interface name 'bond0.20' + set nat66 source rule 30 source prefix 'fd52:d62e:8011:c8::/64' + set nat66 source rule 30 translation address '2001:db8:123:b00e::/64' + set nat66 source rule 40 description 'NPT to VLAN 240' + set nat66 source rule 40 outbound-interface name 'bond0.20' + set nat66 source rule 40 source prefix 'fd52:d62e:8011:f0::/64' + set nat66 source rule 40 translation address '2001:db8:123:b00f::/64' + commit + +Verify that connections are hitting the rule on both sides: + +.. code-block:: none + + trae@cr01a-vyos# run show nat66 source statistics + Rule Packets Bytes Interface + ------ --------- ------- ----------- + 10 1 104 bond0.20 + 20 1 104 bond0.20 + 30 8093 669445 bond0.20 + 40 2446 216912 bond0.20 -- cgit v1.2.3 From ad7eaafed56898ddc0377d37efa57f6339d8ef9f Mon Sep 17 00:00:00 2001 From: sarthurdev <965089+sarthurdev@users.noreply.github.com> Date: Wed, 10 Jan 2024 12:53:01 +0100 Subject: dhcp: T3316: Update documentation for Kea implementation --- .../_include/dhcp-server.conf | 2 +- docs/configuration/service/dhcp-server.rst | 131 ++------------------- docs/installation/install.rst | 8 +- docs/quick-start.rst | 6 +- 4 files changed, 20 insertions(+), 127 deletions(-) (limited to 'docs/configuration') diff --git a/docs/configexamples/autotest/DHCPRelay_through_GRE/_include/dhcp-server.conf b/docs/configexamples/autotest/DHCPRelay_through_GRE/_include/dhcp-server.conf index 9c4b612a..a3a7f27e 100644 --- a/docs/configexamples/autotest/DHCPRelay_through_GRE/_include/dhcp-server.conf +++ b/docs/configexamples/autotest/DHCPRelay_through_GRE/_include/dhcp-server.conf @@ -8,6 +8,6 @@ set protocols static route 10.0.10.0/24 next-hop 10.0.20.254 set protocols static route 192.168.0.0/24 next-hop 127.16.0.2 set service dhcp-server listen-address '172.16.0.1' set service dhcp-server shared-network-name DHCPTun100 authoritative -set service dhcp-server shared-network-name DHCPTun100 subnet 192.168.0.0/24 default-router '192.168.0.254' +set service dhcp-server shared-network-name DHCPTun100 subnet 192.168.0.0/24 option default-router '192.168.0.254' set service dhcp-server shared-network-name DHCPTun100 subnet 192.168.0.0/24 range 0 start '192.168.0.30' set service dhcp-server shared-network-name DHCPTun100 subnet 192.168.0.0/24 range 0 stop '192.168.0.30' \ No newline at end of file diff --git a/docs/configuration/service/dhcp-server.rst b/docs/configuration/service/dhcp-server.rst index 0cc10feb..e20fc251 100644 --- a/docs/configuration/service/dhcp-server.rst +++ b/docs/configuration/service/dhcp-server.rst @@ -4,7 +4,7 @@ DHCP Server ########### -VyOS uses ISC DHCP server for both IPv4 and IPv6 address assignment. +VyOS uses Kea DHCP server for both IPv4 and IPv6 address assignment. *********** IPv4 server @@ -26,12 +26,7 @@ Configuration Create DNS record per client lease, by adding clients to /etc/hosts file. Entry will have format: `_.` -.. cfgcmd:: set service dhcp-server host-decl-name - - Will drop `_` from client DNS record, using only the - host declaration name and domain: `.` - -.. cfgcmd:: set service dhcp-server shared-network-name domain-name +.. cfgcmd:: set service dhcp-server shared-network-name option domain-name The domain-name parameter should be the domain name that will be appended to the client's hostname to form a fully-qualified domain-name (FQDN) (DHCP @@ -40,7 +35,7 @@ Configuration This is the configuration parameter for the entire shared network definition. All subnets will inherit this configuration item if not specified locally. -.. cfgcmd:: set service dhcp-server shared-network-name domain-search +.. cfgcmd:: set service dhcp-server shared-network-name option domain-search The domain-name parameter should be the domain name used when completing DNS request where no full FQDN is passed. This option can be given multiple times @@ -49,7 +44,7 @@ Configuration This is the configuration parameter for the entire shared network definition. All subnets will inherit this configuration item if not specified locally. -.. cfgcmd:: set service dhcp-server shared-network-name name-server
+.. cfgcmd:: set service dhcp-server shared-network-name option name-server
Inform client that the DNS server can be found at `
`. @@ -58,21 +53,6 @@ Configuration Multiple DNS servers can be defined. -.. cfgcmd:: set service dhcp-server shared-network-name ping-check - - When the DHCP server is considering dynamically allocating an IP address to a - client, it first sends an ICMP Echo request (a ping) to the address being - assigned. It waits for a second, and if no ICMP Echo response has been heard, - it assigns the address. - - If a response is heard, the lease is abandoned, and the server does not - respond to the client. The lease will remain abandoned for a minimum of - abandon-lease-time seconds (defaults to 24 hours). - - If there are no free addresses but there are abandoned IP addresses, the - DHCP server will attempt to reclaim an abandoned IP address regardless of the - value of abandon-lease-time. - .. cfgcmd:: set service dhcp-server listen-address
This configuration parameter lets the DHCP server to listen for DHCP @@ -91,14 +71,14 @@ Individual Client Subnet network. .. cfgcmd:: set service dhcp-server shared-network-name subnet - default-router
+ option default-router
This is a configuration parameter for the ``, saying that as part of the response, tell the client that the default gateway can be reached at `
`. .. cfgcmd:: set service dhcp-server shared-network-name subnet - name-server
+ option name-server
This is a configuration parameter for the subnet, saying that as part of the response, tell the client that the DNS server can be found at `
`. @@ -133,40 +113,19 @@ Individual Client Subnet This option can be specified multiple times. .. cfgcmd:: set service dhcp-server shared-network-name subnet - domain-name + option domain-name The domain-name parameter should be the domain name that will be appended to the client's hostname to form a fully-qualified domain-name (FQDN) (DHCP Option 015). .. cfgcmd:: set service dhcp-server shared-network-name subnet - domain-search + option domain-search The domain-name parameter should be the domain name used when completing DNS request where no full FQDN is passed. This option can be given multiple times if you need multiple search domains (DHCP Option 119). -.. cfgcmd:: set service dhcp-server shared-network-name subnet - ping-check - - When the DHCP server is considering dynamically allocating an IP address to a - client, it first sends an ICMP Echo request (a ping) to the address being - assigned. It waits for a second, and if no ICMP Echo response has been heard, - it assigns the address. - - If a response is heard, the lease is abandoned, and the server does not - respond to the client. The lease will remain abandoned for a minimum of - abandon-lease-time seconds (defaults to 24 hours). - - If a there are no free addresses but there are abandoned IP addresses, the - DHCP server will attempt to reclaim an abandoned IP address regardless of the - value of abandon-lease-time. - -.. cfgcmd:: set service dhcp-server shared-network-name subnet - enable-failover - - Enable DHCP failover configuration for this address pool. - Failover -------- @@ -391,32 +350,6 @@ Options Multi: can be specified multiple times. -Raw Parameters -============== - -Raw parameters can be passed to shared-network-name, subnet and static-mapping: - -.. code-block:: none - - set service dhcp-server shared-network-name shared-network-parameters - Additional shared-network parameters for DHCP server. - set service dhcp-server shared-network-name subnet subnet-parameters - Additional subnet parameters for DHCP server. - set service dhcp-server shared-network-name subnet static-mapping static-mapping-parameters - Additional static-mapping parameters for DHCP server. - Will be placed inside the "host" block of the mapping. - -These parameters are passed as-is to isc-dhcp's dhcpd.conf under the -configuration node they are defined in. They are not validated so an error in -the raw parameters won't be caught by vyos's scripts and will cause dhcpd to -fail to start. Always verify that the parameters are correct before committing -the configuration. Refer to isc-dhcp's dhcpd.conf manual for more information: -https://kb.isc.org/docs/isc-dhcp-44-manual-pages-dhcpdconf - -Quotes can be used inside parameter values by replacing all quote characters -with the string ``"``. They will be replaced with literal quote characters -when generating dhcpd.conf. - Example ======= @@ -439,12 +372,11 @@ Common configuration, valid for both primary and secondary node. .. code-block:: none - set service dhcp-server shared-network-name NET-VYOS subnet 192.0.2.0/24 default-router '192.0.2.254' - set service dhcp-server shared-network-name NET-VYOS subnet 192.0.2.0/24 name-server '192.0.2.254' - set service dhcp-server shared-network-name NET-VYOS subnet 192.0.2.0/24 domain-name 'vyos.net' + set service dhcp-server shared-network-name NET-VYOS subnet 192.0.2.0/24 option default-router '192.0.2.254' + set service dhcp-server shared-network-name NET-VYOS subnet 192.0.2.0/24 option name-server '192.0.2.254' + set service dhcp-server shared-network-name NET-VYOS subnet 192.0.2.0/24 option domain-name 'vyos.net' set service dhcp-server shared-network-name NET-VYOS subnet 192.0.2.0/24 range 0 start '192.0.2.10' set service dhcp-server shared-network-name NET-VYOS subnet 192.0.2.0/24 range 0 stop '192.0.2.250' - set service dhcp-server shared-network-name NET-VYOS subnet 192.0.2.0/24 enable-failover **Primary** @@ -467,47 +399,6 @@ Common configuration, valid for both primary and secondary node. .. _dhcp-server:v4_example_raw: -Raw Parameters --------------- - -* Override static-mapping's name-server with a custom one that will be sent only - to this host. -* An option that takes a quoted string is set by replacing all quote characters - with the string ``"`` inside the static-mapping-parameters value. - The resulting line in dhcpd.conf will be - ``option pxelinux.configfile "pxelinux.cfg/01-00-15-17-44-2d-aa";``. - - -.. code-block:: none - - set service dhcp-server shared-network-name dhcpexample subnet 192.0.2.0/24 static-mapping example static-mapping-parameters "option domain-name-servers 192.0.2.11, 192.0.2.12;" - set service dhcp-server shared-network-name dhcpexample subnet 192.0.2.0/24 static-mapping example static-mapping-parameters "option pxelinux.configfile "pxelinux.cfg/01-00-15-17-44-2d-aa";" - -Option 43 for UniFI -------------------- - -* These parameters need to be part of the DHCP global options. - They stay unchanged. - - -.. code-block:: none - - set service dhcp-server global-parameters 'option space ubnt;' - set service dhcp-server global-parameters 'option ubnt.unifi-address code 1 = ip-address;' - set service dhcp-server global-parameters 'class "ubnt" {' - set service dhcp-server global-parameters 'match if substring (option vendor-class-identifier, 0, 4) = "ubnt";' - set service dhcp-server global-parameters 'option vendor-class-identifier "ubnt";' - set service dhcp-server global-parameters 'vendor-option-space ubnt;' - set service dhcp-server global-parameters '}' - -* Now we add the option to the scope, adapt to your setup - - -.. code-block:: none - - set service dhcp-server shared-network-name example-scope subnet 10.1.1.0/24 subnet-parameters 'option ubnt.unifi-address 172.16.1.10;' - - Operation Mode ============== diff --git a/docs/installation/install.rst b/docs/installation/install.rst index 2bbce8ee..bf0f11fe 100644 --- a/docs/installation/install.rst +++ b/docs/installation/install.rst @@ -458,9 +458,11 @@ In this example we configured an existent VyOS as the DHCP server: vyos@vyos# show service dhcp-server shared-network-name mydhcp { subnet 192.168.1.0/24 { - bootfile-name pxelinux.0 - bootfile-server 192.168.1.50 - default-router 192.168.1.50 + option { + bootfile-name pxelinux.0 + bootfile-server 192.168.1.50 + default-router 192.168.1.50 + } range 0 { start 192.168.1.70 stop 192.168.1.100 diff --git a/docs/quick-start.rst b/docs/quick-start.rst index c8bb3f04..44ff99ff 100644 --- a/docs/quick-start.rst +++ b/docs/quick-start.rst @@ -93,9 +93,9 @@ DNS server. .. code-block:: none - set service dhcp-server shared-network-name LAN subnet 192.168.0.0/24 default-router '192.168.0.1' - set service dhcp-server shared-network-name LAN subnet 192.168.0.0/24 name-server '192.168.0.1' - set service dhcp-server shared-network-name LAN subnet 192.168.0.0/24 domain-name 'vyos.net' + set service dhcp-server shared-network-name LAN subnet 192.168.0.0/24 option default-router '192.168.0.1' + set service dhcp-server shared-network-name LAN subnet 192.168.0.0/24 option name-server '192.168.0.1' + set service dhcp-server shared-network-name LAN subnet 192.168.0.0/24 option domain-name 'vyos.net' set service dhcp-server shared-network-name LAN subnet 192.168.0.0/24 lease '86400' set service dhcp-server shared-network-name LAN subnet 192.168.0.0/24 range 0 start '192.168.0.9' set service dhcp-server shared-network-name LAN subnet 192.168.0.0/24 range 0 stop '192.168.0.254' -- cgit v1.2.3 From 3864aa6aafd592e5d8b93dbede9004ccbf001e88 Mon Sep 17 00:00:00 2001 From: sarthurdev <965089+sarthurdev@users.noreply.github.com> Date: Thu, 11 Jan 2024 02:12:07 +0100 Subject: dhcp: dhcpv6: T3316: Update documentation for inclusion of `subnet-id` --- .../DHCPRelay_through_GRE/_include/dhcp-server.conf | 3 ++- docs/configuration/service/dhcp-server.rst | 17 +++++++++++++++++ docs/installation/install.rst | 1 + docs/quick-start.rst | 1 + 4 files changed, 21 insertions(+), 1 deletion(-) (limited to 'docs/configuration') diff --git a/docs/configexamples/autotest/DHCPRelay_through_GRE/_include/dhcp-server.conf b/docs/configexamples/autotest/DHCPRelay_through_GRE/_include/dhcp-server.conf index a3a7f27e..20c8dd10 100644 --- a/docs/configexamples/autotest/DHCPRelay_through_GRE/_include/dhcp-server.conf +++ b/docs/configexamples/autotest/DHCPRelay_through_GRE/_include/dhcp-server.conf @@ -10,4 +10,5 @@ set service dhcp-server listen-address '172.16.0.1' set service dhcp-server shared-network-name DHCPTun100 authoritative set service dhcp-server shared-network-name DHCPTun100 subnet 192.168.0.0/24 option default-router '192.168.0.254' set service dhcp-server shared-network-name DHCPTun100 subnet 192.168.0.0/24 range 0 start '192.168.0.30' -set service dhcp-server shared-network-name DHCPTun100 subnet 192.168.0.0/24 range 0 stop '192.168.0.30' \ No newline at end of file +set service dhcp-server shared-network-name DHCPTun100 subnet 192.168.0.0/24 range 0 stop '192.168.0.30' +set service dhcp-server shared-network-name DHCPTun100 subnet 192.168.0.0/24 subnet-id '1' \ No newline at end of file diff --git a/docs/configuration/service/dhcp-server.rst b/docs/configuration/service/dhcp-server.rst index e20fc251..c51a0aff 100644 --- a/docs/configuration/service/dhcp-server.rst +++ b/docs/configuration/service/dhcp-server.rst @@ -70,6 +70,12 @@ Individual Client Subnet any device trying to request an IP address that is not valid for this network. +.. cfgcmd:: set service dhcp-server shared-network-name subnet + subnet-id + + This configuration parameter is required and must be unique to each subnet. + It is required to map subnets to lease file entries. + .. cfgcmd:: set service dhcp-server shared-network-name subnet option default-router
@@ -197,6 +203,7 @@ inside the subnet definition but can be outside of the range statement. .. code-block:: none + set service dhcp-server shared-network-name 'NET1' subnet 192.168.1.0/24 subnet-id 1 set service dhcp-server shared-network-name 'NET1' subnet 192.168.1.0/24 static-mapping client1 ip-address 192.168.1.100 set service dhcp-server shared-network-name 'NET1' subnet 192.168.1.0/24 static-mapping client1 mac-address aa:bb:11:22:33:00 @@ -210,6 +217,7 @@ The configuration will look as follows: ip-address 192.168.1.100 mac-address aa:bb:11:22:33:00 } + subnet-id 1 } Options @@ -377,6 +385,7 @@ Common configuration, valid for both primary and secondary node. set service dhcp-server shared-network-name NET-VYOS subnet 192.0.2.0/24 option domain-name 'vyos.net' set service dhcp-server shared-network-name NET-VYOS subnet 192.0.2.0/24 range 0 start '192.0.2.10' set service dhcp-server shared-network-name NET-VYOS subnet 192.0.2.0/24 range 0 stop '192.0.2.250' + set service dhcp-server shared-network-name NET-VYOS subnet 192.0.2.0/24 subnet-id '1' **Primary** @@ -505,6 +514,12 @@ Configuration Clients receiving advertise messages from multiple servers choose the server with the highest preference value. The range for this value is ``0...255``. +.. cfgcmd:: set service dhcpv6-server shared-network-name subnet + subnet-id + + This configuration parameter is required and must be unique to each subnet. + It is required to map subnets to lease file entries. + .. cfgcmd:: set service dhcpv6-server shared-network-name subnet lease-time {default | maximum | minimum} @@ -581,6 +596,7 @@ server. The following example describes a common scenario. set service dhcpv6-server shared-network-name 'NET1' subnet 2001:db8::/64 address-range start 2001:db8::100 stop 2001:db8::199 set service dhcpv6-server shared-network-name 'NET1' subnet 2001:db8::/64 name-server 2001:db8::ffff + set service dhcpv6-server shared-network-name 'NET1' subnet 2001:db8::/64 subnet-id 1 The configuration will look as follows: @@ -595,6 +611,7 @@ The configuration will look as follows: } } name-server 2001:db8::ffff + subnet-id 1 } } diff --git a/docs/installation/install.rst b/docs/installation/install.rst index bf0f11fe..17bccfbd 100644 --- a/docs/installation/install.rst +++ b/docs/installation/install.rst @@ -467,6 +467,7 @@ In this example we configured an existent VyOS as the DHCP server: start 192.168.1.70 stop 192.168.1.100 } + subnet-id 1 } } diff --git a/docs/quick-start.rst b/docs/quick-start.rst index 44ff99ff..05e278ad 100644 --- a/docs/quick-start.rst +++ b/docs/quick-start.rst @@ -99,6 +99,7 @@ DNS server. set service dhcp-server shared-network-name LAN subnet 192.168.0.0/24 lease '86400' set service dhcp-server shared-network-name LAN subnet 192.168.0.0/24 range 0 start '192.168.0.9' set service dhcp-server shared-network-name LAN subnet 192.168.0.0/24 range 0 stop '192.168.0.254' + set service dhcp-server shared-network-name LAN subnet 192.168.0.0/24 subnet-id '1' set service dns forwarding cache-size '0' set service dns forwarding listen-address '192.168.0.1' -- cgit v1.2.3 From 85ef13b14fa37b8780f6e6c8220bc54366c72741 Mon Sep 17 00:00:00 2001 From: Nicolas Fort Date: Thu, 11 Jan 2024 09:46:26 -0300 Subject: Add opmode commands for firewall zones, and add global state-policies in quick-start --- docs/configuration/firewall/zone.rst | 38 ++++++++++++++++++++++++++++++++++++ docs/quick-start.rst | 31 +++++++++++++++++++++-------- 2 files changed, 61 insertions(+), 8 deletions(-) (limited to 'docs/configuration') diff --git a/docs/configuration/firewall/zone.rst b/docs/configuration/firewall/zone.rst index 1ab9c630..059b029d 100644 --- a/docs/configuration/firewall/zone.rst +++ b/docs/configuration/firewall/zone.rst @@ -123,3 +123,41 @@ written from the perspective of: *Source Zone*-to->*Destination Zone* set firewall zone DMZ from LAN firewall name LANv4-to-DMZv4 set firewall zone LAN from DMZ firewall name DMZv4-to-LANv4 +************** +Operation-mode +************** + +.. opcmd:: show firewall zone-policy + + This will show you a basic summary of zones configuration. + + .. code-block:: none + + vyos@vyos:~$ show firewall zone-policy + Zone Interfaces From Zone Firewall IPv4 Firewall IPv6 + ------ ------------ ----------- --------------- --------------- + LAN eth1 WAN WAN_to_LAN + eth2 + LOCAL LOCAL LAN LAN_to_LOCAL + WAN WAN_to_LOCAL WAN_to_LOCAL_v6 + WAN eth3 LAN LAN_to_WAN + eth0 LOCAL LOCAL_to_WAN + vyos@vyos:~$ + +.. opcmd:: show firewall zone-policy zone + + This will show you a basic summary of a particular zone. + + .. code-block:: none + + vyos@vyos:~$ show firewall zone-policy zone WAN + Zone Interfaces From Zone Firewall IPv4 Firewall IPv6 + ------ ------------ ----------- --------------- --------------- + WAN eth3 LAN LAN_to_WAN + eth0 LOCAL LOCAL_to_WAN + vyos@vyos:~$ show firewall zone-policy zone LOCAL + Zone Interfaces From Zone Firewall IPv4 Firewall IPv6 + ------ ------------ ----------- --------------- --------------- + LOCAL LOCAL LAN LAN_to_LOCAL + WAN WAN_to_LOCAL WAN_to_LOCAL_v6 + vyos@vyos:~$ diff --git a/docs/quick-start.rst b/docs/quick-start.rst index c8bb3f04..bbd7ab77 100644 --- a/docs/quick-start.rst +++ b/docs/quick-start.rst @@ -141,7 +141,7 @@ networks, addresses, ports, and domains that describe different parts of our network. We can then use them for filtering within our firewall rulesets, allowing for more concise and readable configuration. -In this case, we will create two interface groups—a ``WAN`` group for our +In this case, we will create two interface groups — a ``WAN`` group for our interfaces connected to the public internet and a ``LAN`` group for the interfaces connected to our internal network. Additionally, we will create a network group, ``NET-INSIDE-v4``, that contains our internal subnet. @@ -156,10 +156,26 @@ Configure Stateful Packet Filtering ----------------------------------- With the new firewall structure, we have have a lot of flexibility in how we -group and order our rules, as shown by the two alternative approaches below. +group and order our rules, as shown by the three alternative approaches below. -Option 1: Common Chain -^^^^^^^^^^^^^^^^^^^^^^ +Option 1: Global State Policies +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ +Using options defined in ``set firewall global-options state-policy``, state +policy rules that applies for both IPv4 and IPv6 are created. These global +state policies also applies for all traffic that passes through the router +(transit) and for traffic originated/destinated to/from the router itself, and +will be avaluated before any other rule defined in the firewall. + +Most installations would choose this option, and will contain: + +.. code-block:: none + + set firewall global-options state-policy established action accept + set firewall global-options state-policy related action accept + set firewall global-options state-policy invalid action drop + +Option 2: Common/Custom Chain +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ We can create a common chain for stateful connection filtering of multiple interfaces (or multiple netfilter hooks on one interface). Those individual @@ -196,12 +212,11 @@ hooks as the first filtering rule in the respective chains: set firewall ipv4 input filter rule 10 action 'jump' set firewall ipv4 input filter rule 10 jump-target CONN_FILTER -Option 2: Per-Hook Chain +Option 3: Per-Hook Chain ^^^^^^^^^^^^^^^^^^^^^^^^ -Alternatively, instead of configuring the ``CONN_FILTER`` chain described above, -you can take the more traditional stateful connection filtering approach by -creating rules on each hook's chain: +Alternatively, you can take the more traditional stateful connection +filtering approach by creating rules on each base hook's chain: .. code-block:: none -- cgit v1.2.3 From 3b50e4600a2db1abaff3d4049bd6627a272b00dc Mon Sep 17 00:00:00 2001 From: sarthurdev <965089+sarthurdev@users.noreply.github.com> Date: Sat, 13 Jan 2024 00:53:52 +0100 Subject: Update syntax for Kea option change --- docs/configuration/service/dhcp-server.rst | 28 +++++++++++++++------------- 1 file changed, 15 insertions(+), 13 deletions(-) (limited to 'docs/configuration') diff --git a/docs/configuration/service/dhcp-server.rst b/docs/configuration/service/dhcp-server.rst index c51a0aff..b99e5baa 100644 --- a/docs/configuration/service/dhcp-server.rst +++ b/docs/configuration/service/dhcp-server.rst @@ -528,35 +528,35 @@ Configuration values need to be supplied in seconds. .. cfgcmd:: set service dhcpv6-server shared-network-name subnet - nis-domain + option nis-domain A :abbr:`NIS (Network Information Service)` domain can be set to be used for DHCPv6 clients. .. cfgcmd:: set service dhcpv6-server shared-network-name subnet - nisplus-domain + option nisplus-domain The procedure to specify a :abbr:`NIS+ (Network Information Service Plus)` domain is similar to the NIS domain one: .. cfgcmd:: set service dhcpv6-server shared-network-name subnet - nis-server
+ option nis-server
Specify a NIS server address for DHCPv6 clients. .. cfgcmd:: set service dhcpv6-server shared-network-name subnet - nisplus-server
+ option nisplus-server
Specify a NIS+ server address for DHCPv6 clients. .. cfgcmd:: set service dhcpv6-server shared-network-name subnet - sip-server
+ option sip-server
Specify a :abbr:`SIP (Session Initiation Protocol)` server by IPv6 address of Fully Qualified Domain Name for all DHCPv6 clients. .. cfgcmd:: set service dhcpv6-server shared-network-name subnet - sntp-server-address
+ option sntp-server-address
A SNTP server address can be specified for DHCPv6 clients. @@ -594,8 +594,9 @@ server. The following example describes a common scenario. .. code-block:: none - set service dhcpv6-server shared-network-name 'NET1' subnet 2001:db8::/64 address-range start 2001:db8::100 stop 2001:db8::199 - set service dhcpv6-server shared-network-name 'NET1' subnet 2001:db8::/64 name-server 2001:db8::ffff + set service dhcpv6-server shared-network-name 'NET1' subnet 2001:db8::/64 range 1 start 2001:db8::100 stop 2001:db8::199 + set service dhcpv6-server shared-network-name 'NET1' subnet 2001:db8::/64 range 1 stop 2001:db8::199 + set service dhcpv6-server shared-network-name 'NET1' subnet 2001:db8::/64 option name-server 2001:db8::ffff set service dhcpv6-server shared-network-name 'NET1' subnet 2001:db8::/64 subnet-id 1 The configuration will look as follows: @@ -605,12 +606,13 @@ The configuration will look as follows: show service dhcpv6-server shared-network-name NET1 { subnet 2001:db8::/64 { - address-range { - start 2001:db8::100 { - stop 2001:db8::199 - } + range 1 { + start 2001:db8::100 + stop 2001:db8::199 + } + option { + name-server 2001:db8::ffff } - name-server 2001:db8::ffff subnet-id 1 } } -- cgit v1.2.3 From e6ade0470d59cf0ed45101f525e80d575f3a08d4 Mon Sep 17 00:00:00 2001 From: sarthurdev <965089+sarthurdev@users.noreply.github.com> Date: Sun, 14 Jan 2024 17:40:18 +0100 Subject: dhcp: T3316: Update documentation for changes in PR vyos/vyos-1x#2650 --- docs/configuration/service/dhcp-server.rst | 16 +++++++++++----- 1 file changed, 11 insertions(+), 5 deletions(-) (limited to 'docs/configuration') diff --git a/docs/configuration/service/dhcp-server.rst b/docs/configuration/service/dhcp-server.rst index b99e5baa..6813d2c0 100644 --- a/docs/configuration/service/dhcp-server.rst +++ b/docs/configuration/service/dhcp-server.rst @@ -178,11 +178,17 @@ MAC address of the station and your desired IP address. The address must be inside the subnet definition but can be outside of the range statement. .. cfgcmd:: set service dhcp-server shared-network-name subnet - static-mapping mac-address
+ static-mapping mac
Create a new DHCP static mapping named `` which is valid for the host identified by its MAC `
`. +.. cfgcmd:: set service dhcp-server shared-network-name subnet + static-mapping duid + + Create a new DHCP static mapping named `` which is valid for + the host identified by its DHCP unique identifier (DUID) ``. + .. cfgcmd:: set service dhcp-server shared-network-name subnet static-mapping ip-address
@@ -205,7 +211,7 @@ inside the subnet definition but can be outside of the range statement. set service dhcp-server shared-network-name 'NET1' subnet 192.168.1.0/24 subnet-id 1 set service dhcp-server shared-network-name 'NET1' subnet 192.168.1.0/24 static-mapping client1 ip-address 192.168.1.100 - set service dhcp-server shared-network-name 'NET1' subnet 192.168.1.0/24 static-mapping client1 mac-address aa:bb:11:22:33:00 + set service dhcp-server shared-network-name 'NET1' subnet 192.168.1.0/24 static-mapping client1 mac aa:bb:11:22:33:00 The configuration will look as follows: @@ -215,7 +221,7 @@ The configuration will look as follows: subnet 192.168.1.0/24 { static-mapping client1 { ip-address 192.168.1.100 - mac-address aa:bb:11:22:33:00 + mac aa:bb:11:22:33:00 } subnet-id 1 } @@ -641,7 +647,7 @@ be created. The following example explains the process. set service dhcpv6-server shared-network-name 'NET1' subnet 2001:db8::/64 static-mapping client1 ipv6-address 2001:db8::101 set service dhcpv6-server shared-network-name 'NET1' subnet 2001:db8::/64 static-mapping client1 ipv6-prefix 2001:db8:0:101::/64 - set service dhcpv6-server shared-network-name 'NET1' subnet 2001:db8::/64 static-mapping client1 identifier 00:01:00:01:12:34:56:78:aa:bb:cc:dd:ee:ff + set service dhcpv6-server shared-network-name 'NET1' subnet 2001:db8::/64 static-mapping client1 duid 00:01:00:01:12:34:56:78:aa:bb:cc:dd:ee:ff The configuration will look as follows: @@ -652,7 +658,7 @@ The configuration will look as follows: show service dhcpv6-server shared-network-name NET1 subnet 2001:db8::/64 { static-mapping client1 { - identifier 00:01:00:01:12:34:56:78:aa:bb:cc:dd:ee:ff + duid 00:01:00:01:12:34:56:78:aa:bb:cc:dd:ee:ff ipv6-address 2001:db8::101 ipv6-prefix 2001:db8:0:101::/64 } -- cgit v1.2.3 From cfb7e8186d83e45092f361f9717c9542bfad053b Mon Sep 17 00:00:00 2001 From: aapostoliuk Date: Fri, 19 Jan 2024 12:39:38 +0200 Subject: Updated DPD and close-action values in IPSEC Changed from 'hold' to 'trap' and from 'restart' to 'start' in close-action. Changed from 'hold' to 'trap' in DPD action. --- docs/_static/images/IPSec_close_action_settings.jpg | Bin 62330 -> 70253 bytes docs/configuration/vpn/ipsec.rst | 12 +++++++----- docs/configuration/vpn/site2site_ipsec.rst | 12 ++++++------ 3 files changed, 13 insertions(+), 11 deletions(-) (limited to 'docs/configuration') diff --git a/docs/_static/images/IPSec_close_action_settings.jpg b/docs/_static/images/IPSec_close_action_settings.jpg index 6996f857..a4e258cc 100644 Binary files a/docs/_static/images/IPSec_close_action_settings.jpg and b/docs/_static/images/IPSec_close_action_settings.jpg differ diff --git a/docs/configuration/vpn/ipsec.rst b/docs/configuration/vpn/ipsec.rst index b6ee86af..fad69bc3 100644 --- a/docs/configuration/vpn/ipsec.rst +++ b/docs/configuration/vpn/ipsec.rst @@ -49,9 +49,9 @@ VyOS IKE group has the next options: * ``none`` set action to none (default); - * ``hold`` set action to hold; + * ``trap`` installs a trap policy for the CHILD_SA; - * ``restart`` set action to restart; + * ``start`` tries to immediately re-create the CHILD_SA; * ``dead-peer-detection`` controls the use of the Dead Peer Detection protocol (DPD, RFC 3706) where R_U_THERE notification messages (IKEv1) or empty @@ -60,11 +60,13 @@ VyOS IKE group has the next options: * ``action`` keep-alive failure action: - * ``hold`` set action to hold (default) + * ``trap`` installs a trap policy, which will catch matching traffic + and tries to re-negotiate the tunnel on-demand; - * ``clear`` set action to clear; + * ``clear`` closes the CHILD_SA and does not take further action (default); - * ``restart`` set action to restart; + * ``restart`` immediately tries to re-negotiate the CHILD_SA + under a fresh IKE_SA; * ``interval`` keep-alive interval in seconds <2-86400> (default 30); diff --git a/docs/configuration/vpn/site2site_ipsec.rst b/docs/configuration/vpn/site2site_ipsec.rst index 23df1b76..78cadfb5 100644 --- a/docs/configuration/vpn/site2site_ipsec.rst +++ b/docs/configuration/vpn/site2site_ipsec.rst @@ -317,7 +317,7 @@ Imagine the following topology set vpn ipsec esp-group ESP_DEFAULT proposal 10 encryption 'aes256gcm128' set vpn ipsec esp-group ESP_DEFAULT proposal 10 hash 'sha256' set vpn ipsec ike-group IKEv2_DEFAULT close-action 'none' - set vpn ipsec ike-group IKEv2_DEFAULT dead-peer-detection action 'hold' + set vpn ipsec ike-group IKEv2_DEFAULT dead-peer-detection action 'trap' set vpn ipsec ike-group IKEv2_DEFAULT dead-peer-detection interval '30' set vpn ipsec ike-group IKEv2_DEFAULT dead-peer-detection timeout '120' set vpn ipsec ike-group IKEv2_DEFAULT disable-mobike @@ -357,7 +357,7 @@ Imagine the following topology set vpn ipsec esp-group ESP_DEFAULT proposal 10 encryption 'aes256gcm128' set vpn ipsec esp-group ESP_DEFAULT proposal 10 hash 'sha256' set vpn ipsec ike-group IKEv2_DEFAULT close-action 'none' - set vpn ipsec ike-group IKEv2_DEFAULT dead-peer-detection action 'hold' + set vpn ipsec ike-group IKEv2_DEFAULT dead-peer-detection action 'trap' set vpn ipsec ike-group IKEv2_DEFAULT dead-peer-detection interval '30' set vpn ipsec ike-group IKEv2_DEFAULT dead-peer-detection timeout '120' set vpn ipsec ike-group IKEv2_DEFAULT disable-mobike @@ -397,18 +397,18 @@ Key Parameters: routes installed in the default table 220 for site-to-site ipsec. It is mostly used with VTI configuration. -* ``dead-peer-detection action = clear | hold | restart`` - R_U_THERE +* ``dead-peer-detection action = clear | trap | restart`` - R_U_THERE notification messages(IKEv1) or empty INFORMATIONAL messages (IKEv2) are periodically sent in order to check the liveliness of the IPsec peer. The - values clear, hold, and restart all activate DPD and determine the action to + values clear, trap, and restart all activate DPD and determine the action to perform on a timeout. With ``clear`` the connection is closed with no further actions taken. - ``hold`` installs a trap policy, which will catch matching traffic and tries + ``trap`` installs a trap policy, which will catch matching traffic and tries to re-negotiate the connection on demand. ``restart`` will immediately trigger an attempt to re-negotiate the connection. -* ``close-action = none | clear | hold | restart`` - defines the action to take +* ``close-action = none | clear | trap | start`` - defines the action to take if the remote peer unexpectedly closes a CHILD_SA (see above for meaning of values). A closeaction should not be used if the peer uses reauthentication or uniqueids. -- cgit v1.2.3 From f5b79621d0c841ee9a596543a05ad1acc9130c1d Mon Sep 17 00:00:00 2001 From: aapostoliuk Date: Fri, 19 Jan 2024 13:38:40 +0200 Subject: Changed IPv6 pool documentation in accel-ppp services Changed IPv6 pool documentation in accel-ppp services to named IPv6 pools. https://vyos.dev/T5865 --- docs/configuration/service/ipoe-server.rst | 10 ++++++---- docs/configuration/service/pppoe-server.rst | 25 +++++++++++++++++-------- docs/configuration/vpn/sstp.rst | 12 +++++++++--- 3 files changed, 32 insertions(+), 15 deletions(-) (limited to 'docs/configuration') diff --git a/docs/configuration/service/ipoe-server.rst b/docs/configuration/service/ipoe-server.rst index c219a063..ed4ade1a 100644 --- a/docs/configuration/service/ipoe-server.rst +++ b/docs/configuration/service/ipoe-server.rst @@ -72,8 +72,9 @@ IPv6 DNS addresses are optional. set service ipoe-server authentication interface eth3 mac 08:00:27:2F:D8:06 set service ipoe-server authentication mode 'local' - set service ipoe-server client-ipv6-pool delegate '2001:db8:1::/48' delegation-prefix '56' - set service ipoe-server client-ipv6-pool prefix '2001:db8::/48' mask '64' + set service ipoe-server client-ipv6-pool IPv6-POOL delegate '2001:db8:1::/48' delegation-prefix '56' + set service ipoe-server client-ipv6-pool IPv6-POOL prefix '2001:db8::/48' mask '64' + set service ipoe-server default-ipv6-pool IPv6-POOL set service ipoe-server name-server '2001:db8::' set service ipoe-server name-server '2001:db8:aaa::' set service ipoe-server name-server '2001:db8:bbb::' @@ -171,8 +172,9 @@ Server configuration set service ipoe-server authentication interface eth1.51 mac 00:0c:29:b7:49:a7 rate-limit upload '50000' set service ipoe-server authentication mode 'local' - set service ipoe-server client-ipv6-pool delegate 2001:db8:ffff::/48 delegation-prefix '56' - set service ipoe-server client-ipv6-pool prefix 2001:db8:fffe::/48 mask '64' + set service ipoe-server client-ipv6-pool IPv6-POOL delegate 2001:db8:ffff::/48 delegation-prefix '56' + set service ipoe-server client-ipv6-pool IPv6-POOL prefix 2001:db8:fffe::/48 mask '64' + set service ipoe-server default-ipv6-pool IPv6-POOL set service ipoe-server interface eth1.50 client-subnet '100.64.50.0/24' set service ipoe-server interface eth1.50 mode 'l2' set service ipoe-server interface eth1.51 client-subnet '100.64.51.0/24' diff --git a/docs/configuration/service/pppoe-server.rst b/docs/configuration/service/pppoe-server.rst index a230d9fe..56fcb968 100644 --- a/docs/configuration/service/pppoe-server.rst +++ b/docs/configuration/service/pppoe-server.rst @@ -266,11 +266,11 @@ other servers. Last command says that this PPPoE server can serve only IPv6 ---- -IPv6 client's prefix assignment -^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ +IPv6 client's prefix +^^^^^^^^^^^^^^^^^^^^ -.. cfgcmd:: set service pppoe-server client-ipv6-pool prefix
- mask +.. cfgcmd:: set service pppoe-server client-ipv6-pool + prefix
mask Use this comand to set the IPv6 address pool from which a PPPoE client will get an IPv6 prefix of your defined length (mask) to @@ -281,8 +281,8 @@ IPv6 client's prefix assignment IPv6 Prefix Delegation ^^^^^^^^^^^^^^^^^^^^^^ -.. cfgcmd:: set service pppoe-server client-ipv6-pool delegate
- delegation-prefix +.. cfgcmd:: set service pppoe-server client-ipv6-pool + delegate
delegation-prefix Use this command to configure DHCPv6 Prefix Delegation (RFC3633). You will have to set your IPv6 pool and the length of the delegation @@ -291,6 +291,14 @@ IPv6 Prefix Delegation delegation prefix can be set from 32 to 64 bit long. +IPv6 default client's pool assignment +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +.. cfgcmd:: set service pppoe-server default-ipv6-pool + + Use this command to define default IPv6 address pool name. + + Maintenance mode ================ @@ -374,8 +382,9 @@ The example below covers a dual-stack configuration via pppoe-server. set service pppoe-server authentication mode 'local' set service pppoe-server client-ip-pool IP-POOL range '192.168.0.1/24' set service pppoe-server default-pool 'IP-POOL' - set service pppoe-server client-ipv6-pool delegate '2001:db8:8003::/48' delegation-prefix '56' - set service pppoe-server client-ipv6-pool prefix '2001:db8:8002::/48' mask '64' + set service pppoe-server client-ipv6-pool IPv6-POOL delegate '2001:db8:8003::/48' delegation-prefix '56' + set service pppoe-server client-ipv6-pool IPV6-POOL prefix '2001:db8:8002::/48' mask '64' + set service pppoe-server default-ipv6-pool IPv6-POOL set service pppoe-server ppp-options ipv6 allow set service pppoe-server name-server '10.1.1.1' set service pppoe-server name-server '2001:db8:4860::8888' diff --git a/docs/configuration/vpn/sstp.rst b/docs/configuration/vpn/sstp.rst index d9bb4353..2c5cef6d 100644 --- a/docs/configuration/vpn/sstp.rst +++ b/docs/configuration/vpn/sstp.rst @@ -132,7 +132,8 @@ Configuration Use this command to define default address pool name. -.. cfgcmd:: set vpn sstp client-ipv6-pool prefix
mask +.. cfgcmd:: set vpn sstp client-ipv6-pool prefix
+ mask Use this comand to set the IPv6 address pool from which an SSTP client will get an IPv6 prefix of your defined length (mask) to terminate the @@ -140,8 +141,8 @@ Configuration bit long, the default value is 64. -.. cfgcmd:: set vpn sstp client-ipv6-pool delegate
delegation-prefix - +.. cfgcmd:: set vpn sstp client-ipv6-pool delegate
+ delegation-prefix Use this command to configure DHCPv6 Prefix Delegation (RFC3633) on SSTP. You will have to set your IPv6 pool and the length of the @@ -150,6 +151,11 @@ Configuration delegation prefix can be set from 32 to 64 bit long. +.. cfgcmd:: set vpn sstp default-ipv6-pool + + Use this command to define default IPv6 address pool name. + + .. cfgcmd:: set vpn sstp name-server
Connected client should use `
` as their DNS server. This -- cgit v1.2.3 From adf7e91c5dfe7020d0df48aa93c62abcd8ca482d Mon Sep 17 00:00:00 2001 From: James Simpson <10970100+jsimpso@users.noreply.github.com> Date: Sun, 21 Jan 2024 18:28:36 +0800 Subject: minor wording fixes / adjustments --- docs/configuration/firewall/index.rst | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) (limited to 'docs/configuration') diff --git a/docs/configuration/firewall/index.rst b/docs/configuration/firewall/index.rst index 74d5bc20..5d9190d6 100644 --- a/docs/configuration/firewall/index.rst +++ b/docs/configuration/firewall/index.rst @@ -66,10 +66,10 @@ packetis processed at the **IP Layer**: can be filtered and controlled. Bear in mind that this traffic can be a new connection originated by a internal process running on VyOS router, such as NTP, or a response to traffic received externaly through - **inputt** (for example response to an ssh login attempt to the router). + **input** (for example response to an ssh login attempt to the router). This includes ipv4 and ipv6 filtering rules, defined in: - * ``set firewall ipv4 input filter ...``. + * ``set firewall ipv4 output filter ...``. * ``set firewall ipv6 output filter ...``. @@ -81,7 +81,7 @@ packetis processed at the **IP Layer**: destination...``. If the interface where the packet was received is part of a bridge, then -packetis processed at the **Bridge Layer**, which contains a basic setup for +the packet is processed at the **Bridge Layer**, which contains a basic setup for bridge filtering: * **Forward (Bridge)**: stage where traffic that is trespasing through the @@ -89,7 +89,7 @@ bridge filtering: * ``set firewall bridge forward filter ...``. -The main structure VyOS firewall cli is shown next: +The main structure of the VyOS firewall CLI is shown next: .. code-block:: none -- cgit v1.2.3 From 2443622964b476bfbcf88b05322fd27b55406fad Mon Sep 17 00:00:00 2001 From: Christian Breunig Date: Sun, 21 Jan 2024 20:48:33 +0100 Subject: ntp: T5692: add support to configure leap second behavior --- docs/configuration/service/ntp.rst | 31 ++++++++++++++++++++++++++++++- 1 file changed, 30 insertions(+), 1 deletion(-) (limited to 'docs/configuration') diff --git a/docs/configuration/service/ntp.rst b/docs/configuration/service/ntp.rst index 08be047c..e7ee392b 100644 --- a/docs/configuration/service/ntp.rst +++ b/docs/configuration/service/ntp.rst @@ -81,4 +81,33 @@ Configuration .. cfgcmd:: set service ntp vrf - Specify name of the :abbr:`VRF (Virtual Routing and Forwarding)` instance. + Specify name of the :abbr:`VRF (Virtual Routing and Forwarding)` instance. + +.. cfgcmd:: set service ntp leap-second [ignore|smear|system|timezone] + + Define how to handle leaf-seonds. + + * `ignore`: No correction is applied to the clock for the leap second. The + clock will be corrected later in normal operation when new measurements are + made and the estimated offset includes the one second error. + + * `smear`: When smearing a leap second, the leap status is suppressed on the + server and the served time is corrected slowly by slewing instead of + stepping. The clients do not need any special configuration as they do not + know there is any leap second and they follow the server time which + eventually brings them back to UTC. Care must be taken to ensure they use + only NTP servers which smear the leap second in exactly the same way for + synchronisation. + + * `system`: When inserting a leap second, the kernel steps the system clock + backwards by one second when the clock gets to 00:00:00 UTC. When deleting + a leap second, it steps forward by one second when the clock gets to + 23:59:59 UTC. + + * `timezone`: This directive specifies a timezone in the system timezone + database which chronyd can use to determine when will the next leap second + occur and what is the current offset between TAI and UTC. It will + periodically check if 23:59:59 and 23:59:60 are valid times in the + timezone. This normally works with the right/UTC timezone which is the + default + -- cgit v1.2.3 From 57cdbe065b89ec38a779ddb7530cda3ac240caf2 Mon Sep 17 00:00:00 2001 From: Nicolas Fort Date: Tue, 23 Jan 2024 06:57:42 -0300 Subject: Adding first documentation regarding IDS and FastNetMon. Also a brief configuration example is provided. --- docs/configuration/service/ids.rst | 179 +++++++++++++++++++++++++++++++++++ docs/configuration/service/index.rst | 4 +- 2 files changed, 182 insertions(+), 1 deletion(-) create mode 100644 docs/configuration/service/ids.rst (limited to 'docs/configuration') diff --git a/docs/configuration/service/ids.rst b/docs/configuration/service/ids.rst new file mode 100644 index 00000000..3e508d50 --- /dev/null +++ b/docs/configuration/service/ids.rst @@ -0,0 +1,179 @@ +.. _ids: + +############### +DDoS Protection +############### + +********** +FastNetMon +********** + +FastNetMon is a high-performance DDoS detector/sensor built on top of multiple +packet capture engines: NetFlow, IPFIX, sFlow, AF_PACKET (port mirror). It can +detect hosts in the deployed network sending or receiving large volumes of +traffic, packets/bytes/flows per second and perform a configurable action to +handle that event, such as calling a custom script. + +VyOS includes the FastNetMon Community Edition. + +Configuration +============= + +.. cfgcmd:: set service ids ddos-protection alert-script + + Configure alert script that will be executed when an attack is detected. + +.. cfgcmd:: set service ids ddos-protection ban-time <1-4294967294> + + Configure how long an IP (attacker) should be kept in blocked state. + Default value is 1900. + +.. cfgcmd:: set service ids ddos-protection direction [in | out] + + Configure direction for processing traffic. + +.. cfgcmd:: set service ids ddos-protection exclude-network +.. cfgcmd:: set service ids ddos-protection exlude-network + + Specify IPv4 and/or IPv6 networks which are going to be excluded. + +.. cfgcmd:: set service ids ddos-protection listen-interface + + Configure listen interface for mirroring traffic. + +.. cfgcmd:: set service ids ddos-protection mode [mirror | sflow] + + Configure traffic capture mode. + +.. cfgcmd:: set service ids ddos-protection network +.. cfgcmd:: set service ids ddos-protection network + + Specify IPv4 and/or IPv6 networks that should be protected/monitored. + +.. cfgcmd:: set service ids ddos-protection sflow listen-address + + Configure local IPv4 address to listen for sflow. + +.. cfgcmd:: set service ids ddos-protection sflow port <1-65535> + + Configure port number to be used for sflow conection. Default port is 6343. + +.. cfgcmd:: set service ids ddos-protection threshold general + [fps | mbps | pps] <0-4294967294> + + Configure general threshold parameters. + +.. cfgcmd:: set service ids ddos-protection threshold icmp + [fps | mbps | pps] <0-4294967294> + + Configure ICMP threshold parameters. + +.. cfgcmd:: set service ids ddos-protection threshold tcp + [fps | mbps | pps] <0-4294967294> + + Configure TCP threshold parameters + +.. cfgcmd:: set service ids ddos-protection threshold udp + [fps | mbps | pps] <0-4294967294> + + Configure UDP threshold parameters + +Example +======= + +A configuration example can be found in this section. +In this simplified scenario, main things to be considered are: + + * Network to be protected: 192.0.2.0/24 (public IPs use by + customers) + + * **ban-time** and **threshold**: these values are kept very low in order + to easily identify and generate and attack. + + * Direction: **in** and **out**. Protect public network from external + attacks, and identify internal attacks towards internet. + + * Interface **eth0** used to connect to upstream. + +Since we are analyzing attacks to and from our internal network, two types +of attacks can be identified, and differents actions are needed: + + * External attack: an attack from the internet towards an internal IP + is identify. In this case, all connections towards such IP will be + blocked + + * Internal attack: an attack from the internal network (generated by a + customer) towards the internet is identify. In this case, all connections + from this particular IP/Customer will be blocked. + + +So, firewall configuration needed for this setup: + +.. code-block:: none + + set firewall group address-group FNMS-DST-Block + set firewall group address-group FNMS-SRC-Block + + set firewall ipv4 forward filter rule 10 action 'drop' + set firewall ipv4 forward filter rule 10 description 'FNMS - block destination' + set firewall ipv4 forward filter rule 10 destination group address-group 'FNMS-DST-Block' + + set firewall ipv4 forward filter rule 20 action 'drop' + set firewall ipv4 forward filter rule 20 description 'FNMS - Block source' + set firewall ipv4 forward filter rule 20 source group address-group 'FNMS-SRC-Block' + +Then, FastNetMon configuration: + +.. code-block:: none + + set service ids ddos-protection alert-script '/config/scripts/fnm-alert.sh' + set service ids ddos-protection ban-time '10' + set service ids ddos-protection direction 'in' + set service ids ddos-protection direction 'out' + set service ids ddos-protection listen-interface 'eth0' + set service ids ddos-protection mode 'mirror' + set service ids ddos-protection network '192.0.2.0/24' + set service ids ddos-protection threshold general pps '100' + +And content of the script: + +.. code-block:: none + + #!/bin/bash + + # alert-script is called twice. + # When an attack occurs, the program calls a bash script twice: + # 1st time when threshold exceed + # 2nd when we collect 100 packets for detailed audit of what happened. + + # Do nothing if “attack_details” is passed as an argument + if [ "${4}" == "attack_details" ]; then + # Do nothing + exit + fi + # Arguments: + ip=$1 + direction=$2 + pps_rate=$3 + action=$4 + + logger -t FNMS "** Start - Running alert script **" + + if [ "${direction}" == "incoming" ] ; then + group="FNMS-DST-Block" + origin="external" + else + group="FNMS-SRC-Block" + origin="internal" + fi + + if [ "${action}" == "ban" ] ; then + logger -t FNMS "Attack detected for IP ${ip} and ${direction} direction from ${origin} network. Need to block IP address." + logger -t FNMS "Adding IP address ${ip} to firewall group ${group}." + sudo nft add element ip vyos_filter A_${group} { ${ip} } + else + logger -t FNMS "Timeout for IP ${ip}, removing it from group ${group}." + sudo nft delete element ip vyos_filter A_${group} { ${ip} } + fi + logger -t FNMS "** End - Running alert script **" + exit diff --git a/docs/configuration/service/index.rst b/docs/configuration/service/index.rst index 1195348f..56ce55eb 100644 --- a/docs/configuration/service/index.rst +++ b/docs/configuration/service/index.rst @@ -13,7 +13,9 @@ Service dhcp-relay dhcp-server dns + eventhandler https + ids ipoe-server lldp mdns @@ -26,4 +28,4 @@ Service ssh tftp-server webproxy - eventhandler + -- cgit v1.2.3 From c1716052eba00ad6c612755f55015e840e946828 Mon Sep 17 00:00:00 2001 From: Christian Breunig Date: Tue, 23 Jan 2024 12:56:57 +0100 Subject: bfd: T5967: add minimum-ttl option --- docs/configuration/protocols/bfd.rst | 7 +++++++ 1 file changed, 7 insertions(+) (limited to 'docs/configuration') diff --git a/docs/configuration/protocols/bfd.rst b/docs/configuration/protocols/bfd.rst index 496c0cf9..30876efc 100644 --- a/docs/configuration/protocols/bfd.rst +++ b/docs/configuration/protocols/bfd.rst @@ -56,6 +56,13 @@ Configure BFD Disable a BFD peer +.. cfgcmd:: set protocols bfd peer
minimum-ttl <1-254> + + For multi hop sessions only. Configure the minimum expected TTL for an + incoming BFD control packet. + + This feature serves the purpose of thightening the packet validation + requirements to avoid receiving BFD control packets from other sessions. Enable BFD in BGP ----------------- -- cgit v1.2.3 From ce0b62678f791a18dcc58defc209fbe71b868fca Mon Sep 17 00:00:00 2001 From: khramshinr Date: Tue, 30 Jan 2024 21:02:23 +0700 Subject: dns forwarding: T5687: Implement ECS settings for PowerDNS recursor --- docs/configuration/service/dns.rst | 14 ++++++++++++++ 1 file changed, 14 insertions(+) (limited to 'docs/configuration') diff --git a/docs/configuration/service/dns.rst b/docs/configuration/service/dns.rst index 7624d309..e430dc73 100644 --- a/docs/configuration/service/dns.rst +++ b/docs/configuration/service/dns.rst @@ -156,6 +156,20 @@ avoid being tracked by the provider of your upstream DNS server. recursor does not like, it is throttled. Any servers matching the supplied netmasks will never be throttled. +.. cfgcmd:: set service dns forwarding options ecs-add-for
+ + The requestor netmask for which the requestor IP Address should be used as the + EDNS Client Subnet for outgoing queries. + +.. cfgcmd:: set service dns forwarding options ecs-ipv4-bits + + Number of bits of client IPv4 address to pass when sending EDNS Client Subnet + address information. + +.. cfgcmd:: set service dns forwarding options edns-subnet-allow-list + + The netmask or domain that EDNS Client Subnet should be enabled for in outgoing queries. + Example ======= -- cgit v1.2.3 From 7ec9d4259de54247dc81d96ef63fc1877fdb94b4 Mon Sep 17 00:00:00 2001 From: Piotr Maksymiuk Date: Fri, 2 Feb 2024 10:41:51 +0100 Subject: container: T5955: set uid/gid for container --- docs/configuration/container/index.rst | 5 +++++ 1 file changed, 5 insertions(+) (limited to 'docs/configuration') diff --git a/docs/configuration/container/index.rst b/docs/configuration/container/index.rst index 0487f863..670ca29f 100644 --- a/docs/configuration/container/index.rst +++ b/docs/configuration/container/index.rst @@ -93,6 +93,11 @@ Configuration Volume is either mounted as rw (read-write - default) or ro (read-only) +.. cfgcmd:: set container name uid +.. cfgcmd:: set container name gid + + Set the User ID or Group ID of the container + .. cfgcmd:: set container name restart [no | on-failure | always] Set the restart behavior of the container. -- cgit v1.2.3 From 38e13fbab0560758baf3d676657254a490890376 Mon Sep 17 00:00:00 2001 From: Christian Breunig Date: Fri, 2 Feb 2024 20:19:30 +0100 Subject: T5979: add configurable kernel boot option 'disable-mitigations' --- docs/configuration/system/option.rst | 8 ++++++++ 1 file changed, 8 insertions(+) (limited to 'docs/configuration') diff --git a/docs/configuration/system/option.rst b/docs/configuration/system/option.rst index c9c9bfb1..4a1c3bd3 100644 --- a/docs/configuration/system/option.rst +++ b/docs/configuration/system/option.rst @@ -22,6 +22,14 @@ General Play an audible beep to the system speaker when system is ready. +Kernel +====== + +.. cfgcmd:: set system option kernel disable-mitigations + + Disable all optional CPU mitigations. This improves system performance, + but it may also expose users to several CPU vulnerabilities. + *********** HTTP client *********** -- cgit v1.2.3 From dd3537443d71b8a5481ad0e8fb1a8e4edd0ecb71 Mon Sep 17 00:00:00 2001 From: aapostoliuk Date: Thu, 25 Jan 2024 16:13:49 +0200 Subject: T5971: Added PPP options documentation Added PPP options documentation --- docs/configuration/vpn/l2tp.rst | 2 +- docs/configuration/vpn/sstp.rst | 71 ++++++++++++++++++++++++++++++++++++++--- 2 files changed, 68 insertions(+), 5 deletions(-) (limited to 'docs/configuration') diff --git a/docs/configuration/vpn/l2tp.rst b/docs/configuration/vpn/l2tp.rst index 4a7657e7..ce3b6711 100644 --- a/docs/configuration/vpn/l2tp.rst +++ b/docs/configuration/vpn/l2tp.rst @@ -98,7 +98,7 @@ Below is an example to configure a LNS: set vpn l2tp remote-access client-ip-pool L2TP-POOL range 192.168.255.2-192.168.255.254 set vpn l2tp remote-access default-pool 'L2TP-POOL' set vpn l2tp remote-access lns shared-secret 'secret' - set vpn l2tp remote-access ccp-disable + set vpn l2tp remote-access ppp-options disable-ccp set vpn l2tp remote-access authentication mode local set vpn l2tp remote-access authentication local-users username test password 'test' diff --git a/docs/configuration/vpn/sstp.rst b/docs/configuration/vpn/sstp.rst index 2c5cef6d..a9def827 100644 --- a/docs/configuration/vpn/sstp.rst +++ b/docs/configuration/vpn/sstp.rst @@ -179,35 +179,98 @@ SSL Certificates PPP Settings ------------ +.. cfgcmd:: set vpn sstp ppp-options disable-ccp + + Disable Compression Control Protocol (CCP). + CCP is enabled by default. + +.. cfgcmd:: set vpn sstp ppp-options interface-cache + + Specifies number of interfaces to keep in cache. It means that don’t + destroy interface after corresponding session is destroyed, instead + place it to cache and use it later for new sessions repeatedly. + This should reduce kernel-level interface creation/deletion rate lack. + Default value is **0**. + +.. cfgcmd:: set vpn sstp ppp-options ipv4 + + Specifies IPv4 negotiation preference. + + * **require** - Require IPv4 negotiation + * **prefer** - Ask client for IPv4 negotiation, do not fail if it rejects + * **allow** - Negotiate IPv4 only if client requests (Default value) + * **deny** - Do not negotiate IPv4 + +.. cfgcmd:: set vpn sstp ppp-options ipv6 + + Specifies IPv6 negotiation preference. + + * **require** - Require IPv6 negotiation + * **prefer** - Ask client for IPv6 negotiation, do not fail if it rejects + * **allow** - Negotiate IPv6 only if client requests + * **deny** - Do not negotiate IPv6 (default value) + +.. cfgcmd:: set vpn sstp ppp-options ipv6-accept-peer-interface-id + + Accept peer interface identifier. By default is not defined. + +.. cfgcmd:: set vpn sstp ppp-options ipv6-interface-id + + Specifies fixed or random interface identifier for IPv6. + By default is fixed. + + * **random** - Random interface identifier for IPv6 + * **x:x:x:x** - Specify interface identifier for IPv6 + +.. cfgcmd:: set vpn sstp ppp-options ipv6-interface-id + + Specifies peer interface identifier for IPv6. By default is fixed. + + * **random** - Random interface identifier for IPv6 + * **x:x:x:x** - Specify interface identifier for IPv6 + * **ipv4-addr** - Calculate interface identifier from IPv4 address. + * **calling-sid** - Calculate interface identifier from calling-station-id. + .. cfgcmd:: set vpn sstp ppp-options lcp-echo-failure Defines the maximum `` of unanswered echo requests. Upon reaching the - value ``, the session will be reset. + value ``, the session will be reset. Default value is **3**. .. cfgcmd:: set vpn sstp ppp-options lcp-echo-interval If this option is specified and is greater than 0, then the PPP module will send LCP pings of the echo request every `` seconds. + Default value is **30**. .. cfgcmd:: set vpn sstp ppp-options lcp-echo-timeout Specifies timeout in seconds to wait for any peer activity. If this option specified it turns on adaptive lcp echo functionality and "lcp-echo-failure" - is not used. + is not used. Default value is **0**. + +.. cfgcmd:: set vpn sstp ppp-options min-mtu + + Defines minimum acceptable MTU. If client will try to negotiate less then + specified MTU then it will be NAKed or disconnected if rejects greater MTU. + Default value is **100**. .. cfgcmd:: set vpn sstp ppp-options mppe - Specifies :abbr:`MPPE (Microsoft Point-to-Point Encryption)` negotioation + Specifies :abbr:`MPPE (Microsoft Point-to-Point Encryption)` negotiation preference. * **require** - ask client for mppe, if it rejects drop connection - * **prefer** - ask client for mppe, if it rejects don't fail + * **prefer** - ask client for mppe, if it rejects don't fail. (Default value) * **deny** - deny mppe Default behavior - don't ask client for mppe, but allow it if client wants. Please note that RADIUS may override this option by MS-MPPE-Encryption-Policy attribute. +.. cfgcmd:: set vpn sstp ppp-options mru + + Defines preferred MRU. By default is not defined. + RADIUS ------ -- cgit v1.2.3 From 64d4513bc06a4ba610221442ba7e590470beb86d Mon Sep 17 00:00:00 2001 From: Christian Breunig Date: Wed, 7 Feb 2024 21:13:09 +0100 Subject: bgp: T6024: add additional missing FRR features --- docs/configuration/protocols/bgp.rst | 50 ++++++++++++++++++++++++++---------- 1 file changed, 36 insertions(+), 14 deletions(-) (limited to 'docs/configuration') diff --git a/docs/configuration/protocols/bgp.rst b/docs/configuration/protocols/bgp.rst index 8fc69111..3c983aae 100644 --- a/docs/configuration/protocols/bgp.rst +++ b/docs/configuration/protocols/bgp.rst @@ -209,35 +209,35 @@ Defining Peers .. cfgcmd:: set protocols bgp neighbor local-role [strict] - BGP roles are defined in RFC :rfc:`9234` and provide an easy way to - add route leak prevention, detection and mitigation. The local Role - value is negotiated with the new BGP Role capability which has a - built-in check of the corresponding value. In case of a mismatch the + BGP roles are defined in RFC :rfc:`9234` and provide an easy way to + add route leak prevention, detection and mitigation. The local Role + value is negotiated with the new BGP Role capability which has a + built-in check of the corresponding value. In case of a mismatch the new OPEN Roles Mismatch Notification <2, 11> would be sent. The correct Role pairs are: - + Provider - Customer Peer - Peer RS-Server - RS-Client - If :cfgcmd:`strict` is set the BGP session won’t become established - until the BGP neighbor sets local Role on its side. This + If :cfgcmd:`strict` is set the BGP session won’t become established + until the BGP neighbor sets local Role on its side. This configuration parameter is defined in RFC :rfc:`9234` and is used to enforce the corresponding configuration at your counter-parts side. - - Routes that are sent from provider, rs-server, or the peer local-role - (or if received by customer, rs-client, or the peer local-role) will + + Routes that are sent from provider, rs-server, or the peer local-role + (or if received by customer, rs-client, or the peer local-role) will be marked with a new Only to Customer (OTC) attribute. - + Routes with this attribute can only be sent to your neighbor if your local-role is provider or rs-server. Routes with this attribute can - be received only if your local-role is customer or rs-client. - + be received only if your local-role is customer or rs-client. + In case of peer-peer relationship routes can be received only if OTC value is equal to your neighbor AS number. - + All these rules with OTC will help to detect and mitigate route leaks and happen automatically if local-role is set. @@ -584,6 +584,12 @@ General Configuration Common parameters ^^^^^^^^^^^^^^^^^ +.. cfgcmd:: set protocols bgp parameters allow-martian-nexthop + + When a peer receives a martian nexthop as part of the NLRI for a route + permit the nexthop to be used as such, instead of rejecting and resetting + the connection. + .. cfgcmd:: set protocols bgp parameters router-id This command specifies the router-ID. If router ID is not specified it will @@ -598,6 +604,12 @@ Common parameters Path (both AS number and AS path length), Origin code, MED, IGP metric. Also, the next hop address for each path must be different. +.. cfgcmd:: set protocols bgp parameters no-hard-administrative-reset + + Do not send Hard Reset CEASE Notification for "Administrative Reset" + events. When set and Graceful Restart Notification capability is exchanged + between the peers, Graceful Restart procedures apply, and routes will be retained. + .. cfgcmd:: set protocols bgp parameters log-neighbor-changes This command enable logging neighbor up/down changes and reset reason. @@ -643,6 +655,16 @@ Common parameters compatibility with older versions of VyOS. With this option one can enable :rfc:`8212` functionality to operate. +.. cfgcmd:: set protocols bgp parameters labeled-unicast + + By default, locally advertised prefixes use the implicit-null label to + encode in the outgoing NLRI. + + The following command uses the explicit-null label value for all the + BGP instances. + + Administrative Distance ^^^^^^^^^^^^^^^^^^^^^^^ -- cgit v1.2.3 From 6b8c81855959b0b3c9e12530eecd9ba6ca25ad8e Mon Sep 17 00:00:00 2001 From: Christian Breunig Date: Wed, 7 Feb 2024 21:17:56 +0100 Subject: rpki: T6023: add support for CLI knobs expire-interval and retry-interval --- docs/configuration/protocols/rpki.rst | 24 +++++++++++++++++------- 1 file changed, 17 insertions(+), 7 deletions(-) (limited to 'docs/configuration') diff --git a/docs/configuration/protocols/rpki.rst b/docs/configuration/protocols/rpki.rst index 827bfe1a..aeb2941b 100644 --- a/docs/configuration/protocols/rpki.rst +++ b/docs/configuration/protocols/rpki.rst @@ -30,8 +30,8 @@ in :rfc:`8210`. If you are new to these routing security technologies then there is an `excellent guide to RPKI`_ by NLnet Labs which will get you up to speed very quickly. Their documentation explains everything from what RPKI is to - deploying it in production. It also has some - `help and operational guidance`_ including "What can I do about my route + deploying it in production. It also has some + `help and operational guidance`_ including "What can I do about my route having an Invalid state?" *************** @@ -109,6 +109,20 @@ Configuration The default value is 300 seconds. +.. cfgcmd:: set protocols rpki expire-interval <600-172800> + + Set the number of seconds the router waits until the router + expires the cache. + + The default value is 7200 seconds. + +.. cfgcmd:: set protocols rpki retry-interval <1-7200> + + Set the number of seconds the router waits until retrying to connect + to the cache server. + + The default value is 600 seconds. + .. cfgcmd:: set protocols rpki cache
port Defined the IPv4, IPv6 or FQDN and port number of the caching RPKI caching @@ -136,10 +150,6 @@ the connection. SSH username to establish an SSH connection to the cache server. -.. cfgcmd:: set protocols rpki cache
ssh known-hosts-file - - Local path that includes the known hosts file. - .. cfgcmd:: set protocols rpki cache
ssh private-key-file Local path that includes the private key file of the router. @@ -148,7 +158,7 @@ the connection. Local path that includes the public key file of the router. -.. note:: When using SSH, known-hosts-file, private-key-file and public-key-file +.. note:: When using SSH, private-key-file and public-key-file are mandatory options. ******* -- cgit v1.2.3 From c857be8ce1474b56711db76170ab7494771c2202 Mon Sep 17 00:00:00 2001 From: Christian Breunig Date: Sat, 10 Feb 2024 10:01:44 +0100 Subject: srv6: T5849: add segment support to "protocols static route6" --- docs/configuration/protocols/static.rst | 35 ++++++++++++++++++++++++++++++++- 1 file changed, 34 insertions(+), 1 deletion(-) (limited to 'docs/configuration') diff --git a/docs/configuration/protocols/static.rst b/docs/configuration/protocols/static.rst index 1ad252e7..bfc25201 100644 --- a/docs/configuration/protocols/static.rst +++ b/docs/configuration/protocols/static.rst @@ -59,6 +59,29 @@ Static Routes .. note:: Routes with a distance of 255 are effectively disabled and not installed into the kernel. +.. cfgcmd:: set protocols static route6 next-hop
segments + + It is possible to specify a static route for ipv6 prefixes using an SRv6 segments + instruction. The `/` separator can be used to specify multiple segment instructions. + + Example: + + .. code-block:: none + + set protocols static route6 2001:db8:1000::/36 next-hop 2001:db8:201::ffff segments '2001:db8:aaaa::7/2002::4/2002::3/2002::2' + + .. code-block:: none + + vyos@vyos:~$ show ipv6 route + Codes: K - kernel route, C - connected, S - static, R - RIPng, + O - OSPFv3, I - IS-IS, B - BGP, N - NHRP, T - Table, + v - VNC, V - VNC-Direct, A - Babel, F - PBR, + f - OpenFabric, + > - selected route, * - FIB route, q - queued, r - rejected, b - backup + t - trapped, o - offload failure + C>* 2001:db8:201::/64 is directly connected, eth0.201, 00:00:46 + S>* 2001:db8:1000::/36 [1/0] via 2001:db8:201::ffff, eth0.201, seg6 2001:db8:aaaa::7,2002::4,2002::3,2002::2, weight 1, 00:00:08 + Interface Routes ================ @@ -103,6 +126,17 @@ Interface Routes Range is 1 to 255, default is 1. +.. cfgcmd:: set protocols static route6 interface + segments + + It is possible to specify a static route for ipv6 prefixes using an SRv6 segments + instruction. The `/` separator can be used to specify multiple segment instructions. + + Example: + + .. code-block:: none + + set protocols static route6 2001:db8:1000::/36 interface eth0 segments '2001:db8:aaaa::7/2002::4/2002::3/2002::2' Blackhole ========= @@ -133,7 +167,6 @@ Blackhole Defines blackhole distance for this route, routes with smaller administrative distance are elected prior to those with a higher distance. - Alternate Routing Tables ======================== -- cgit v1.2.3 From 25b9e5f1ff2aaffb40a03b2c6e20327e39c41eba Mon Sep 17 00:00:00 2001 From: khramshinr Date: Mon, 12 Feb 2024 19:12:01 +0700 Subject: T6020:vrrp health-check script not applied correctly in keepalived.conf New path was added to sync-group config tree --- docs/configuration/highavailability/index.rst | 10 ++++++++++ 1 file changed, 10 insertions(+) (limited to 'docs/configuration') diff --git a/docs/configuration/highavailability/index.rst b/docs/configuration/highavailability/index.rst index 7f06faa8..9158ac1d 100644 --- a/docs/configuration/highavailability/index.rst +++ b/docs/configuration/highavailability/index.rst @@ -318,6 +318,16 @@ times: set high-availability vrrp group Foo health-check interval 60 set high-availability vrrp group Foo health-check failure-count 3 +When the vrrp group is a member of the sync group will use only +the sync group health check script. +This example shows how to configure it for the sync group: + +.. code-block:: none + + set high-availability vrrp sync-group Bar health-check script /config/scripts/vrrp-check.sh + set high-availability vrrp sync-group Bar health-check interval 60 + set high-availability vrrp sync-group Bar health-check failure-count 3 + Transition scripts ^^^^^^^^^^^^^^^^^^ -- cgit v1.2.3 From c9c5ac5cc8f74f2f20d72cd42a4d84e7d280e407 Mon Sep 17 00:00:00 2001 From: cfouche <51720655+cfouche3005@users.noreply.github.com> Date: Wed, 14 Feb 2024 20:02:11 +0100 Subject: fix a forgotten "set" --- docs/configuration/container/index.rst | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'docs/configuration') diff --git a/docs/configuration/container/index.rst b/docs/configuration/container/index.rst index 670ca29f..adccd92b 100644 --- a/docs/configuration/container/index.rst +++ b/docs/configuration/container/index.rst @@ -117,7 +117,7 @@ Configuration Add a host device to the container. -.. cfgcmd:: container name cap-add +.. cfgcmd:: set container name cap-add Set container capabilities or permissions. -- cgit v1.2.3 From e50b510c0c5c980047bd77775a0c4d763aaa838b Mon Sep 17 00:00:00 2001 From: rebortg Date: Wed, 14 Feb 2024 21:37:56 +0100 Subject: Added information related to root-partition-auto-resize --- docs/configuration/system/option.rst | 5 +++++ 1 file changed, 5 insertions(+) (limited to 'docs/configuration') diff --git a/docs/configuration/system/option.rst b/docs/configuration/system/option.rst index 4a1c3bd3..788765f0 100644 --- a/docs/configuration/system/option.rst +++ b/docs/configuration/system/option.rst @@ -22,6 +22,11 @@ General Play an audible beep to the system speaker when system is ready. +.. cfgcmd:: set system option root-partition-auto-resize + + Enables the root partition auto-extension and resizes to the maximum + available space on system boot. + Kernel ====== -- cgit v1.2.3 From 7a6cc0cf0ff081b4367c212821c7bf125bbb7427 Mon Sep 17 00:00:00 2001 From: Christian Breunig Date: Fri, 16 Feb 2024 08:51:52 +0100 Subject: T6001: add option to disable next-hop-tracking resolve-via-default --- docs/configuration/system/ip.rst | 13 +++++++++++++ docs/configuration/system/ipv6.rst | 13 +++++++++++++ 2 files changed, 26 insertions(+) (limited to 'docs/configuration') diff --git a/docs/configuration/system/ip.rst b/docs/configuration/system/ip.rst index 0f45b7ca..279630e2 100644 --- a/docs/configuration/system/ip.rst +++ b/docs/configuration/system/ip.rst @@ -43,6 +43,19 @@ can be used to filter which routes zebra will install in the kernel. .. note:: If you choose any as the option that will cause all protocols that are sending routes to zebra. +Nexthop Tracking +^^^^^^^^^^^^^^^^ + +Nexthop tracking resolve nexthops via the default route by default. This is enabled +by default for a traditional profile of FRR which we use. It and can be disabled if +you do not wan't to e.g. allow BGP to peer across the default route. + +.. cfgcmd:: set system ip nht no-resolve-via-default + + Do not allow IPv4 nexthop tracking to resolve via the default route. This + parameter is configured per-VRF, so the command is also available in the VRF + subnode. + Operational commands -------------------- diff --git a/docs/configuration/system/ipv6.rst b/docs/configuration/system/ipv6.rst index c7308f9d..d8d3c4c9 100644 --- a/docs/configuration/system/ipv6.rst +++ b/docs/configuration/system/ipv6.rst @@ -39,6 +39,19 @@ can be used to filter which routes zebra will install in the kernel. .. note:: If you choose any as the option that will cause all protocols that are sending routes to zebra. +Nexthop Tracking +^^^^^^^^^^^^^^^^ + +Nexthop tracking resolve nexthops via the default route by default. This is enabled +by default for a traditional profile of FRR which we use. It and can be disabled if +you do not wan't to e.g. allow BGP to peer across the default route. + +.. cfgcmd:: set system ipv6 nht no-resolve-via-default + + Do not allow IPv6 nexthop tracking to resolve via the default route. This + parameter is configured per-VRF, so the command is also available in the VRF + subnode. + Operational commands -------------------- -- cgit v1.2.3 From abaf9814502b931fa81b4af9b3953880825b57f4 Mon Sep 17 00:00:00 2001 From: Christian Breunig Date: Fri, 16 Feb 2024 08:52:05 +0100 Subject: T6001: add option to disable next-hop-tracking resolve-via-default in VRF context --- docs/configuration/vrf/index.rst | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) (limited to 'docs/configuration') diff --git a/docs/configuration/vrf/index.rst b/docs/configuration/vrf/index.rst index bd482cd9..67eba886 100644 --- a/docs/configuration/vrf/index.rst +++ b/docs/configuration/vrf/index.rst @@ -67,6 +67,25 @@ can be used to filter which routes zebra will install in the kernel. .. note:: If you choose any as the option that will cause all protocols that are sending routes to zebra. +Nexthop Tracking +---------------- + +Nexthop tracking resolve nexthops via the default route by default. This is enabled +by default for a traditional profile of FRR which we use. It and can be disabled if +you do not wan't to e.g. allow BGP to peer across the default route. + +.. cfgcmd:: set vrf name ip nht no-resolve-via-default + + Do not allow IPv4 nexthop tracking to resolve via the default route. This + parameter is configured per-VRF, so the command is also available in the VRF + subnode. + +.. cfgcmd:: set vrf name ipv6 nht no-resolve-via-default + + Do not allow IPv4 nexthop tracking to resolve via the default route. This + parameter is configured per-VRF, so the command is also available in the VRF + subnode. + Interfaces ---------- -- cgit v1.2.3 From e6b534942b8eaedfc3a6290f97d0040e61179b79 Mon Sep 17 00:00:00 2001 From: Christian Breunig Date: Fri, 16 Feb 2024 14:33:15 +0100 Subject: login: T5972: add possibility to disable individual local user accounts --- docs/configuration/system/login.rst | 4 ++++ 1 file changed, 4 insertions(+) (limited to 'docs/configuration') diff --git a/docs/configuration/system/login.rst b/docs/configuration/system/login.rst index 98e05cdd..09e27c53 100644 --- a/docs/configuration/system/login.rst +++ b/docs/configuration/system/login.rst @@ -34,6 +34,10 @@ Local Setup encrypted password for given username. This is useful for transferring a hashed password from system to system. +.. cfgcmd:: set system login user disable + + Disable (lock) account. User will not be able to log in. + .. _ssh_key_based_authentication: Key Based Authentication -- cgit v1.2.3 From e93c4723c7667864867cfbffb74c7239cbee9e6c Mon Sep 17 00:00:00 2001 From: srividya0208 Date: Tue, 20 Feb 2024 12:05:12 -0500 Subject: Op-mode:Added information about import to pki functionality --- docs/configuration/pki/index.rst | 33 +++++++++++++++++++++++++++++++-- 1 file changed, 31 insertions(+), 2 deletions(-) (limited to 'docs/configuration') diff --git a/docs/configuration/pki/index.rst b/docs/configuration/pki/index.rst index 1fea13ac..a42e286e 100644 --- a/docs/configuration/pki/index.rst +++ b/docs/configuration/pki/index.rst @@ -118,12 +118,12 @@ OpenVPN .. opcmd:: generate pki openvpn shared-secret - Genearate a new OpenVPN shared secret. The generated secred is the output to + Genearate a new OpenVPN shared secret. The generated secret is the output to the console. .. opcmd:: generate pki openvpn shared-secret install - Genearate a new OpenVPN shared secret. The generated secred is the output to + Genearate a new OpenVPN shared secret. The generated secret is the output to the console. .. include:: pki_cli_import_help.txt @@ -248,6 +248,35 @@ certificates used by services on this router. If CA is present, this certificate will be included in generated CRLs +Import files to PKI format +-------------------------- +VyOS provides this utility to import existing certificates/key files directly +into PKI from op-mode. Previous to VyOS 1.4, certificates were stored under the +/config folder permanently and will be retained post upgrade. + +.. opcmd:: import pki ca file + + Import the public CA certificate from the defined file to VyOS CLI. + +.. opcmd:: import pki ca key-file + + Import the CAs private key portion to the CLI. This should never leave the + system as it is used to decrypt the data. The key is required if you use + VyOS as your certificate generator. + +.. opcmd:: import pki certificate file + + Import the certificate from the file to VyOS CLI. + +.. opcmd:: import pki certificate key-file + + Import the private key of the certificate to the VyOS CLI. This should never + leave the system as it is used to decrypt the data. + +.. opcmd:: import pki openvpn shared-secret file + + Import the OpenVPN shared secret stored in file to the VyOS CLI. + ACME ^^^^ -- cgit v1.2.3 From 4dd84a7c4d784229209eeb4b0d72457b094e08ce Mon Sep 17 00:00:00 2001 From: aapostoliuk Date: Wed, 21 Feb 2024 16:57:34 +0200 Subject: Rewritten the L2TP documentation Rewritten the L2TP documentation Added the example 'PPPoE over L2TP' to blueprints --- docs/_static/images/lac-lns-diagram.jpg | Bin 0 -> 35665 bytes docs/_static/images/lac-lns-winclient.jpg | Bin 0 -> 90842 bytes docs/configexamples/index.rst | 1 + docs/configexamples/lac-lns.rst | 169 +++++++++ docs/configuration/vpn/l2tp.rst | 551 ++++++++++++++++++++++++------ 5 files changed, 616 insertions(+), 105 deletions(-) create mode 100644 docs/_static/images/lac-lns-diagram.jpg create mode 100644 docs/_static/images/lac-lns-winclient.jpg create mode 100644 docs/configexamples/lac-lns.rst (limited to 'docs/configuration') diff --git a/docs/_static/images/lac-lns-diagram.jpg b/docs/_static/images/lac-lns-diagram.jpg new file mode 100644 index 00000000..4463a3c3 Binary files /dev/null and b/docs/_static/images/lac-lns-diagram.jpg differ diff --git a/docs/_static/images/lac-lns-winclient.jpg b/docs/_static/images/lac-lns-winclient.jpg new file mode 100644 index 00000000..9fa99152 Binary files /dev/null and b/docs/_static/images/lac-lns-winclient.jpg differ diff --git a/docs/configexamples/index.rst b/docs/configexamples/index.rst index 7134e14c..d5973eb2 100644 --- a/docs/configexamples/index.rst +++ b/docs/configexamples/index.rst @@ -17,6 +17,7 @@ This chapter contains various configuration examples: wan-load-balancing pppoe-ipv6-basic l3vpn-hub-and-spoke + lac-lns inter-vrf-routing-vrf-lite qos segment-routing-isis diff --git a/docs/configexamples/lac-lns.rst b/docs/configexamples/lac-lns.rst new file mode 100644 index 00000000..b246c4d3 --- /dev/null +++ b/docs/configexamples/lac-lns.rst @@ -0,0 +1,169 @@ +:lastproofread: 2024-02-21 + +.. _examples-lac-lns: + +############### +PPPoE over L2TP +############### + +This document is to describe a basic setup using PPPoE over L2TP. +LAC and LNS are components of the broadband topology. +LAC - L2TP access concentrator +LNS - L2TP Network Server +LAC and LNS forms L2TP tunnel. LAC receives packets from PPPoE clients and +forward them to LNS. LNS is the termination point that comes from PPP packets +from the remote client. + +In this example we use VyOS 1.5 as LNS and Cisco IOS as LAC. +All users with domain **vyos.io** will be tunneled to LNS via L2TP. + +Network Topology +================ + +.. image:: /_static/images/lac-lns-diagram.jpg + :width: 60% + :align: center + :alt: Network Topology Diagram + +Configurations +============== + +LAC +--- + +.. code-block:: none + + aaa new-model + ! + aaa authentication ppp default local + ! + vpdn enable + vpdn aaa attribute nas-ip-address vpdn-nas + ! + vpdn-group LAC + request-dialin + protocol l2tp + domain vyos.io + initiate-to ip 192.168.139.100 + source-ip 192.168.139.101 + local name LAC + l2tp tunnel password 0 test123 + ! + bba-group pppoe MAIN-BBA + virtual-template 1 + ! + interface GigabitEthernet0/0 + description To LNS + ip address 192.168.139.101 255.255.255.0 + duplex auto + speed auto + media-type rj45 + ! + interface GigabitEthernet0/1 + description To PPPoE clients + no ip address + duplex auto + speed auto + media-type rj45 + pppoe enable group MAIN-BBA + ! + +LNS +--- + +.. code-block:: none + + set interfaces ethernet eth0 address '192.168.139.100/24' + set nat source rule 100 outbound-interface name 'eth0' + set nat source rule 100 source address '10.0.0.0/24' + set nat source rule 100 translation address 'masquerade' + set protocols static route 0.0.0.0/0 next-hop 192.168.139.2 + set vpn l2tp remote-access authentication mode 'radius' + set vpn l2tp remote-access authentication radius server 192.168.139.110 key 'radiustest' + set vpn l2tp remote-access client-ip-pool TEST-POOL range '10.0.0.2-10.0.0.100' + set vpn l2tp remote-access default-pool 'TEST-POOL' + set vpn l2tp remote-access gateway-address '10.0.0.1' + set vpn l2tp remote-access lns host-name 'LAC' + set vpn l2tp remote-access lns shared-secret 'test123' + set vpn l2tp remote-access name-server '8.8.8.8' + set vpn l2tp remote-access ppp-options disable-ccp + +.. note:: This setup requires the Compression Control Protocol (CCP) + being disabled, the command ``set vpn l2tp remote-access ppp-options disable-ccp`` + accomplishes that. + +Client +------ + +In this lab we use Windows PPPoE client. + +.. image:: /_static/images/lac-lns-winclient.jpg + :width: 100% + :align: center + :alt: Window PPPoE Client Configuration + +Monitoring +---------- + +Monitoring on LNS side + +.. code-block:: none + + vyos@vyos:~$ show l2tp-server sessions + ifname | username | ip | ip6 | ip6-dp | calling-sid | rate-limit | state | uptime | rx-bytes | tx-bytes + --------+--------------+----------+-----+--------+-----------------+------------+--------+----------+-----------+---------- + l2tp0 | test@vyos.io | 10.0.0.2 | | | 192.168.139.101 | | active | 00:00:35 | 188.4 KiB | 9.3 MiB + +Monitoring on LAC side + +.. code-block:: none + + Router#show pppoe session + 1 session in FORWARDED (FWDED) State + 1 session total + Uniq ID PPPoE RemMAC Port VT VA State + SID LocMAC VA-st Type + 1 1 000c.290b.20a6 Gi0/1 1 N/A FWDED + 0c58.88ac.0001 + + Router#show l2tp + L2TP Tunnel and Session Information Total tunnels 1 sessions 1 + + LocTunID RemTunID Remote Name State Remote Address Sessn L2TP Class/ + Count VPDN Group + 23238 2640 LAC est 192.168.139.100 1 LAC + + LocID RemID TunID Username, Intf/ State Last Chg Uniq ID + Vcid, Circuit + 25641 25822 23238 test@vyos.io, Gi0/1 est 00:05:36 1 + +Monitoring on RADIUS Server side + +.. code-block:: none + + root@Radius:~# cat /var/log/freeradius/radacct/192.168.139.100/detail-20240221 + Wed Feb 21 13:37:17 2024 + User-Name = "test@vyos.io" + NAS-Port = 0 + NAS-Port-Id = "l2tp0" + NAS-Port-Type = Virtual + Service-Type = Framed-User + Framed-Protocol = PPP + Calling-Station-Id = "192.168.139.101" + Called-Station-Id = "192.168.139.100" + Acct-Status-Type = Start + Acct-Authentic = RADIUS + Acct-Session-Id = "45c731e169d9a4f1" + Acct-Session-Time = 0 + Acct-Input-Octets = 0 + Acct-Output-Octets = 0 + Acct-Input-Packets = 0 + Acct-Output-Packets = 0 + Acct-Input-Gigawords = 0 + Acct-Output-Gigawords = 0 + Framed-IP-Address = 10.0.0.2 + NAS-IP-Address = 192.168.139.100 + Event-Timestamp = "Feb 21 2024 13:37:17 UTC" + Tmp-String-9 = "ai:" + Acct-Unique-Session-Id = "ea6a1089816f19c0d0f1819bc61c3318" + Timestamp = 1708522637 diff --git a/docs/configuration/vpn/l2tp.rst b/docs/configuration/vpn/l2tp.rst index ce3b6711..f0c60ec1 100644 --- a/docs/configuration/vpn/l2tp.rst +++ b/docs/configuration/vpn/l2tp.rst @@ -1,30 +1,80 @@ .. _l2tp: +#### L2TP ----- +#### VyOS utilizes accel-ppp_ to provide L2TP server functionality. It can be used with local authentication or a connected RADIUS server. -L2TP over IPsec -=============== - -Example for configuring a simple L2TP over IPsec VPN for remote access (works -with native Windows and Mac VPN clients): +*********************** +Configuring L2TP Server +*********************** .. code-block:: none - set vpn ipsec interface eth0 - - set vpn l2tp remote-access outside-address 192.0.2.2 + set vpn l2tp remote-access authentication mode local + set vpn l2tp remote-access authentication local-users username test password 'test' set vpn l2tp remote-access client-ip-pool L2TP-POOL range 192.168.255.2-192.168.255.254 set vpn l2tp remote-access default-pool 'L2TP-POOL' + set vpn l2tp remote-access outside-address 192.0.2.2 + set vpn l2tp remote-access gateway-address 192.168.255.1 + + +.. cfgcmd:: set vpn l2tp remote-access authentication mode + + Set authentication backend. The configured authentication backend is used + for all queries. + + * **radius**: All authentication queries are handled by a configured RADIUS + server. + * **local**: All authentication queries are handled locally. + +.. cfgcmd:: set vpn l2tp remote-access authentication local-users username password + + + Create `` for local authentication on this system. The users password + will be set to ``. + +.. cfgcmd:: set vpn l2tp remote-access client-ip-pool range + + Use this command to define the first IP address of a pool of + addresses to be given to l2tp clients. If notation ``x.x.x.x-x.x.x.x``, + it must be within a /24 subnet. If notation ``x.x.x.x/x`` is + used there is possibility to set host/netmask. + +.. cfgcmd:: set vpn l2tp remote-access default-pool + + Use this command to define default address pool name. + +.. cfgcmd:: set vpn l2tp remote-access gateway-address + + Specifies single `` IP address to be used as local address of PPP + interfaces. + +***************** +Configuring IPsec +***************** + +.. code-block:: none + + set vpn ipsec interface eth0 set vpn l2tp remote-access ipsec-settings authentication mode pre-shared-secret set vpn l2tp remote-access ipsec-settings authentication pre-shared-secret - set vpn l2tp remote-access authentication mode local - set vpn l2tp remote-access authentication local-users username test password 'test' -In the above example, an external IP of 192.0.2.2 is assumed. + +.. cfgcmd:: set vpn ipsec interface + + Use this command to define IPsec interface. + +.. cfgcmd:: set vpn l2tp remote-access ipsec-settings authentication mode + + Set mode for IPsec authentication between VyOS and L2TP clients. + +.. cfgcmd:: set vpn l2tp remote-access ipsec-settings authentication mode + + Set predefined shared secret phrase. + If a local firewall policy is in place on your external interface you will need to allow the ports below: @@ -64,156 +114,150 @@ To allow VPN-clients access via your external address, a NAT rule is required: set nat source rule 110 source address '192.168.255.0/24' set nat source rule 110 translation address masquerade +********************************* +Configuring RADIUS authentication +********************************* -VPN-clients will request configuration parameters, optionally you can DNS -parameter to the client. +To enable RADIUS based authentication, the authentication mode needs to be +changed within the configuration. Previous settings like the local users, still +exists within the configuration, however they are not used if the mode has been +changed from local to radius. Once changed back to local, it will use all local +accounts again. .. code-block:: none - set vpn l2tp remote-access name-server '198.51.100.8' - set vpn l2tp remote-access name-server '198.51.100.4' - -Established sessions can be viewed using the **show l2tp-server sessions** -operational command + set vpn l2tp remote-access authentication mode radius -.. code-block:: none +.. cfgcmd:: set vpn l2tp remote-access authentication radius server key - vyos@vyos:~$ show l2tp-server sessions - ifname | username | ip | ip6 | ip6-dp | calling-sid | rate-limit | state | uptime | rx-bytes | tx-bytes - --------+----------+---------------+-----+--------+-------------+------------+--------+----------+----------+---------- - l2tp0 | test | 192.168.255.3 | | | 192.168.0.36 | | active | 02:01:47 | 7.7 KiB | 1.2 KiB + Configure RADIUS `` and its required shared `` for + communicating with the RADIUS server. +Since the RADIUS server would be a single point of failure, multiple RADIUS +servers can be setup and will be used subsequentially. +For example: +.. code-block:: none -LNS (L2TP Network Server) -========================= + set vpn l2tp remote-access authentication radius server 10.0.0.1 key 'foo' + set vpn l2tp remote-access authentication radius server 10.0.0.2 key 'foo' -LNS are often used to connect to a LAC (L2TP Access Concentrator). +.. note:: Some RADIUS_ severs use an access control list which allows or denies + queries, make sure to add your VyOS router to the allowed client list. -Below is an example to configure a LNS: +RADIUS source address +===================== -.. code-block:: none +If you are using OSPF as IGP, always the closest interface connected to the +RADIUS server is used. With VyOS 1.2 you can bind all outgoing RADIUS requests +to a single source IP e.g. the loopback interface. - set vpn l2tp remote-access outside-address 192.0.2.2 - set vpn l2tp remote-access client-ip-pool L2TP-POOL range 192.168.255.2-192.168.255.254 - set vpn l2tp remote-access default-pool 'L2TP-POOL' - set vpn l2tp remote-access lns shared-secret 'secret' - set vpn l2tp remote-access ppp-options disable-ccp - set vpn l2tp remote-access authentication mode local - set vpn l2tp remote-access authentication local-users username test password 'test' +.. cfgcmd:: set vpn l2tp remote-access authentication radius source-address
-The example above uses 192.0.2.2 as external IP address. A LAC normally requires -an authentication password, which is set in the example configuration to -``lns shared-secret 'secret'``. This setup requires the Compression Control -Protocol (CCP) being disabled, the command ``set vpn l2tp remote-access -ccp-disable`` accomplishes that. + Source IPv4 address used in all RADIUS server queires. +.. note:: The ``source-address`` must be configured on one of VyOS interface. + Best practice would be a loopback or dummy interface. -Bandwidth Shaping -================= +RADIUS advanced options +======================= -Bandwidth rate limits can be set for local users or via RADIUS based attributes. +.. cfgcmd:: set vpn l2tp remote-access authentication radius server port -Bandwidth Shaping for local users -^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + Configure RADIUS `` and its required port for authentication requests. -The rate-limit is set in kbit/sec. +.. cfgcmd:: set vpn l2tp remote-access authentication radius server fail-time