VyOS User Guide


Source: https://wiki.vyos.net/wiki/User_Guide


The VyOS User Guide is focused on providing a general overview of the installation, configuration, and operation of the VyOS network operating system.

Introduction

VyOS is a Linux-based network operating system that provides software-based network routing, firewall, and VPN functionality.

The VyOS project was started in late 2013 as a community fork of the GPL portions of Vyatta Core 6.6R1 with the goal of maintaining a free and open source network operating system in response to the decision to discontinue the community edition of Vyatta. Everyone is welcome to learn here, long-time operators and new users alike.

VyOS is primarily based on Debian GNU/Linux and the Quagga routing engine. Its configuration syntax and command-line interface are loosely derived from Juniper JUNOS as modeled by the XORP project (which was the original routing engine Vyatta was based upon). Vyatta changed to the Quagga routing engine for release 4.0.

Installation

The latest ISO image for VyOS can be downloaded at www.vyos.net.

The recommended system requirements are 512MB RAM and 2GB storage.

The VyOS ISO is a Live CD and will boot to a functional VyOS image. To log in to the system, use the default username and password vyos:vyos.

Linux vyatta 3.3.8-1-amd64-vyatta #1 SMP Wed Oct 30 22:54:40 CET 2013 x86_64
Welcome to VyOS.
This system is open-source software. The exact distribution terms for each module comprising the full system are described in the individual files in /usr/share/doc/*/copyright.
Last login: Wed Dec 11 17:33:09 2013
vyos@vyos:~$

Unlike general purpose Linux distributions, VyOS uses "image installation" that mimics the user experience of traditional hardware routers and allows you to keep multiple VyOS versions on the same machine and switch to a previous version if something breaks after upgrade. Every version is contained in its own squashfs image that is mounted in a union filesystem together with a directory for mutable data (configs etc.).

Note: older versions used to support non-image installation (the "install system" command). It has been deprecated since image installation was introduced (long before the fork), and it does not provide any version management capabilities. You should not use it for new installations even if it is still available in new versions. You need not worry about older systems installed that way, though: they can be upgraded with "add system image".

To install VyOS, run install image.

vyos@vyos:~$ install image
Welcome to the VyOS install program. This script
will walk you through the process of installing the
VyOS image to a local hard drive.
Would you like to continue? (Yes/No) [Yes]: [return]
Probing drives: OK
Looking for pre-existing RAID groups...none found.
The VyOS image will require a minimum 1000MB root.
Would you like me to try to partition a drive automatically
or would you rather partition it manually with parted? If
you have already setup your partitions, you may skip this step

Partition (Auto/Parted/Skip) [Auto]: [return]

I found the following drives on your system:
 sda    2147MB

Install the image on? [sda]: [return]

This will destroy all data on /dev/sda.
Continue? (Yes/No) [No]: Yes

How big of a root partition should I create? (1000MB - 2147MB) [2147]MB: [return]

Creating filesystem on /dev/sda1: OK
Done!

Mounting /dev/sda1...
What would you like to name this image? [VyOS_999.hydrogen.11291501]:
OK.  This image will be named: VyOS_999.hydrogen.11291501
Copying squashfs image...
Copying kernel and initrd images...
Done!

I found the following configuration files:
    /config/config.boot
    /opt/vyatta/etc/config.boot.default
Which one should I copy to sda? [/config/config.boot]: [return]

Copying /config/config.boot to sda.
Enter password for administrator account
Enter password for user 'vyos': <removed>
Retype password for user 'vyos': <removed>
I need to install the GRUB boot loader.
I found the following drives on your system:
 sda    2147MB

Which drive should GRUB modify the boot partition on? [sda]: [return]

Setting up grub: OK
Done!
vyos@vyos:~$

After the installation is complete, remove the Live CD and reboot the system:

vyos@vyos:~$ reboot
Proceed with reboot? (Yes/No) [No] Yes
vyos@vyos:~$

Using the Command-Line Interface

The VyOS CLI comprises an operational mode and a configuration mode.

Operational mode allows for commands to perform operational system tasks and view system and service status, while configuration mode allows for the modification of system configuration. The command tree page lists available commands and their functions.

The CLI provides a built-in help system. In the CLI the [?] key may be used to display available commands. The [tab] key can be used to auto-complete commands and will present the help system upon a conflict or unknown value.

For example, typing sh followed by the [tab] key will complete to show. Pressing [tab] a second time will display the possible sub-commands of the show command.

vyos@vyos:~$ s[tab]
set   show
vyos@vyos:~$

Example showing possible show commands:

vyos@vyos:~$ show [tab]
Possible completions:
  arp           Show Address Resolution Protocol (ARP) information
  bridge        Show bridging information
  cluster       Show clustering information
  configuration Show running configuration
  conntrack     Show conntrack entries in the conntrack table
  conntrack-sync
                Show connection syncing information
  date          Show system date and time
  dhcp          Show Dynamic Host Configuration Protocol (DHCP) information
  dhcpv6        Show status related to DHCPv6
  disk          Show status of disk device
  dns           Show Domain Name Server (DNS) information
  file          Show files for a particular image
  firewall      Show firewall information
  flow-accounting
                Show flow accounting statistics
  hardware      Show system hardware details
  history       show command history
  host          Show host information
  incoming      Show ethernet input-policy information
: q
vyos@vyos:~$

When the output of a command results in more lines than can be displayed on the terminal screen, the output is paginated, as indicated by a : prompt.

When viewing in page mode the following commands are available:

  • [q] key can be used to cancel output
  • [space] will scroll down one page
  • [b] will scroll back one page
  • [return] will scroll down one line
  • [up-arrow] and [down-arrow] will scroll up or down one line at a time respectively
  • [left-arrow] and [right-arrow] can be used to scroll left or right in the event that the output has lines which exceed the terminal size.

To enter configuration mode use the configure command:

vyos@vyos:~$ configure
[edit]
vyos@vyos:~#

Note that the prompt changes from $ to #. To exit configuration mode, type exit.

vyos@vyos:~# exit
exit
vyos@vyos:~$

See the configuration section of this document for more information on configuration mode.

Quick Start Guide

Below is a very basic configuration example that will provide a NAT gateway for a device with two interfaces.

Enter configuration mode:

vyos@vyos$ configure
vyos@vyos#

Configure network interfaces:

set interfaces ethernet eth0 address dhcp
set interfaces ethernet eth0 description 'OUTSIDE'
set interfaces ethernet eth1 address '192.168.0.1/24'
set interfaces ethernet eth1 description 'INSIDE'

Enable SSH for remote management:

set service ssh port '22'

Configure Source NAT for our "Inside" network.

set nat source rule 100 outbound-interface 'eth0'
set nat source rule 100 source address '192.168.0.0/24'
set nat source rule 100 translation address masquerade

Configure a DHCP Server:

set service dhcp-server disabled 'false'
set service dhcp-server shared-network-name LAN subnet 192.168.0.0/24 default-router '192.168.0.1'
set service dhcp-server shared-network-name LAN subnet 192.168.0.0/24 dns-server '192.168.0.1'
set service dhcp-server shared-network-name LAN subnet 192.168.0.0/24 domain-name 'internal-network'
set service dhcp-server shared-network-name LAN subnet 192.168.0.0/24 lease '86400'
set service dhcp-server shared-network-name LAN subnet 192.168.0.0/24 start 192.168.0.9 stop '192.168.0.254'

And a DNS forwarder:

set service dns forwarding cache-size '0'
set service dns forwarding listen-on 'eth1'
set service dns forwarding name-server '8.8.8.8'
set service dns forwarding name-server '8.8.4.4'

Add a set of firewall policies for our "Outside" interface:

set firewall name OUTSIDE-IN default-action 'drop'
set firewall name OUTSIDE-IN rule 10 action 'accept'
set firewall name OUTSIDE-IN rule 10 state established 'enable'
set firewall name OUTSIDE-IN rule 10 state related 'enable'
set firewall name OUTSIDE-LOCAL default-action 'drop'
set firewall name OUTSIDE-LOCAL rule 10 action 'accept'
set firewall name OUTSIDE-LOCAL rule 10 state established 'enable'
set firewall name OUTSIDE-LOCAL rule 10 state related 'enable'
set firewall name OUTSIDE-LOCAL rule 20 action 'accept'
set firewall name OUTSIDE-LOCAL rule 20 icmp type-name 'echo-request'
set firewall name OUTSIDE-LOCAL rule 20 protocol 'icmp'
set firewall name OUTSIDE-LOCAL rule 20 state new 'enable'
set firewall name OUTSIDE-LOCAL rule 30 action 'drop'
set firewall name OUTSIDE-LOCAL rule 30 destination port '22'
set firewall name OUTSIDE-LOCAL rule 30 protocol 'tcp'
set firewall name OUTSIDE-LOCAL rule 30 recent count '4'
set firewall name OUTSIDE-LOCAL rule 30 recent time '60'
set firewall name OUTSIDE-LOCAL rule 30 state new 'enable'
set firewall name OUTSIDE-LOCAL rule 31 action 'accept'
set firewall name OUTSIDE-LOCAL rule 31 destination port '22'
set firewall name OUTSIDE-LOCAL rule 31 protocol 'tcp'
set firewall name OUTSIDE-LOCAL rule 31 state new 'enable'

Apply the firewall policies:

set interfaces ethernet eth0 firewall in name 'OUTSIDE-IN'
set interfaces ethernet eth0 firewall local name 'OUTSIDE-LOCAL'

Commit changes, save the configuration, and exit configuration mode:

vyos@vyos# commit
vyos@vyos# save
Saving configuration to '/config/config.boot'...
Done
vyos@vyos# exit
vyos@vyos$
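The two Quick Start firewall policies evaluated in software, added here as an example (it is not code from the VyOS wiki or project): the rule sets are transcribed from the set commands above, while the packets, their connection-tracking states and the behaviour of the `recent` match in rule 30 are a simplified model written for this page, not the kernel's implementation.

```python
"""First-match evaluation of the Quick Start OUTSIDE-IN / OUTSIDE-LOCAL policies.

Added example, not code from the VyOS wiki or project. The conntrack state of
each packet and the behaviour of the `recent` match are a simplified model
(assumption) written for illustration.
"""
from collections import defaultdict, deque

# Transcription of the Quick Start rule sets: (rule number, match criteria).
# Rules are evaluated in ascending number; the first match decides, and the
# default-action applies when no rule matches.
POLICIES = {
    "OUTSIDE-IN": {
        "default-action": "drop",
        "rules": [
            (10, {"action": "accept", "state": {"established", "related"}}),
        ],
    },
    "OUTSIDE-LOCAL": {
        "default-action": "drop",
        "rules": [
            (10, {"action": "accept", "state": {"established", "related"}}),
            (20, {"action": "accept", "state": {"new"}, "protocol": "icmp",
                  "icmp_type": "echo-request"}),
            (30, {"action": "drop", "state": {"new"}, "protocol": "tcp",
                  "dport": 22, "recent": {"count": 4, "time": 60}}),
            (31, {"action": "accept", "state": {"new"}, "protocol": "tcp",
                  "dport": 22}),
        ],
    },
}


class RecentTracker:
    """Simplified model (assumption) of `recent count N time T`: every packet
    reaching the rule is recorded per source address, and the rule matches
    once that source has more than N hits inside the last T seconds."""

    def __init__(self):
        self.hits = defaultdict(deque)

    def over_limit(self, src, now, count, time):
        window = self.hits[src]
        while window and now - window[0] > time:   # expire hits outside T
            window.popleft()
        window.append(now)
        return len(window) > count


def rule_matches(crit, pkt, recent, now):
    """Every criterion present in the rule must match the packet."""
    if pkt["state"] not in crit["state"]:
        return False
    if "protocol" in crit and crit["protocol"] != pkt["protocol"]:
        return False
    if "icmp_type" in crit and crit["icmp_type"] != pkt.get("icmp_type"):
        return False
    if "dport" in crit and crit["dport"] != pkt.get("dport"):
        return False
    if "recent" in crit:   # consulted only after the static criteria matched
        r = crit["recent"]
        return recent.over_limit(pkt["src"], now, r["count"], r["time"])
    return True


def evaluate(policy_name, pkt, recent, now=0):
    """Return (action, rule number); rule number None means default-action."""
    policy = POLICIES[policy_name]
    for number, crit in sorted(policy["rules"], key=lambda r: r[0]):
        if rule_matches(crit, pkt, recent, now):
            return crit["action"], number
    return policy["default-action"], None


def ssh_burst(attempts, seconds_apart):
    """Actions for `attempts` new SSH connections from one constructed source,
    spaced `seconds_apart`, showing when rule 30 starts dropping them."""
    recent = RecentTracker()
    pkt = {"src": "198.51.100.7", "protocol": "tcp", "dport": 22, "state": "new"}
    return [evaluate("OUTSIDE-LOCAL", pkt, recent, now=i * seconds_apart)[0]
            for i in range(attempts)]


if __name__ == "__main__":
    tracker = RecentTracker()
    unsolicited = {"src": "198.51.100.7", "protocol": "tcp", "dport": 80,
                   "state": "new"}
    print("OUTSIDE-IN, unsolicited TCP/80:", evaluate("OUTSIDE-IN", unsolicited, tracker))
    print("5 SSH attempts in 20 s:", ssh_burst(5, 5))
    print("5 SSH attempts over 2 min:", ssh_burst(5, 30))
```

Swapping rules 30 and 31 in POLICIES shows why the order matters: the accept would then match first and the rate limit would never be consulted.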

Configuration Overview

VyOS makes use of a unified configuration file for all system configuration: config.boot. This allows for easy template creation, backup, and replication of system configuration.

The current configuration can be viewed using the show configuration command.

vyos@vyos:~$ show configuration
interfaces {
    ethernet eth0 {
        address dhcp
        hw-id 00:0c:29:44:3b:0f
    }
    loopback lo {
    }
}
service {
    ssh {
        port 22
    }
}
system {
    config-management {
        commit-revisions 20
    }
    console {
        device ttyS0 {
            speed 9600
        }
    }
    login {
        user vyos {
            authentication {
                encrypted-password ****************
            }
            level admin
        }
    }
    ntp {
        server 0.pool.ntp.org {
        }
        server 1.pool.ntp.org {
        }
        server 2.pool.ntp.org {
        }
    }
    syslog {
        global {
            facility all {
                level notice
            }
            facility protocols {
                level debug
            }
        }
    }
}
vyos@vyos:~$

Because configuration changes are made using set and delete commands, the commands that generate the active configuration can also be displayed using the show configuration commands command.

vyos@vyos:~$ show configuration commands
set interfaces ethernet eth0 address 'dhcp'
set interfaces ethernet eth0 hw-id '00:0c:29:44:3b:0f'
set interfaces loopback 'lo'
set service ssh port '22'
set system config-management commit-revisions '20'
set system console device ttyS0 speed '9600'
set system login user vyos authentication encrypted-password '<removed>'
set system login user vyos level 'admin'
set system ntp server '0.pool.ntp.org'
set system ntp server '1.pool.ntp.org'
set system ntp server '2.pool.ntp.org'
set system syslog global facility all level 'notice'
set system syslog global facility protocols level 'debug'
vyos@vyos:~$
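A parser for the brace-delimited config.boot format that regenerates the equivalent set commands, added here as an example (not VyOS's own tooling) of how the two listings above relate. The sample input is an abridged copy of this page's show configuration listing, and the quoting rule (only the last element of each command single-quoted) is inferred from the two listings.

```python
"""Turn `show configuration` (config.boot brace syntax) back into the
`show configuration commands` form. Added example, not VyOS's own code."""
import shlex

# Constructed sample: an abridged copy of this page's `show configuration`.
SAMPLE_CONFIG = """\
interfaces {
    ethernet eth0 {
        address dhcp
        hw-id 00:0c:29:44:3b:0f
    }
    loopback lo {
    }
}
service {
    ssh {
        port 22
    }
}
system {
    config-management {
        commit-revisions 20
    }
    console {
        device ttyS0 {
            speed 9600
        }
    }
    login {
        user vyos {
            authentication {
                encrypted-password ****************
            }
            level admin
        }
    }
    ntp {
        server 0.pool.ntp.org {
        }
        server 1.pool.ntp.org {
        }
    }
    syslog {
        global {
            facility all {
                level notice
            }
        }
    }
}
"""


def parse_config(text):
    """Parse brace syntax into a nested list of (tokens, children) entries.
    `children` is a list for a node ("ethernet eth0 {" ... "}"), even when it
    is empty, and None for a leaf line such as "address dhcp"."""
    root = []
    stack = [root]
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "}":
            if len(stack) == 1:
                raise ValueError("unbalanced '}'")
            stack.pop()
        elif line.endswith("{"):
            children = []
            stack[-1].append((shlex.split(line[:-1]), children))
            stack.append(children)
        else:
            # shlex keeps quoted values such as "VLAN 100" as one token
            stack[-1].append((shlex.split(line), None))
    if len(stack) != 1:
        raise ValueError("missing '}'")
    return root


def to_set_commands(tree, path=()):
    """Walk the tree; a leaf or an empty node becomes one set command whose
    last element is single-quoted, the way `show configuration commands`
    prints it (quoting rule inferred from this page's two listings)."""
    commands = []
    for tokens, children in tree:
        full = path + tuple(tokens)
        if children:
            commands.extend(to_set_commands(children, full))
        else:
            commands.append("set %s '%s'" % (" ".join(full[:-1]), full[-1]))
    return commands


if __name__ == "__main__":
    print("\n".join(to_set_commands(parse_config(SAMPLE_CONFIG))))
```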

Configuration changes do not take effect until committed using the commit command in configuration mode.

vyos@vyos# commit
[edit]
vyos@vyos# exit
Warning: configuration changes have not been saved.
vyos@vyos:~$

In order to preserve configuration changes across a reboot, the configuration must also be saved once applied. This is done using the save command in configuration mode.

vyos@vyos# save
Saving configuration to '/config/config.boot'...
Done
[edit]
vyos@vyos#

The show command within configuration mode will show the current configuration, indicating line changes with a + for additions and a - for deletions.

vyos@vyos:~$ configure
[edit]
vyos@vyos# show interfaces
 ethernet eth0 {
     address dhcp
     hw-id 00:0c:29:44:3b:0f
 }
 loopback lo {
 }
[edit]
vyos@vyos# set interfaces ethernet eth0 description 'OUTSIDE'
[edit]
vyos@vyos# show interfaces
 ethernet eth0 {
     address dhcp
+    description OUTSIDE
     hw-id 00:0c:29:44:3b:0f
 }
 loopback lo {
 }
[edit]
vyos@vyos#

Configuration mode cannot be exited while uncommitted changes exist. To exit configuration mode without applying changes, the exit discard command can be used.

vyos@vyos# exit
Cannot exit: configuration modified.
Use 'exit discard' to discard the changes and exit.
[edit]
vyos@vyos# exit discard
exit
vyos@vyos:~$

VyOS also maintains backups of previous configurations. To compare configuration revisions in configuration mode, use the compare command:

vyos@vyos# compare [tab]
Possible completions:
  <Enter>       Compare working & active configurations
  saved         Compare working & saved configurations
  <N>           Compare working with revision N
  <N> <M>       Compare revision N with M

Revisions:
  0    2013-12-17 20:01:37 root by boot-config-loader
  1    2013-12-13 15:59:31 root by boot-config-loader
  2    2013-12-12 21:56:22 vyos by cli
  3    2013-12-12 21:55:11 vyos by cli
  4    2013-12-12 21:27:54 vyos by cli
  5    2013-12-12 21:23:29 vyos by cli
  6    2013-12-12 21:13:59 root by boot-config-loader
  7    2013-12-12 16:25:19 vyos by cli
  8    2013-12-12 15:44:36 vyos by cli
  9    2013-12-12 15:42:07 root by boot-config-loader
  10   2013-12-12 15:42:06 root by init

[edit]
vyos@vyos#

You can roll back the configuration using the rollback command; however, this command will currently trigger a system reboot.

vyos@vyos# compare 1
[edit system]
>host-name vyos-1
[edit]
vyos@vyos# rollback 1
Proceed with reboot? [confirm][y]

Broadcast message from root@vyos-1 (pts/0) (Tue Dec 17 21:07:45 2013):

The system is going down for reboot NOW!
[edit]
vyos@vyos#


VyOS also supports saving and loading configuration remotely using SCP, FTP, or TFTP.

vyos@vyos# save [tab]
Possible completions:
  <Enter>       Save to system config file
  <file>        Save to file on local machine
  scp://<user>:<passwd>@<host>/<file>
                Save to file on remote machine
  ftp://<user>:<passwd>@<host>/<file>
                Save to file on remote machine
  tftp://<host>/<file>
                Save to file on remote machine

vyos@vyos# save tftp://192.168.0.100/vyos-test.config.boot
Saving configuration to 'tftp://192.168.0.100/vyos-test.config.boot'...
######################################################################## 100.0%
Done

Network Interfaces

Configured interfaces on a VyOS system can be displayed using the show interfaces command.

vyos@vyos:~$ show interfaces
Codes: S - State, L - Link, u - Up, D - Down, A - Admin Down
Interface        IP Address                        S/L  Description
---------        ----------                        ---  -----------
eth0             172.16.51.129/24                  u/u  OUTSIDE
eth1             192.168.0.1/24                    u/u  INSIDE
lo               127.0.0.1/8                       u/u
                 ::1/128
vyos@vyos:~$

A specific interface can be shown using the show interfaces <type> <name> command.

vyos@vyos:~$ show interfaces ethernet eth0
eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 00:0c:29:44:3b:0f brd ff:ff:ff:ff:ff:ff
    inet 172.16.51.129/24 brd 172.16.51.255 scope global eth0
    inet6 fe80::20c:29ff:fe44:3b0f/64 scope link
       valid_lft forever preferred_lft forever
    Description: OUTSIDE

    RX:  bytes    packets     errors    dropped    overrun      mcast
       274397       3064          0          0          0          0
    TX:  bytes    packets     errors    dropped    carrier collisions
       257276       1890          0          0          0          0
vyos@vyos:~$

Each interface can be configured with a description and address.

set interfaces ethernet eth0 description 'OUTSIDE'
set interfaces ethernet eth0 address 'dhcp'

Different network interfaces provide type-specific configuration. Ethernet interfaces, for example, allow the configuration of speed and duplex.

Many services, such as network routing, firewall, and traffic policy also maintain interface-specific configuration. These will be covered in their respective sections.

Ethernet Interfaces

Ethernet interfaces allow for the configuration of speed, duplex, and hw-id (MAC address). Below is an example configuration:

set interfaces ethernet eth1 address '192.168.0.1/24'
set interfaces ethernet eth1 description 'INSIDE'
set interfaces ethernet eth1 duplex 'auto'
set interfaces ethernet eth1 speed 'auto'

Resulting in:

ethernet eth1 {
    address 192.168.0.1/24
    description INSIDE
    duplex auto
    hw-id 00:0c:29:44:3b:19
    smp_affinity auto
    speed auto
}

In addition, Ethernet interfaces provide the extended operational commands show interfaces ethernet <name> physical and show interfaces ethernet <name> statistics. The statistics available are driver dependent.

vyos@vyos:~$ show interfaces ethernet eth0 physical
Settings for eth0:
        Supported ports: [ TP ]
        Supported link modes:   10baseT/Half 10baseT/Full
                                100baseT/Half 100baseT/Full
                                1000baseT/Full
        Supports auto-negotiation: Yes
        Advertised link modes:  10baseT/Half 10baseT/Full
                                100baseT/Half 100baseT/Full
                                1000baseT/Full
        Advertised pause frame use: No
        Advertised auto-negotiation: Yes
        Speed: 1000Mb/s
        Duplex: Full
        Port: Twisted Pair
        PHYAD: 0
        Transceiver: internal
        Auto-negotiation: on
        MDI-X: Unknown
        Supports Wake-on: d
        Wake-on: d
        Current message level: 0x00000007 (7)
        Link detected: yes
driver: e1000
version: 7.3.21-k8-NAPI
firmware-version:
bus-info: 0000:02:01.0
vyos@vyos:~$ show interfaces ethernet eth0 statistics
NIC statistics:
     rx_packets: 3530
     tx_packets: 2179
[...]

VLAN Sub-Interfaces (802.1Q)

802.1Q VLAN interfaces are represented as virtual sub-interfaces in VyOS. The term used for this is vif. Configuration of a tagged sub-interface is accomplished using the configuration command set interfaces ethernet <name> vif <vlan-id>.

set interfaces ethernet eth1 vif 100 description 'VLAN 100'
set interfaces ethernet eth1 vif 100 address '192.168.100.1/24'

Resulting in:

ethernet eth1 {
    address 192.168.0.1/24
    description INSIDE
    duplex auto
    hw-id 00:0c:29:44:3b:19
    smp_affinity auto
    speed auto
    vif 100 {
        address 192.168.100.1/24
        description "VLAN 100"
    }
}

VLAN interfaces are shown as <name>.<vlan-id>, e.g. eth1.100:

vyos@vyos:~$ show interfaces
Codes: S - State, L - Link, u - Up, D - Down, A - Admin Down
Interface        IP Address                        S/L  Description
---------        ----------                        ---  -----------
eth0             172.16.51.129/24                  u/u  OUTSIDE
eth1             192.168.0.1/24                    u/u  INSIDE
eth1.100         192.168.100.1/24                  u/u  VLAN 100
lo               127.0.0.1/8                       u/u
                 ::1/128

Bridging

Interfaces in VyOS can be bridged together to provide software switching of Layer-2 traffic.

A bridge is created when a bridge interface is defined. In the example below we will be creating a bridge for VLAN 100 and assigning a VIF to the bridge.

set interfaces bridge 'br100'
set interfaces ethernet eth1 vif 100 bridge-group bridge br100

Interfaces assigned to a bridge-group do not have address configuration. An IP address can be assigned to the bridge interface itself, however, like any normal interface.

set interfaces bridge br100 address '192.168.100.1/24'

Example Result:

bridge br100 {
    address 192.168.100.1/24
}
[...]
ethernet eth1 {
    [...]
    vif 100 {
        bridge-group {
            bridge br100
        }
    }
}

In addition to normal IP interface configuration, bridge interfaces support Spanning-Tree Protocol. STP is disabled by default.

NOTE: Please use caution when introducing spanning-tree protocol on a network as it may result in topology changes.

To enable spanning-tree use the set interfaces bridge <name> stp true command:

set interfaces bridge br100 stp true

STP priority, forwarding-delay, hello-time, and max-age can be configured for the bridge-group. The MAC aging time can also be configured using the aging directive.

For member interfaces, the bridge-group priority and cost can be configured.

The show bridge operational command can be used to display configured bridges:

vyos@vyos:~$ show bridge
bridge name     bridge id               STP enabled     interfaces
br100           0000.000c29443b19       yes             eth1.100

If spanning-tree is enabled, the show bridge <name> spanning-tree command can be used to show the STP configuration:

vyos@vyos:~$ show bridge br100 spanning-tree
br100
 bridge id              0000.000c29443b19
 designated root        0000.000c29443b19
 root port                 0                    path cost                  0
 max age                  20.00                 bridge max age            20.00
 hello time                2.00                 bridge hello time          2.00
 forward delay            15.00                 bridge forward delay      15.00
 ageing time             300.00
 hello timer               0.47                 tcn timer                  0.00
 topology change timer     0.00                 gc timer                  64.63
 flags

eth1.100 (1)
 port id                8001                    state                forwarding
 designated root        0000.000c29443b19       path cost                  4
 designated bridge      0000.000c29443b19       message age timer          0.00
 designated port        8001                    forward delay timer        0.00
 designated cost           0                    hold timer                 0.00
 flags

The MAC address table for a bridge can be displayed using the show bridge <name> macs command:

vyos@vyos:~$ show bridge br100 macs
port no mac addr                is local?       ageing timer
  1     00:0c:29:44:3b:19       yes                0.00

Bonding

You can combine (aggregate) 2 or more physical interfaces into a single logical one. It's called bonding, or LAG, or etherchannel, or portchannel.

Create interface bondX, where X is just a number:

set interfaces bonding bond0 description 'my-sw1 int 23 and 24'

You are able to choose a hash policy:

vyos@vyos# set interfaces bonding bond0 hash-policy
Possible completions:
  layer2        use MAC addresses to generate the hash (802.3ad)
  layer2+3      combine MAC address and IP address to make hash
  layer3+4      combine IP address and port to make hash

For example:

set interfaces bonding bond0 hash-policy 'layer2'

You may want to set IEEE 802.3ad Dynamic link aggregation (802.3ad), also known as LACP (don't forget to set it up on the other end of these links as well):

set interfaces bonding bond0 mode '802.3ad'

or some other modes:

vyos@vyos# set interfaces bonding bond0 mode
Possible completions:
  802.3ad       IEEE 802.3ad Dynamic link aggregation (Default)
  active-backup Fault tolerant: only one slave in the bond is active
  broadcast     Fault tolerant: transmits everything on all slave interfaces
  round-robin   Load balance: transmit packets in sequential order
  transmit-load-balance
                Load balance: adapts based on transmit load and speed
  adaptive-load-balance
                Load balance: adapts based on transmit and receive plus ARP
  xor-hash      Load balance: distribute based on MAC address

Now bond some physical interfaces into bond0:

set interfaces ethernet eth0 bond-group 'bond0'
set interfaces ethernet eth0 description 'member of bond0'
set interfaces ethernet eth1 bond-group 'bond0'
set interfaces ethernet eth1 description 'member of bond0'

After a commit you may treat bond0 almost like a physical interface (you can't change its duplex, for example) and assign IPs or VIFs to it.

You may check the result:

vyos@vyos# run sh interfaces bonding
Codes: S - State, L - Link, u - Up, D - Down, A - Admin Down
Interface        IP Address                        S/L  Description
---------        ----------                        ---  -----------
bond0            -                                 u/u  my-sw1 int 23 and 24
bond0.10         192.168.0.1/24                    u/u  office-net
bond0.100        10.10.10.1/24                     u/u  management-net

Tunnel Interfaces

Set up a virtual tunnel interface (VTI):

set interfaces vti vti0 address 192.168.2.249/30

vyos@vyos# show interfaces vti
 vti vti0 {
     address 192.168.2.249/30
     description "Description"
 }

Routing

VyOS is a "router first" network operating system. It supports static routing, policy routing, and dynamic routing using standard protocols (RIP, OSPF, and BGP).

Static

Static routes are manually configured network routes.

A typical use for a static route is a static default route for systems that do not make use of DHCP or dynamic routing protocols:

set protocols static route 0.0.0.0/0 next-hop 203.0.113.1 distance '1'

Producing the following configuration:

static {
    route 0.0.0.0/0 {
        next-hop 203.0.113.1 {
            distance 1
        }
    }
}

Another common use of static routes is to blackhole (drop) traffic. In the example below, the RFC 1918 private IP networks are set as blackhole routes. This does not prevent networks within these ranges from being used, since the most specific route is always used. It does, however, prevent traffic to unknown private networks from leaving the router, which is commonly referred to as leaking.

set protocols static route 10.0.0.0/8 blackhole distance '254'
set protocols static route 172.16.0.0/12 blackhole distance '254'
set protocols static route 192.168.0.0/16 blackhole distance '254'

Resulting configuration:

route 10.0.0.0/8 {
    blackhole {
        distance 254
    }
}
route 172.16.0.0/12 {
    blackhole {
        distance 254
    }
}
route 192.168.0.0/16 {
    blackhole {
        distance 254
    }
}

Note that routes with a distance of 255 are effectively disabled and not installed into the kernel.
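A longest-prefix-match lookup over the static routes above, added as an example (not VyOS or kernel code), showing why the RFC 1918 blackholes catch only destinations that have no more specific route and that a route with distance 255 never enters the table. The connected LAN, the default route and the distance-255 route in the sample table are constructed for illustration.

```python
"""Model of the forwarding table built from the static routes above.
Added example, not VyOS or kernel code."""
import ipaddress

# Constructed table: this page's RFC 1918 blackholes plus, for illustration,
# a connected LAN, the default route from the first static example, and one
# route with distance 255 (which VyOS does not install).
STATIC_ROUTES = [
    # (prefix, next-hop / "blackhole" / connected interface, distance)
    ("0.0.0.0/0", "203.0.113.1", 1),
    ("10.0.0.0/8", "blackhole", 254),
    ("172.16.0.0/12", "blackhole", 254),
    ("192.168.0.0/16", "blackhole", 254),
    ("192.168.0.0/24", "eth1", 0),            # connected LAN (assumed)
    ("192.168.5.0/24", "192.168.0.2", 255),   # disabled by distance 255
]


def build_fib(routes):
    """Install routes: skip distance 255 and keep the lowest distance per
    prefix, the way administrative distance breaks ties between sources."""
    fib = {}
    for prefix, nexthop, distance in routes:
        if distance >= 255:
            continue
        net = ipaddress.ip_network(prefix)
        if net not in fib or distance < fib[net][1]:
            fib[net] = (nexthop, distance)
    return fib


def lookup(fib, destination):
    """Longest-prefix match: of all installed prefixes containing the
    destination, the most specific wins. Returns (prefix, next-hop), or
    None when nothing matches (no default route installed)."""
    addr = ipaddress.ip_address(destination)
    matches = [(net, nexthop) for net, (nexthop, _) in fib.items() if addr in net]
    if not matches:
        return None
    net, nexthop = max(matches, key=lambda m: m[0].prefixlen)
    return str(net), nexthop


def leaks(fib, destination):
    """True when traffic to a private destination would leave through the
    default route, i.e. when no blackhole or more specific route covers it."""
    result = lookup(fib, destination)
    return (result is not None
            and ipaddress.ip_address(destination).is_private
            and result[0] == "0.0.0.0/0")


if __name__ == "__main__":
    fib = build_fib(STATIC_ROUTES)
    for dst in ("192.168.0.50", "192.168.5.9", "10.1.2.3", "8.8.8.8"):
        print(dst, "->", lookup(fib, dst))
    no_blackholes = build_fib([r for r in STATIC_ROUTES if r[1] != "blackhole"])
    print("10.9.9.9 leaks without blackholes:", leaks(no_blackholes, "10.9.9.9"))
```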

RIP

Simple RIP configuration using 2 nodes and redistributing connected interfaces.

Node 1:

set interfaces loopback lo address 1.1.1.1/32
set protocols rip network 192.168.0.0/24
set protocols rip redistribute connected

Node 2:

set interfaces loopback lo address 2.2.2.2/32
set protocols rip network 192.168.0.0/24
set protocols rip redistribute connected


Resulting configuration:

Node 1:

rip {
    network 192.168.0.0/24
    redistribute {
        connected {
        }
    }
}

Node 2:

rip {
    network 192.168.0.0/24
    redistribute {
        connected {
        }
    }
}

OSPF

IPv4

A typical configuration using 2 nodes, redistributing the loopback address, with node 1 originating the default route:

Node 1:

set interfaces loopback lo address 1.1.1.1/32
set protocols ospf area 0 network 192.168.0.0/24
set protocols ospf default-information originate always
set protocols ospf default-information originate metric 10
set protocols ospf default-information originate metric-type 2
set protocols ospf log-adjacency-changes
set protocols ospf parameters router-id 1.1.1.1
set protocols ospf redistribute connected metric-type 2
set protocols ospf redistribute connected route-map CONNECT
set policy route-map CONNECT rule 10 action permit
set policy route-map CONNECT rule 10 match interface lo


Node 2:

set interfaces loopback lo address 2.2.2.2/32
set protocols ospf area 0 network 192.168.0.0/24
set protocols ospf log-adjacency-changes
set protocols ospf parameters router-id 2.2.2.2
set protocols ospf redistribute connected metric-type 2
set protocols ospf redistribute connected route-map CONNECT
set policy route-map CONNECT rule 10 action permit
set policy route-map CONNECT rule 10 match interface lo


Resulting configuration:

Node 1:

ospf {
    area 0 {
        network 192.168.0.0/24
    }
    default-information {
        originate {
            always
            metric 10
            metric-type 2
        }
    }
    log-adjacency-changes {
    }
    parameters {
        router-id 1.1.1.1
    }
    redistribute {
        connected {
            metric-type 2
            route-map CONNECT
        }
    }
}
route-map CONNECT {
    rule 10 {
        action permit
        match {
            interface lo
        }
    }
}


Node 2:

ospf {
    area 0 {
        network 192.168.0.0/24
    }
    log-adjacency-changes {
    }
    parameters {
        router-id 2.2.2.2
    }
    redistribute {
        connected {
            metric-type 2
            route-map CONNECT
        }
    }
}
route-map CONNECT {
    rule 10 {
        action permit
        match {
            interface lo
        }
    }
}

IPv6

A typical configuration using 2 nodes.

Node 1:

set protocols ospfv3 area 0.0.0.0 interface eth1
set protocols ospfv3 area 0.0.0.0 range 2001:db8:1::/64
set protocols ospfv3 parameters router-id 192.168.1.1
set protocols ospfv3 redistribute connected

Node 2:

set protocols ospfv3 area 0.0.0.0 interface eth1
set protocols ospfv3 area 0.0.0.0 range 2001:db8:2::/64
set protocols ospfv3 parameters router-id 192.168.2.1
set protocols ospfv3 redistribute connected

Resulting configuration:

Node 1:

protocols {
    ospfv3 {
        area 0.0.0.0 {
            interface eth1
            range 2001:db8:1::/64 {
            }
        }
        parameters {
            router-id 192.168.1.1
        }
        redistribute {
            connected {
            }
        }
    }
}


Node 2:

protocols {
    ospfv3 {
        area 0.0.0.0 {
            interface eth1
            range 2001:db8:2::/64 {
            }
        }
        parameters {
            router-id 192.168.2.1
        }
        redistribute {
            connected {
            }
        }
    }
}


BGP

IPv4

A simple eBGP configuration:

Node 1:

set protocols bgp 65536 neighbor 192.168.0.2 ebgp-multihop '2'
set protocols bgp 65536 neighbor 192.168.0.2 remote-as '65537'
set protocols bgp 65536 neighbor 192.168.0.2 update-source '192.168.0.1'
set protocols bgp 65536 network '1.0.0.0/16'
set protocols bgp 65536 parameters router-id '192.168.0.1'

Node 2:

set protocols bgp 65537 neighbor 192.168.0.1 ebgp-multihop '2'
set protocols bgp 65537 neighbor 192.168.0.1 remote-as '65536'
set protocols bgp 65537 neighbor 192.168.0.1 update-source '192.168.0.2'
set protocols bgp 65537 network '2.0.0.0/16'
set protocols bgp 65537 parameters router-id '192.168.0.2'


Don't forget: the prefix declared in the network statement MUST exist in your routing table (dynamic or static); the easiest way to guarantee that is to create a static route:

Node 1:

set protocols static route 1.0.0.0/16 blackhole distance '254'


Node 2:

set protocols static route 2.0.0.0/16 blackhole distance '254'


Resulting configuration:

Node 1:

bgp 65536 {
    neighbor 192.168.0.2 {
        ebgp-multihop 2
        remote-as 65537
        update-source 192.168.0.1
    }
    network 1.0.0.0/16 {
    }
    parameters {
        router-id 192.168.0.1
    }
}
static {
    route 1.0.0.0/16 {
        blackhole {
            distance 254
        }
    }
}


Node 2:

bgp 65537 {
    neighbor 192.168.0.1 {
        ebgp-multihop 2
        remote-as 65536
        update-source 192.168.0.2
    }
    network 2.0.0.0/16 {
    }
    parameters {
        router-id 192.168.0.2
    }
}
static {
    route 2.0.0.0/16 {
        blackhole {
            distance 254
        }
    }
}

IPv6

A simple BGP configuration via IPv6.

Node 1:

set protocols bgp 65536 neighbor 2a00:100::2 ebgp-multihop '2'
set protocols bgp 65536 neighbor 2a00:100::2 remote-as '65537'
set protocols bgp 65536 neighbor 2a00:100::2 update-source '2a00:100::1'
set protocols bgp 65536 neighbor 2a00:100::2 address-family ipv6-unicast
set protocols bgp 65536 address-family ipv6-unicast network '2a00:100:1::/48'
set protocols bgp 65536 parameters router-id '1.1.1.1'

Node 2:

set protocols bgp 65537 neighbor 2a00:100::1 ebgp-multihop '2'
set protocols bgp 65537 neighbor 2a00:100::1 remote-as '65536'
set protocols bgp 65537 neighbor 2a00:100::1 update-source '2a00:100::2'
set protocols bgp 65537 neighbor 2a00:100::1 address-family ipv6-unicast
set protocols bgp 65537 address-family ipv6-unicast network '2a00:100:2::/48'
set protocols bgp 65537 parameters router-id '1.1.1.2'


Don't forget: the prefix declared in the network statement MUST exist in your routing table (dynamic or static); the easiest way to guarantee that is to create a static route:

Node 1:

set protocols static route6 2a00:100:1::/48 blackhole distance '254'

Node 2:

set protocols static route6 2a00:100:2::/48 blackhole distance '254'

Resulting configuration:

Node 1:

bgp 65536 {
    neighbor 2a00:100::2 {
        address-family {
            ipv6-unicast {
            }
        }
        ebgp-multihop 2
        remote-as 65537
        update-source 2a00:100::1
    }
    network 2a00:100:1::/48 {
    }
    parameters {
        router-id 1.1.1.1
    }
}
static {
    route6 2a00:100:1::/48 {
        blackhole {
            distance 254
        }
    }
}

Node 2:

bgp 65537 {
    neighbor 2a00:100::1 {
        address-family {
            ipv6-unicast {
            }
        }
        ebgp-multihop 2
        remote-as 65536
        update-source 2a00:100::2
    }
    network 2a00:100:2::/48 {
    }
    parameters {
        router-id 1.1.1.2
    }
}
static {
    route6 2a00:100:2::/48 {
        blackhole {
            distance 254
        }
    }
}

Route Filtering

Route filtering can be applied using a route-map:

Node1:

set policy prefix-list AS65537-IN rule 10 action 'permit'
set policy prefix-list AS65537-IN rule 10 prefix '2.0.0.0/16'
set policy prefix-list AS65537-OUT rule 10 action 'deny'
set policy prefix-list AS65537-OUT rule 10 prefix '2.0.0.0/16'
set policy prefix-list6 AS65537-IN rule 10 action 'permit'
set policy prefix-list6 AS65537-IN rule 10 prefix '2a00:100:2::/48'
set policy prefix-list6 AS65537-OUT rule 10 action 'deny'
set policy prefix-list6 AS65537-OUT rule 10 prefix '2a00:100:2::/48'
set policy route-map AS65537-IN rule 10 action 'permit'
set policy route-map AS65537-IN rule 10 match ip address prefix-list 'AS65537-IN'
set policy route-map AS65537-IN rule 10 match ipv6 address prefix-list 'AS65537-IN'
set policy route-map AS65537-IN rule 20 action 'deny'
set policy route-map AS65537-OUT rule 10 action 'deny'
set policy route-map AS65537-OUT rule 10 match ip address prefix-list 'AS65537-OUT'
set policy route-map AS65537-OUT rule 10 match ipv6 address prefix-list 'AS65537-OUT'
set policy route-map AS65537-OUT rule 20 action 'permit'
set protocols bgp 65536 neighbor 2a00:100::2 route-map export 'AS65537-OUT'
set protocols bgp 65536 neighbor 2a00:100::2 route-map import 'AS65537-IN'

Node2:

set policy prefix-list AS65536-IN rule 10 action 'permit'
set policy prefix-list AS65536-IN rule 10 prefix '1.0.0.0/16'
set policy prefix-list AS65536-OUT rule 10 action 'deny'
set policy prefix-list AS65536-OUT rule 10 prefix '1.0.0.0/16'
set policy prefix-list6 AS65536-IN rule 10 action 'permit'
set policy prefix-list6 AS65536-IN rule 10 prefix '2a00:100:1::/48'
set policy prefix-list6 AS65536-OUT rule 10 action 'deny'
set policy prefix-list6 AS65536-OUT rule 10 prefix '2a00:100:1::/48'
set policy route-map AS65536-IN rule 10 action 'permit'
set policy route-map AS65536-IN rule 10 match ip address prefix-list 'AS65536-IN'
set policy route-map AS65536-IN rule 10 match ipv6 address prefix-list 'AS65536-IN'
set policy route-map AS65536-IN rule 20 action 'deny'
set policy route-map AS65536-OUT rule 10 action 'deny'
set policy route-map AS65536-OUT rule 10 match ip address prefix-list 'AS65536-OUT'
set policy route-map AS65536-OUT rule 10 match ipv6 address prefix-list 'AS65536-OUT'
set policy route-map AS65536-OUT rule 20 action 'permit'
set protocols bgp 65537 neighbor 2a00:100::1 route-map export 'AS65536-OUT'
set protocols bgp 65537 neighbor 2a00:100::1 route-map import 'AS65536-IN'

Rule 20 of each import route-map is a catch-all deny, so any prefix the peer announces that is not explicitly permitted by rule 10, including link-local (fe80::/10) and multicast (ff00::/8) prefixes, is rejected. If rule 20 is ever relaxed, add explicit deny entries for those ranges and for your own address space so they can never be learned from a peer. Be aware that match conditions inside a single route-map rule are combined with AND; if IPv6 prefixes are rejected unexpectedly, split the IPv4 and IPv6 matches into separate route-maps.
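To see exactly what the import policy above admits and rejects, here is an added example that is not part of the VyOS documentation or code base: a small Python model of prefix-list and route-map evaluation, loaded with Node 1's AS65537-IN policy. It assumes the usual Quagga/FRR semantics (entries and rules tried in order, first match wins, implicit deny at the end, and a prefix-list entry without ge/le matching a prefix only exactly); the prefixes fed to it at the bottom are constructed test input.

```python
"""Added example (not VyOS code): a model of how a VyOS/Quagga import policy
evaluates prefix-lists and route-maps, applied to Node 1's AS65537-IN policy."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


@dataclass
class PrefixRule:
    """One 'set policy prefix-list[6] NAME rule N ...' entry."""
    action: str                # 'permit' or 'deny'
    prefix: str                # CIDR prefix the entry is written for
    ge: Optional[int] = None   # optional minimum length (VyOS 'ge')
    le: Optional[int] = None   # optional maximum length (VyOS 'le')

    def matches(self, net: Network) -> bool:
        base = ipaddress.ip_network(self.prefix)
        if base.version != net.version or not net.subnet_of(base):
            return False
        # Without ge/le a prefix-list entry is an exact match, not a covering match.
        low = self.ge if self.ge is not None else base.prefixlen
        if self.le is not None:
            high = self.le
        else:
            high = net.max_prefixlen if self.ge is not None else base.prefixlen
        return low <= net.prefixlen <= high


def prefix_list_apply(entries: List[PrefixRule], net: Network) -> str:
    """First matching entry wins; a prefix that matches no entry is denied."""
    for entry in entries:
        if entry.matches(net):
            return entry.action
    return "deny"


@dataclass
class RouteMapRule:
    """One route-map rule: an action plus optional prefix-list match clauses."""
    action: str
    prefix_list: Optional[str] = None    # 'match ip address prefix-list'
    prefix_list6: Optional[str] = None   # 'match ipv6 address prefix-list'


def route_map_apply(rules: List[RouteMapRule], plists: Dict[str, List[PrefixRule]],
                    plists6: Dict[str, List[PrefixRule]], net: Network) -> str:
    """Rules are tried in order; the first that matches decides; implicit deny at the end.
    Simplification: only the prefix-list of the prefix's own address family is consulted."""
    for rule in rules:
        name = rule.prefix_list6 if net.version == 6 else rule.prefix_list
        table = plists6 if net.version == 6 else plists
        # A rule with no match clause (like rule 20 above) matches everything.
        if name is None or prefix_list_apply(table.get(name, []), net) == "permit":
            return rule.action
    return "deny"


# Node 1's policy from the page, transcribed into the model above.
PLISTS = {"AS65537-IN": [PrefixRule("permit", "2.0.0.0/16")]}
PLISTS6 = {"AS65537-IN": [PrefixRule("permit", "2a00:100:2::/48")]}
AS65537_IN = [
    RouteMapRule("permit", prefix_list="AS65537-IN", prefix_list6="AS65537-IN"),  # rule 10
    RouteMapRule("deny"),                                                         # rule 20
]


def import_decision(prefix: str) -> str:
    """What Node 1 does with a prefix announced by AS65537."""
    return route_map_apply(AS65537_IN, PLISTS, PLISTS6, ipaddress.ip_network(prefix))


if __name__ == "__main__":
    # Constructed test prefixes: the expected prefix, a more-specific, bogons, a default route.
    for p in ["2a00:100:2::/48", "2a00:100:2::/64", "fe80::/10", "ff00::/8", "2.0.0.0/16", "0.0.0.0/0"]:
        print(f"{p:18} -> {import_decision(p)}")
```

The model makes one property of prefix-lists visible that often surprises people: a more-specific announcement such as 2a00:100:2::/64 is rejected, because an entry without ge/le only matches the exact length. If the peer is allowed to announce more-specifics, give the entry an explicit le (for example PrefixRule("permit", "2a00:100:2::/48", le=56)) rather than loosening the catch-all deny.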

Policy Routing

VyOS supports Policy Routing, allowing traffic to be assigned to a different routing table. Traffic can be matched using standard 5-tuple matching (source address, destination address, protocol, source port, destination port).

The following example will show how VyOS can be used to redirect web traffic to an external transparent proxy:

set policy route FILTER-WEB rule 1000 destination port 80
set policy route FILTER-WEB rule 1000 protocol tcp
set policy route FILTER-WEB rule 1000 set table 100

This creates a route policy called?FILTER-WEB?with one rule to set the routing table for matching traffic (TCP port 80) to table ID 100 instead of the default routing table.

To create routing table 100 and add a new default gateway to be used by traffic matching our route policy:

set protocols static table 100 route 0.0.0.0/0 next-hop 10.255.0.2

This can be confirmed using the?show ip route table 100?operational command.

Finally, to apply the policy route to ingress traffic on our LAN interface, we use:

set interfaces ethernet eth1 policy route FILTER-WEB

The route policy functionality in VyOS can also be used to rewrite TCP MSS using the?set policy route <name> rule <rule> set tcp-mss <value>?directive, modify DSCP value using?[...] set dscp <value>, or mark the traffic with an internal ID using?[...] set mark <value>?for further processing (e.g. QOS) on a per-rule basis for matching traffic.

In addition to 5-tuple matching, additional options such as time-based rules, are available. See the built-in help for a complete list of options.

Firewall

VyOS makes use of Linux?netfilter?for packet filtering.

The firewall supports the creation of groups for ports, addresses, and networks (implemented using netfilter ipset) and the option of interface or zone based firewall policy.

Important note on terminology: the firewall uses the directions in, out and local. Users familiar with netfilter often assume that in refers to the INPUT chain and out to the OUTPUT chain. This is not the case: in and out both apply to the FORWARD chain, selected by the input or output interface respectively, while local covers traffic addressed to the router itself (the INPUT chain), selected by the input interface. There is no per-interface rule-set for traffic originating from the router (the OUTPUT chain).

Zone-based Firewall Policy

As an alternative to applying policy to an interface directly, a zone-based firewall can be created to simplify configuration when multiple interfaces belong to the same security zone. Instead of applying rule-sets to interfaces, they are applied to source zone/destination zone pairs.

An introduction to zone-based firewalls can be found here. For an example see Zone-policy example.

Groups

Firewall groups represent collections of IP addresses, networks, or ports. Once created, a group can be referenced by firewall rules as either a source or destination. Members can be added or removed from a group without changes to or the need to reload individual firewall rules. Note that groups can also be referenced by NAT configuration.

While network groups accept IP networks in CIDR notation, a single host can be added as a /32 prefix (for example 192.168.0.10/32). If you foresee the need to mix individual addresses and networks, a network group is recommended.

Here is an example of a network group for the IP networks that make up the internal network:

set firewall group network-group NET-INSIDE network 192.168.0.0/24
set firewall group network-group NET-INSIDE network 192.168.1.0/24

A port group holds only port numbers, not a protocol; the same group can be referenced from either TCP or UDP rules. It is recommended to create separate groups for TCP and UDP ports so that a group intended for one protocol is not accidentally applied to the other. Port ranges can be specified with a -.

Here is an example of a port group for a server:

set firewall group port-group PORT-TCP-SERVER1 port 80
set firewall group port-group PORT-TCP-SERVER1 port 443
set firewall group port-group PORT-TCP-SERVER1 port 5000-5010

Rule-Sets

A rule-set is a named collection of firewall rules that can be applied to an interface or zone. Each rule is numbered, has an action to apply if the rule is matched, and the ability to specify the criteria to match.

Example of a rule-set to filter traffic to the internal network:

set firewall name INSIDE-OUT default-action drop
set firewall name INSIDE-OUT rule 1010 action accept
set firewall name INSIDE-OUT rule 1010 state established enable
set firewall name INSIDE-OUT rule 1010 state related enable
set firewall name INSIDE-OUT rule 1020 action drop
set firewall name INSIDE-OUT rule 1020 state invalid enable

Applying a Rule-Set to an Interface

Once a rule-set is created, it can be applied to an interface. Note only one rule-set can be applied to each interface for?in,?out, or?local?traffic for each protocol (IPv4 and IPv6).

set interfaces ethernet eth1 firewall out name INSIDE-OUT

Applying a Rule-Set to a Zone

A named rule-set can also be applied to a zone relationship (note, zones must first be created):

set zone-policy zone INSIDE from OUTSIDE firewall name INSIDE-OUT

Example Partial Config

firewall {
    all-ping enable
    broadcast-ping disable
    config-trap disable
    group {
        network-group BAD-NETWORKS {
            network 1.2.3.0/24
            network 1.2.4.0/24
        }
        network-group GOOD-NETWORKS {
            network 4.5.6.0/24
            network 4.5.7.0/24
        }
        port-group BAD-PORTS {
            port 65535
        }
    }
    name FROM-INTERNET {
        default-action accept
        description "From the Internet"
        rule 10 {
            action accept
            description "Authorized Networks"
            protocol all
            source {
                group {
                    network-group GOOD-NETWORKS
                }
            }
        }
        rule 11 {
            action drop
            description "Bad Networks"
            protocol all
            source {
                group {
                    network-group BAD-NETWORKS
                }
            }
        }
        rule 30 {
            action drop
            description "BAD PORTS"
            destination {
                group {
                    port-group BAD-PORTS
                }
            }
            log enable
            protocol all
        }
    }
}
interfaces {
    ethernet eth1 {
        address dhcp
        description OUTSIDE
        duplex auto
        firewall {
            in {
                name FROM-INTERNET
            }
        }
    }
}

XFinity Blocked Port List

NAT

Source NAT

Source NAT is typically referred to simply as NAT. To be more correct, what most people refer to as NAT is actually the process of?Port Address Translation (PAT), or?NAT Overload: The process of having many internal host systems communicate to the Internet using a single or subset of IP addresses.

To setup SNAT, we need to know:

  • The internal IP addresses we want to translate
  • The outgoing interface to perform the translation on
  • The external IP address to translate to

In the example used for the Quick Start configuration above, we demonstrate the following configuration:

set nat source rule 100 outbound-interface 'eth0'
set nat source rule 100 source address '192.168.0.0/24'
set nat source rule 100 translation address 'masquerade'

Which generates the following configuration:

rule 100 {
    outbound-interface eth0
    source {
        address 192.168.0.0/24
    }
    translation {
        address masquerade
    }
}

In this example, we use?masquerade?as the translation address instead of an IP address. The?masquerade?target is effectively an alias to say "use whatever IP address is on the outgoing interface", rather than a statically configured IP address. This is useful if you use DHCP for your outgoing interface and do not know what the external address will be.

When NATing a large number of hosts, it is recommended to provide at least one external IP address per 256 hosts. Each address offers roughly 64,000 usable source ports for unique translations, and an average host can be expected to hold 200-300 concurrent sessions, so 256 hosts at that rate already consume most of one address's port space.

Example: For an ~ 8,000 host network a source NAT pool of 32 IP addresses is recommended.

A pool of addresses can be defined by using a?-?in the?set nat source rule [n] translation address?statement.

set nat source rule 100 translation address '203.0.113.32-203.0.113.63'

Note:?Avoiding "Leaky" NAT

Linux netfilter will not NAT traffic whose connection-tracking state is INVALID. This often leads people to believe that Linux (or specifically VyOS) has a broken NAT implementation, because un-NATed packets with internal source addresses are seen leaving the external interface. This is working as intended: a packet capture of the "leaky" traffic will typically show a late TCP RST, FIN/ACK or RST/ACK sent by a client after connection tracking has already considered the connection closed. The most common case is the extra RST some TCP stacks send after tearing down a connection (this is implementation-specific).

In other words, connection tracking has already seen the connection close and has moved the flow to INVALID, which prevents an attacker from reusing a closed flow's translation.

You can avoid the "leaky" behavior by using a firewall policy that drops "invalid" state packets.

Having control over the matching of INVALID state traffic, e.g. the ability to selectively log, is an important troubleshooting tool for observing broken protocol behavior. For this reason, VyOS does not globally drop invalid state traffic, instead allowing the operator to make the determination on how the traffic is handled.

Note:?Avoiding NAT breakage in the absence of split-DNS

A typical problem when combining NAT with publicly hosted servers is that internal systems cannot reach an internal server via its external IP address. The proper solution is split-DNS, which returns the internal address for queries made from inside the network. Because many smaller networks lack DNS infrastructure, a common workaround is to additionally NAT the request from internal hosts so that its source address becomes the address of the firewall's internal interface. This technique is commonly referred to as NAT Reflection or Hairpin NAT. Be aware that the server then sees all such connections as coming from the firewall's address rather than from the real client, so the client address is lost in the server's logs.

In this example, we will be using the example Quick Start configuration above as a starting point.

To setup a NAT reflection rule, we need to create a rule to NAT connections from the internal network to the same internal network to use the source address of the internal interface.

set nat source rule 110 description 'NAT Reflection: INSIDE'
set nat source rule 110 destination address '192.168.0.0/24'
set nat source rule 110 outbound-interface 'eth1'
set nat source rule 110 source address '192.168.0.0/24'
set nat source rule 110 translation address 'masquerade'

Which results in a configuration of:

rule 110 {
    description "NAT Reflection: INSIDE"
    destination {
        address 192.168.0.0/24
    }
    outbound-interface eth1
    source {
        address 192.168.0.0/24
    }
    translation {
        address masquerade
    }
}

Destination NAT

DNAT is typically referred to as a?Port Forward. When using VyOS as a NAT router and firewall, a common configuration task is to redirect incoming traffic to a system behind the firewall.

In this example, we will be using the example Quick Start configuration above as a starting point.

To setup a destination NAT rule we need to gather:

  • The interface traffic will be coming in on
  • The protocol and port we wish to forward
  • The IP address of the internal system we wish to forward traffic to

In our example, we will be forwarding web server traffic to an internal web server on 192.168.0.100.

HTTP traffic makes use of the TCP protocol on port 80.

For other common port numbers, see:?[1]

Our configuration commands would be:

set nat destination rule 10 description 'Port Forward: HTTP to 192.168.0.100'
set nat destination rule 10 destination port '80'
set nat destination rule 10 inbound-interface 'eth0'
set nat destination rule 10 protocol 'tcp'
set nat destination rule 10 translation address '192.168.0.100'

Which would generate the following NAT destination configuration:

nat {
    destination {
        rule 10 {
            description "Port Forward: HTTP to 192.168.0.100"
            destination {
                port 80
            }
            inbound-interface eth0
            protocol tcp
            translation {
                address 192.168.0.100
            }
        }
    }
}

Note that if forwarding traffic to a different port than it is arriving on, you may also configure the translation port using?set nat destination rule [n] translation port.

This establishes our Port Forward rule, but if we created a firewall policy it will likely block the traffic.

It is important to note that when creating firewall rules that the DNAT translation occurs?before?traffic traverses the firewall. In other words, the destination address has already been translated to 192.168.0.100.

So in our firewall policy, we want to allow traffic coming in on the outside interface, destined for TCP port 80 and the IP address of 192.168.0.100.

set firewall name OUTSIDE-IN rule 20 action 'accept'
set firewall name OUTSIDE-IN rule 20 destination address '192.168.0.100'
set firewall name OUTSIDE-IN rule 20 destination port '80'
set firewall name OUTSIDE-IN rule 20 protocol 'tcp'
set firewall name OUTSIDE-IN rule 20 state new 'enable'

This would generate the following configuration:

rule 20 {
    action accept
    destination {
        address 192.168.0.100
        port 80
    }
    protocol tcp
    state {
        new enable
    }
}

Note: If you have configured the INSIDE-OUT policy, you will need to add additional rules to permit inbound NAT traffic.
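The two points made above, that rules in a rule-set are tried in number order with the default action as fallback, and that DNAT has already rewritten the destination by the time the forward rule-set runs, are easier to see with a model. The following Python is an added example, not VyOS code: it implements network and port groups, numbered rules with state matching, and a PREROUTING-then-FORWARD packet walk. The WAN address 203.0.113.1, the extra HTTPS forward, the OUTSIDE-IN rules and the test packets are all constructed for the example.

```python
"""Added example (not VyOS code): a packet walk through destination NAT and a
VyOS-style rule-set, showing that DNAT (PREROUTING) runs before the forward rule-set."""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple


@dataclass
class Packet:
    src: str
    dst: str
    proto: str
    dport: int
    state: str = "new"    # conntrack state: new / established / related / invalid


@dataclass
class DnatRule:           # 'set nat destination rule N ...'
    inbound_interface: str
    proto: str
    dport: int
    translation: str      # 'translation address'


@dataclass
class FwRule:             # 'set firewall name NAME rule N ...'
    action: str
    proto: Optional[str] = None
    dst_addr: Optional[str] = None      # 'destination address' (host or CIDR)
    dst_group: Optional[str] = None     # 'destination group network-group'
    dport: Optional[int] = None         # 'destination port'
    port_group: Optional[str] = None    # 'destination group port-group'
    states: Set[str] = field(default_factory=set)   # 'state X enable'


def in_network_group(addr: str, members: List[str]) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(m, strict=False) for m in members)


def in_port_group(port: int, members: List[str]) -> bool:
    """Members are single ports ('443') or ranges ('5000-5010')."""
    for m in members:
        low, _, high = m.partition("-")
        if int(low) <= port <= int(high or low):
            return True
    return False


def rule_matches(r: FwRule, pkt: Packet, groups: dict) -> bool:
    """Every criterion configured on a rule must match (they are ANDed)."""
    if r.proto and r.proto != pkt.proto:
        return False
    if r.dst_addr and ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(r.dst_addr, strict=False):
        return False
    if r.dst_group and not in_network_group(pkt.dst, groups["network"][r.dst_group]):
        return False
    if r.dport is not None and r.dport != pkt.dport:
        return False
    if r.port_group and not in_port_group(pkt.dport, groups["port"][r.port_group]):
        return False
    return not r.states or pkt.state in r.states


def apply_ruleset(ruleset: dict, pkt: Packet, groups: dict) -> Tuple[str, Optional[int]]:
    """Rules run in ascending number order; first match wins, otherwise default-action."""
    for number, rule in sorted(ruleset["rules"].items()):
        if rule_matches(rule, pkt, groups):
            return rule.action, number
    return ruleset["default-action"], None


def dnat(pkt: Packet, rules: List[DnatRule], iface: str) -> Packet:
    """PREROUTING: rewrite the destination when a port-forward rule matches."""
    for r in rules:
        if r.inbound_interface == iface and r.proto == pkt.proto and r.dport == pkt.dport:
            return Packet(pkt.src, r.translation, pkt.proto, pkt.dport, pkt.state)
    return pkt


def forward_path(pkt: Packet, iface: str, dnat_rules, ruleset, groups) -> Tuple[str, Optional[int]]:
    """DNAT runs first, so the forward rule-set only ever sees the translated destination."""
    return apply_ruleset(ruleset, dnat(pkt, dnat_rules, iface), groups)


# Constructed scenario: the page's HTTP forward plus an HTTPS one, the page's groups and an
# OUTSIDE-IN rule-set. 203.0.113.1 is an assumed WAN address of the router.
GROUPS = {"network": {"NET-INSIDE": ["192.168.0.0/24", "192.168.1.0/24"]},
          "port": {"PORT-TCP-SERVER1": ["80", "443", "5000-5010"]}}
DNAT_RULES = [DnatRule("eth0", "tcp", 80, "192.168.0.100"), DnatRule("eth0", "tcp", 443, "192.168.0.100")]
OUTSIDE_IN = {"default-action": "drop", "rules": {
    10: FwRule("accept", states={"established", "related"}),
    15: FwRule("drop", states={"invalid"}),
    20: FwRule("accept", proto="tcp", dst_addr="192.168.0.100", dport=80, states={"new"}),
    25: FwRule("accept", proto="tcp", dst_group="NET-INSIDE", port_group="PORT-TCP-SERVER1", states={"new"}),
    # Common mistake: matching the router's public address. DNAT has already rewritten the
    # destination, so on the forward path this rule can never match.
    30: FwRule("accept", proto="tcp", dst_addr="203.0.113.1", dport=80, states={"new"}),
}}


def decide(src: str, dst: str, proto: str, dport: int, state: str = "new", iface: str = "eth0"):
    """Verdict (action, rule number) for a packet arriving on the WAN interface."""
    return forward_path(Packet(src, dst, proto, dport, state), iface, DNAT_RULES, OUTSIDE_IN, GROUPS)
```

Calling decide("198.51.100.7", "203.0.113.1", "tcp", 80) returns ('accept', 20): the packet was rewritten to 192.168.0.100 before the rule-set ran. A port with no forward (5005) keeps the public destination, matches neither rule 20 nor the NET-INSIDE group in rule 25, and falls through to the default drop. Rule 30, written against the public address, is dead code on the forward path; it would only appear to work if you tested the rule-set against the pre-NAT destination, which apply_ruleset lets you do directly.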

1-to-1 NAT

Another term often used for DNAT is?1-to-1 NAT.

For a 1-to-1 NAT configuration, both DNAT and SNAT are used to NAT all traffic from an external IP address to an internal IP address and vice-versa.

Typically, a 1-to-1 NAT rule omits the destination port (all ports) and replaces the protocol with either?all?or?ip.

Then a corresponding SNAT rule is created to NAT outgoing traffic for the internal IP to a reserved external IP. This dedicates an external IP address to an internal IP address and is useful for protocols which don't have the notion of ports, such as GRE.

1-to-1 NAT example

Here's an extract of a simple 1-to-1 NAT configuration with one internal and one external interface:

set interfaces ethernet eth0 address '192.168.1.1/24'
set interfaces ethernet eth0 description 'Inside interface'
set interfaces ethernet eth1 address '1.2.3.4/24'
set interfaces ethernet eth1 description 'Outside interface'
set nat destination rule 2000 description '1-to-1 NAT example'
set nat destination rule 2000 destination address '1.2.3.4'
set nat destination rule 2000 inbound-interface 'eth1'
set nat destination rule 2000 translation address '192.168.1.10'
set nat source rule 2000 description '1-to-1 NAT example'
set nat source rule 2000 outbound-interface 'eth1'
set nat source rule 2000 source address '192.168.1.10'
set nat source rule 2000 translation address '1.2.3.4'

Firewall rules are written as normal, using the internal IP address as the source of outbound rules and the destination of inbound rules.

NPTv6 (RFC6296)

See here?:?How_to_do_NPTv6

VPN

OpenVPN

Traditionally, hardware routers implement IPsec exclusively because it is comparatively easy to implement in hardware and their CPUs lack the power to do encryption in software. Since VyOS is a software router, this is less of a concern. OpenVPN has been widely used on UNIX platforms for a long time and is a popular option for remote access VPN, though it is also capable of site-to-site connections.

The advantages of OpenVPN are:

  • It uses a single TCP or UDP connection and does not rely on packet source addresses, so it will work even through a double NAT: perfect for public hotspots and such
  • It's easy to setup and offers very flexible split tunneling
  • There's a variety of client GUI frontends for any platform

The disadvantages are:

  • It's slower than IPsec due to higher protocol overhead and the fact it runs in user mode while IPsec, on Linux, is in kernel mode
  • None of the operating systems have client software installed by default

In the VyOS CLI, a key point often overlooked is that rather than being configured using the?set vpn?stanza, OpenVPN is configured as a network interface using?set interfaces openvpn.

OpenVPN Site-To-Site

While many are aware of OpenVPN as a Client VPN solution, it is often overlooked as a site-to-site VPN solution due to lack of support for this mode in many router platforms.

Site-to-site mode supports x.509 but doesn't require it and can also work with static keys, which is simpler in many cases. In this example, we'll configure a simple site-to-site OpenVPN tunnel using a 2048-bit pre-shared key.

First, on one of the systems, generate the key using the operational command generate openvpn key <filename>. This writes a key with the name provided into the /config/auth/ directory. Once generated, you will need to copy this key to the remote router over a trusted channel (for example scp over an existing SSH session): anyone who obtains the key can decrypt and inject tunnel traffic.

In our example, we used the filename?openvpn-1.key?which we will reference in our configuration.

  • The public IP address of the local side of the VPN will be 198.51.100.10
  • The remote will be 203.0.113.11
  • The tunnel will use 10.255.1.1 for the local IP and 10.255.1.2 for the remote.
  • OpenVPN allows for either TCP or UDP. UDP will provide the lowest latency, while TCP will work better for lossy connections; generally UDP is preferred when possible.
  • The official port for OpenVPN is 1194, which we reserve for client VPN; we will use 1195 for site-to-site VPN.
  • The?persistent-tunnel?directive will allow us to configure tunnel-related attributes, such as firewall policy as we would on any normal network interface.
  • If known, the IP of the remote router can be configured using the?remote-host?directive; if unknown, it can be omitted. We will assume a dynamic IP for our remote router.

Local Configuration:

set interfaces openvpn vtun1 mode site-to-site
set interfaces openvpn vtun1 protocol udp
set interfaces openvpn vtun1 persistent-tunnel
set interfaces openvpn vtun1 local-host '198.51.100.10'
set interfaces openvpn vtun1 local-port '1195'
set interfaces openvpn vtun1 remote-port '1195'
set interfaces openvpn vtun1 shared-secret-key-file '/config/auth/openvpn-1.key'
set interfaces openvpn vtun1 local-address '10.255.1.1'
set interfaces openvpn vtun1 remote-address '10.255.1.2'

Remote Configuration:

set interfaces openvpn vtun1 mode site-to-site
set interfaces openvpn vtun1 protocol udp
set interfaces openvpn vtun1 persistent-tunnel
set interfaces openvpn vtun1 remote-host '198.51.100.10'
set interfaces openvpn vtun1 local-port '1195'
set interfaces openvpn vtun1 remote-port '1195'
set interfaces openvpn vtun1 shared-secret-key-file '/config/auth/openvpn-1.key'
set interfaces openvpn vtun1 local-address '10.255.1.2'
set interfaces openvpn vtun1 remote-address '10.255.1.1'

The configurations above default to 128-bit Blowfish in CBC mode for encryption and SHA-1 for HMAC authentication. Both are now considered weak (Blowfish's 64-bit block size makes long-lived tunnels susceptible to birthday attacks), so set the algorithms explicitly to AES and SHA-256 or stronger on both ends. The available options are:

For Encryption:

vyos@vyos# set interfaces openvpn vtun1 encryption
Possible completions:
   des      DES algorithm
   3des     DES algorithm with triple encryption
   bf128    Blowfish algorithm with 128-bit key
   bf256    Blowfish algorithm with 256-bit key
   aes128   AES algorithm with 128-bit key
   aes192   AES algorithm with 192-bit key
   aes256   AES algorithm with 256-bit key

For Hashing:

vyos@vyos# set interfaces openvpn vtun1 hash
Possible completions:
   md5      MD5 algorithm
   sha1     SHA-1 algorithm
   sha256   SHA-256 algorithm
   sha512   SHA-512 algorithm

If you change the default encryption and hashing algorithms, be sure that the local and remote ends have matching configurations, otherwise the tunnel will not come up.
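For reference, here is an added Python example (not VyOS or OpenVPN code) that produces the same "OpenVPN Static key V1" file layout that generate openvpn key writes, parses such a file back into its 256 key bytes, and checks that the local and remote copies are identical, which is the matching requirement stated above. The hex line layout (16 lines of 16 bytes) and the comment header follow what OpenVPN's --genkey emits; the rejection of truncated or non-hex files is the example's own validation.

```python
"""Added example (not VyOS code): generate, parse and compare OpenVPN 'Static key V1'
files of the kind 'generate openvpn key' writes to /config/auth/."""
import hmac
import os
import re
from typing import Callable

KEY_BYTES = 256                      # 2048-bit pre-shared key
HEADER = "-----BEGIN OpenVPN Static key V1-----"
FOOTER = "-----END OpenVPN Static key V1-----"


def generate_static_key(rand: Callable[[int], bytes] = os.urandom) -> str:
    """Return a key file body: 16 lines of 32 hex characters between the markers."""
    raw = rand(KEY_BYTES)
    lines = [raw[i:i + 16].hex() for i in range(0, KEY_BYTES, 16)]
    return "\n".join(["#", "# 2048 bit OpenVPN static key", "#", HEADER, *lines, FOOTER]) + "\n"


def parse_static_key(text: str) -> bytes:
    """Extract the raw key, rejecting truncated, padded or non-hex files."""
    lines = [line.strip() for line in text.splitlines()]
    if HEADER not in lines or FOOTER not in lines:
        raise ValueError("missing OpenVPN static key markers")
    body = "".join(lines[lines.index(HEADER) + 1:lines.index(FOOTER)])
    if not re.fullmatch(r"[0-9a-fA-F]*", body) or len(body) % 2:
        raise ValueError("key block is not valid hex")
    raw = bytes.fromhex(body)
    if len(raw) != KEY_BYTES:
        raise ValueError(f"expected {KEY_BYTES} key bytes, got {len(raw)}")
    return raw


def keys_match(local_text: str, remote_text: str) -> bool:
    """Both ends must hold the identical key; compare in constant time."""
    return hmac.compare_digest(parse_static_key(local_text), parse_static_key(remote_text))


if __name__ == "__main__":
    key = generate_static_key()
    print(key, end="")
    print("key bytes:", len(parse_static_key(key)), "matches itself:", keys_match(key, key))
```

A practical use is a pre-flight check before committing the remote side: read both key files and run keys_match on them, which catches the common copy-and-paste failures (a missing last line, a stray character) before they surface as a tunnel that silently never comes up.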

Static routes can be configured referencing the tunnel interface; for example, the local router will use a network of 10.0.0.0/16, while the remote has a network of 10.1.0.0/16:

Local Configuration:

set protocols static interface-route 10.1.0.0/16 next-hop-interface vtun1

Remote Configuration:

set protocols static interface-route 10.0.0.0/16 next-hop-interface vtun1

Firewall policy can also be applied to the tunnel interface for?local,?in, and?out?directions and function identically to ethernet interfaces.

If making use of multiple tunnels, OpenVPN must have a way to distinguish between different tunnels aside from the pre-shared-key. This is either by referencing IP address or port number. One option is to dedicate a public IP to each tunnel. Another option is to dedicate a port number to each tunnel (e.g. 1195,1196,1197...)

OpenVPN status can be verified using the?show openvpn?operational commands. See the built-in help for a complete list of options.

OpenVPN Server

Multi-client server is the most popular OpenVPN mode on routers. It always uses x.509 authentication and therefore requires a PKI setup. This guide assumes you have already set up a PKI and have a CA certificate, a server certificate and key, a certificate revocation list and a Diffie-Hellman parameters file. You do not need client certificates and keys for the server setup.

In this example we will use the most complicated case: a setup where each client is a router that has its own subnet (think HQ and branch offices), since simpler setups are subsets of it.

Suppose you want to use 10.23.1.0/24 network for client tunnel endpoints and all client subnets belong to 10.23.0.0/20. All clients need access to the 192.168.0.0/16 network.

First we need to specify the basic settings. 1194/UDP is the default. The persistent-tunnel option is recommended, it prevents the TUN/TAP device from closing on connection resets or daemon reloads.

set interfaces openvpn vtun10 mode server
set interfaces openvpn vtun10 local-port 1194
set interfaces openvpn vtun10 persistent-tunnel
set interfaces openvpn vtun10 protocol udp

Then we need to specify the location of the cryptographic materials. Suppose you keep the files in?/config/auth/openvpn

set interfaces openvpn vtun10 tls ca-cert-file /config/auth/openvpn/ca.crt
set interfaces openvpn vtun10 tls cert-file /config/auth/openvpn/server.crt
set interfaces openvpn vtun10 tls key-file /config/auth/openvpn/server.key
set interfaces openvpn vtun10 tls crl-file /config/auth/openvpn/crl.pem
set interfaces openvpn vtun10 tls dh-file /config/auth/openvpn/dh2048.pem

Now we need to specify the server network settings. In all cases we need to specify the subnet for client tunnel endpoints. Since we want clients to access a specific network behind our router, we use the push-route option to install that route on the clients.

set interfaces openvpn vtun10 server push-route 192.168.0.0/16
set interfaces openvpn vtun10 server subnet 10.23.1.0/24

Since it's a HQ and branch offices setup, we will want all clients to have fixed addresses and we will route traffic to specific subnets through them. We need configuration for each client to achieve this. Note that clients are identified by the CN field of their x.509 certificates, in this example the CN is client0:

set interfaces openvpn vtun10 server client client0 ip 10.23.1.10
set interfaces openvpn vtun10 server client client0 subnet 10.23.2.0/25

OpenVPN?will not?automatically create routes in the kernel for client subnets when they connect and will only use client-subnet association internally, so we need to create a route to the 10.23.0.0/20 network ourselves:

set protocols static interface-route 10.23.0.0/20 next-hop-interface vtun10

L2TP over IPsec

Example for configuring a simple L2TP over IPsec VPN for remote access (works with native Windows and Mac VPN clients):

set vpn ipsec ipsec-interfaces interface eth0
set vpn ipsec nat-traversal enable
set vpn ipsec nat-networks allowed-network 0.0.0.0/0
set vpn l2tp remote-access outside-address 203.0.113.2
set vpn l2tp remote-access client-ip-pool start 192.168.255.1
set vpn l2tp remote-access client-ip-pool stop 192.168.255.254
set vpn l2tp remote-access ipsec-settings authentication mode pre-shared-secret
set vpn l2tp remote-access ipsec-settings authentication pre-shared-secret <secret>
set vpn l2tp remote-access authentication mode local
set vpn l2tp remote-access authentication local-users username <username> password <password>

In the example above an external IP of 203.0.113.2 is assumed.

If a local firewall policy is in place on your external interface you will need to open:

  • UDP port 500 (IKE)
  • IP protocol number 50 (ESP)
  • UDP port 1701 (L2TP), accepted only when it arrives inside IPsec (the match-ipsec criterion below), so that unencrypted L2TP from the Internet never reaches the server

In addition when NAT is detected by the VPN client ESP is encapsulated in UDP for NAT-traversal:

  • UDP port 4500 (NAT-T)

Example:

set firewall name OUTSIDE-LOCAL rule 40 action 'accept'
set firewall name OUTSIDE-LOCAL rule 40 protocol 'esp'
set firewall name OUTSIDE-LOCAL rule 41 action 'accept'
set firewall name OUTSIDE-LOCAL rule 41 destination port '500'
set firewall name OUTSIDE-LOCAL rule 41 protocol 'udp'
set firewall name OUTSIDE-LOCAL rule 42 action 'accept'
set firewall name OUTSIDE-LOCAL rule 42 destination port '4500'
set firewall name OUTSIDE-LOCAL rule 42 protocol 'udp'
set firewall name OUTSIDE-LOCAL rule 43 action 'accept'
set firewall name OUTSIDE-LOCAL rule 43 destination port '1701'
set firewall name OUTSIDE-LOCAL rule 43 ipsec 'match-ipsec'
set firewall name OUTSIDE-LOCAL rule 43 protocol 'udp'

ESP is IP protocol 50 and carries no port numbers, so rule 40 matches on the protocol alone; a destination port can only be combined with tcp or udp.

Also note that if you wish to allow the VPN to be used for external access you will need to add the appropriate source NAT rules to your configuration.

set nat source rule 110 outbound-interface 'eth0'
set nat source rule 110 source address '192.168.255.0/24'
set nat source rule 110 translation address masquerade

To be able to resolve when connected to the VPN, the following DNS rules are needed as well.

set vpn l2tp remote-access dns-servers server-1 '8.8.8.8'
set vpn l2tp remote-access dns-servers server-2 '8.8.4.4'


Established sessions can be viewed using the?show vpn remote-access?operational command.

vyos@vyos:~$ show vpn remote-access
Active remote access VPN sessions:

User      Proto Iface  Tunnel IP      TX byte RX byte Time
----      ----- -----  ---------      ------- ------- ----
vyos      L2TP  l2tp0  192.168.255.1  3.2K    8.0K    00h06m13s

Site-to-Site IPsec

Example:

  • eth1 is the WAN interface
  • left subnet: 192.168.0.0/24 (site1, the "server" side; IPsec has no client or server roles, the term only indicates which end is local)
  • left local_ip: 1.1.1.1 (server side WAN IP)
  • right subnet: 10.0.0.0/24 (site2, remote office side)
  • right local_ip: 2.2.2.2 (remote office side WAN IP)

The example uses IKEv1 and SHA-1 for compatibility with older peers; where both sides support it, prefer key-exchange 'ikev2' and hash 'sha256', and replace 'SomePreSharedKey' with a long random secret.

# server side config
set vpn ipsec esp-group office-srv-esp compression 'disable'
set vpn ipsec esp-group office-srv-esp lifetime '1800'
set vpn ipsec esp-group office-srv-esp mode 'tunnel'
set vpn ipsec esp-group office-srv-esp pfs 'enable'
set vpn ipsec esp-group office-srv-esp proposal 1 encryption 'aes256'
set vpn ipsec esp-group office-srv-esp proposal 1 hash 'sha1'
set vpn ipsec ike-group office-srv-ike ikev2-reauth 'no'
set vpn ipsec ike-group office-srv-ike key-exchange 'ikev1'
set vpn ipsec ike-group office-srv-ike lifetime '3600'
set vpn ipsec ike-group office-srv-ike proposal 1 encryption 'aes256'
set vpn ipsec ike-group office-srv-ike proposal 1 hash 'sha1'
set vpn ipsec ipsec-interfaces interface 'eth1'
set vpn ipsec site-to-site peer 2.2.2.2 authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer 2.2.2.2 authentication pre-shared-secret 'SomePreSharedKey'
set vpn ipsec site-to-site peer 2.2.2.2 ike-group 'office-srv-ike'
set vpn ipsec site-to-site peer 2.2.2.2 local-address '1.1.1.1'
set vpn ipsec site-to-site peer 2.2.2.2 tunnel 0 allow-nat-networks 'disable'
set vpn ipsec site-to-site peer 2.2.2.2 tunnel 0 allow-public-networks 'disable'
set vpn ipsec site-to-site peer 2.2.2.2 tunnel 0 esp-group 'office-srv-esp'
set vpn ipsec site-to-site peer 2.2.2.2 tunnel 0 local prefix '192.168.0.0/24'
set vpn ipsec site-to-site peer 2.2.2.2 tunnel 0 remote prefix '10.0.0.0/24'

# remote office side config
set vpn ipsec esp-group office-srv-esp compression 'disable'
set vpn ipsec esp-group office-srv-esp lifetime '1800'
set vpn ipsec esp-group office-srv-esp mode 'tunnel'
set vpn ipsec esp-group office-srv-esp pfs 'enable'
set vpn ipsec esp-group office-srv-esp proposal 1 encryption 'aes256'
set vpn ipsec esp-group office-srv-esp proposal 1 hash 'sha1'
set vpn ipsec ike-group office-srv-ike ikev2-reauth 'no'
set vpn ipsec ike-group office-srv-ike key-exchange 'ikev1'
set vpn ipsec ike-group office-srv-ike lifetime '3600'
set vpn ipsec ike-group office-srv-ike proposal 1 encryption 'aes256'
set vpn ipsec ike-group office-srv-ike proposal 1 hash 'sha1'
set vpn ipsec ipsec-interfaces interface 'eth1'
set vpn ipsec site-to-site peer 1.1.1.1 authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer 1.1.1.1 authentication pre-shared-secret 'SomePreSharedKey'
set vpn ipsec site-to-site peer 1.1.1.1 ike-group 'office-srv-ike'
set vpn ipsec site-to-site peer 1.1.1.1 local-address '2.2.2.2'
set vpn ipsec site-to-site peer 1.1.1.1 tunnel 0 allow-nat-networks 'disable'
set vpn ipsec site-to-site peer 1.1.1.1 tunnel 0 allow-public-networks 'disable'
set vpn ipsec site-to-site peer 1.1.1.1 tunnel 0 esp-group 'office-srv-esp'
set vpn ipsec site-to-site peer 1.1.1.1 tunnel 0 local prefix '10.0.0.0/24'
set vpn ipsec site-to-site peer 1.1.1.1 tunnel 0 remote prefix '192.168.0.0/24'

Once committed on both sides, verify the IKE and IPsec security associations:

vyos@srv-gw0:~$ show vpn ike sa
Peer ID / IP                            Local ID / IP
------------                            -------------
2.2.2.2                                 1.1.1.1

    State  Encrypt  Hash    D-H Grp  NAT-T  A-Time  L-Time
    -----  -------  ----    -------  -----  ------  ------
    up     aes256   sha1    5        no     734     3600


vyos@srv-gw0:~$ show vpn ipsec sa
Peer ID / IP                            Local ID / IP
------------                            -------------
2.2.2.2                                 1.1.1.1

    Tunnel  State  Bytes Out/In   Encrypt  Hash    NAT-T  A-Time  L-Time  Proto
    ------  -----  -------------  -------  ----    -----  ------  ------  -----
    0       up     7.5M/230.6K    aes256   sha1    no     567     1800    all

If there are SNAT (masquerade) rules on eth1, add an exclude rule with a lower rule number so that site-to-site traffic keeps its original source address. Otherwise the packets are masqueraded before the IPsec policy is consulted, no longer match the tunnel's local/remote prefixes, and leave the WAN interface unencrypted.

# server side
set nat source rule 10 destination address '10.0.0.0/24'
set nat source rule 10 'exclude'
set nat source rule 10 outbound-interface 'eth1'
set nat source rule 10 source address '192.168.0.0/24'

# remote office side
set nat source rule 10 destination address '192.168.0.0/24'
set nat source rule 10 'exclude'
set nat source rule 10 outbound-interface 'eth1'
set nat source rule 10 source address '10.0.0.0/24'

To allow traffic from the remote site through the firewall (assuming the default configuration at the top of this page), rules accepting the remote subnet are needed as well. The rules below go into OUTSIDE-LOCAL, which only covers traffic addressed to the router itself; to let the remote site reach hosts behind the router, add the same source-address rules to the forward rule-set applied to the WAN interface (OUTSIDE-IN in that configuration). Because a source address alone can be spoofed from the Internet, add ipsec 'match-ipsec' to these rules so that they only accept packets that arrived through the tunnel.

# server side
set firewall name OUTSIDE-LOCAL rule 32 action 'accept'
set firewall name OUTSIDE-LOCAL rule 32 source address '10.0.0.0/24'

# remote office side
set firewall name OUTSIDE-LOCAL rule 32 action 'accept'
set firewall name OUTSIDE-LOCAL rule 32 source address '192.168.0.0/24'

DMVPN

Advanced DMVPN configuration examples are available on the?DMVPN?page.

QoS and Traffic Policy

The traffic policy subsystem provides an interface to Linux traffic control.

One common use of traffic policy is to limit bandwidth on an interface. In the example below we shape traffic leaving our LAN interface (download) to 200M and traffic leaving our WAN interface (upload) to 50M:

set traffic-policy shaper WAN-OUT bandwidth '50Mbit'
set traffic-policy shaper WAN-OUT default bandwidth '50%'
set traffic-policy shaper WAN-OUT default ceiling '100%'
set traffic-policy shaper WAN-OUT default queue-type 'fair-queue'
set traffic-policy shaper LAN-OUT bandwidth '200Mbit'
set traffic-policy shaper LAN-OUT default bandwidth '50%'
set traffic-policy shaper LAN-OUT default ceiling '100%'
set traffic-policy shaper LAN-OUT default queue-type 'fair-queue'

Resulting in the following configuration:

traffic-policy {
    shaper WAN-OUT {
        bandwidth 50Mbit
        default {
            bandwidth 50%
            ceiling 100%
            queue-type fair-queue
        }
    }
    shaper LAN-OUT {
        bandwidth 200Mbit
        default {
            bandwidth 50%
            ceiling 100%
            queue-type fair-queue
        }
    }
}

Once defined, a traffic policy can be applied to each interface using the interface-level traffic-policy directive:

set interfaces ethernet eth0 traffic-policy out 'WAN-OUT'
set interfaces ethernet eth1 traffic-policy out 'LAN-OUT'

Note that a traffic policy can also be defined to match specific traffic flows using class statements.

VyOS also supports HFSC (included in Lithium).

set traffic-policy shaper-hfsc

See further information on the QoS page.

DHCP Server

For more information, refer to the DHCP server page.

VyOS provides a DHCP server. The following example provides open pool addressing for a LAN network:

VyOS < 1.2.0

set service dhcp-server shared-network-name 'LAN' authoritative enable
set service dhcp-server shared-network-name 'LAN' subnet '192.168.0.0/24' start '192.168.0.128' stop '192.168.0.254'
set service dhcp-server shared-network-name 'LAN' subnet '192.168.0.0/24' default-router '192.168.0.1'
set service dhcp-server shared-network-name 'LAN' subnet '192.168.0.0/24' dns-server '192.168.0.1'
set service dhcp-server shared-network-name 'LAN' subnet '192.168.0.0/24' domain-name 'internal-net'
set service dhcp-server shared-network-name 'LAN' subnet '192.168.0.0/24' lease 86400

VyOS >= 1.2.0

Multiple ranges can be defined and can contain holes.

set service dhcp-server shared-network-name 'LAN' authoritative
set service dhcp-server shared-network-name 'LAN' subnet '192.168.0.0/24' range 0 start '192.168.0.128'
set service dhcp-server shared-network-name 'LAN' subnet '192.168.0.0/24' range 0 stop '192.168.0.254'
set service dhcp-server shared-network-name 'LAN' subnet '192.168.0.0/24' default-router '192.168.0.1'
set service dhcp-server shared-network-name 'LAN' subnet '192.168.0.0/24' dns-server '192.168.0.1'
set service dhcp-server shared-network-name 'LAN' subnet '192.168.0.0/24' domain-name 'internal-net'
set service dhcp-server shared-network-name 'LAN' subnet '192.168.0.0/24' lease 86400

This will provide dynamic addressing using a 24-hour lease and the range of 128-254 for host addressing, reserving the first half of the network for static assignment. Note that the DHCP service will NOT be authoritative for the subnet unless explicitly configured.

Static mappings can also be configured for hosts which need a fixed address via DHCP:

set service dhcp-server shared-network-name 'LAN' subnet '192.168.0.0/24' static-mapping 'SERVER' ip-address '192.168.0.10'
set service dhcp-server shared-network-name 'LAN' subnet '192.168.0.0/24' static-mapping 'SERVER' mac-address '00:53:00:00:00:01'

Failover

VyOS provides support for DHCP failover:

set service dhcp-server shared-network-name 'LAN' subnet '192.168.0.0/24' failover local-address '192.168.0.1'
set service dhcp-server shared-network-name 'LAN' subnet '192.168.0.0/24' failover name 'foo'
set service dhcp-server shared-network-name 'LAN' subnet '192.168.0.0/24' failover peer-address '192.168.0.2'

NOTE: name must be identical on both sides!

The primary and secondary statements determine whether the server is the primary or the secondary:

set service dhcp-server shared-network-name 'LAN' subnet '192.168.0.0/24' failover status 'primary'

or

set service dhcp-server shared-network-name 'LAN' subnet '192.168.0.0/24' failover status 'secondary'

DHCPv6 server

The DHCPv6 server shares most of its configuration options with the IPv4 DHCP server, with one major exception: in IPv6, DHCP is never used for default gateway configuration. If the default gateway is configured automatically, it is always done via router advertisement (RA).

Since router advertisement cannot be deactivated even if DHCPv6 is in use, you first need to set the "managed flag" in the RA, which instructs clients to request an IPv6 address via DHCPv6 instead of using SLAAC or EUI-64.

set interfaces ethernet eth1 address '2001:db8:ff::1/64'
set interfaces ethernet eth1 ipv6 router-advert managed-flag 'true'

Then you can set up the DHCPv6 server:

set service dhcpv6-server shared-network-name LAN subnet 2001:db8:ff::/64 address-range prefix '2001:db8:ff::/64'
set service dhcpv6-server shared-network-name LAN subnet 2001:db8:ff::/64 address-range start 2001:db8::1000 stop '2001:db8::ffff'
set service dhcpv6-server shared-network-name LAN subnet 2001:db8:ff::/64 name-server '2001:db8:aa::bb'

DHCP-Relay

VyOS can act as a DHCP relay, sending DHCP requests from locally connected networks to a central DHCP server, or servers:

set service dhcp-relay interface eth0
set service dhcp-relay interface eth1
set service dhcp-relay server 192.168.0.4
set service dhcp-relay server 192.168.0.5

An important note: dhcp-relay currently requires specifying the interface the DHCP server replies come from in addition to the interfaces to listen on. An upstream bug exists for this: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=648401

By default the ISC dhcp-relay process will also relay packets that have already passed through another relay agent (that is, packets already carrying relay-agent information); as this is not expected behavior, disabling it is recommended using the following directive:

set service dhcp-relay relay-options relay-agents-packets discard

Additional protections can be configured by limiting the hop count and the maximum size of relayed DHCP packets.

set service dhcp-relay hop-count 10
set service dhcp-relay max-size 576
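The three relay protections just described (hop-count, max-size and relay-agents-packets discard) applied to a client packet, as an added example written for this guide; it is not VyOS or ISC dhcrelay code, and the BOOTP layout, the "drop when hops exceed the limit, otherwise increment" rule and the constructed DHCPDISCOVER are assumptions made for the demo.

```python
"""Model of a DHCP relay's client-side protections (added example, not VyOS
or ISC dhcrelay code).  The packet bytes used here are constructed samples."""
import struct
from typing import Optional, Tuple, Union

# Fixed BOOTP header (RFC 2131): op, htype, hlen, hops, xid, secs, flags,
# ciaddr, yiaddr, siaddr, giaddr, chaddr, sname, file  -> 236 bytes
BOOTP_HEADER = struct.Struct("!BBBBIHH4s4s4s4s16s64s128s")
MAGIC_COOKIE = b"\x63\x82\x53\x63"          # marks the start of DHCP options
OPT_PAD, OPT_END, OPT_MSG_TYPE, OPT_RELAY_AGENT = 0, 255, 53, 82
BOOTREQUEST = 1


def parse_options(data: bytes) -> dict:
    """Parse the DHCP TLV option area into {code: raw value}."""
    opts, i = {}, 0
    while i < len(data):
        code = data[i]
        if code == OPT_PAD:
            i += 1
            continue
        if code == OPT_END:
            break
        length = data[i + 1]
        opts[code] = data[i + 2:i + 2 + length]
        i += 2 + length
    return opts


def build_client_packet(hops: int = 0, relay_agent_info: Optional[bytes] = None,
                        pad_to: int = 0) -> bytes:
    """Constructed DHCPDISCOVER as a client (or an upstream relay) would send it."""
    header = BOOTP_HEADER.pack(
        BOOTREQUEST, 1, 6, hops,              # op, htype=Ethernet, hlen, hops
        0x3903F326, 0, 0x8000,                # xid, secs, flags (broadcast)
        b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4,   # ciaddr yiaddr siaddr giaddr
        b"\x00\x53\x00\x00\x00\x01" + b"\0" * 10,    # chaddr, padded to 16 bytes
        b"\0" * 64, b"\0" * 128)
    options = bytes([OPT_MSG_TYPE, 1, 1])     # message type 1 = DISCOVER
    if relay_agent_info is not None:          # option 82 set by an earlier relay
        options += bytes([OPT_RELAY_AGENT, len(relay_agent_info)]) + relay_agent_info
    options += bytes([OPT_END])
    packet = header + MAGIC_COOKIE + options
    if pad_to > len(packet):                  # oversize the packet for the test
        packet += b"\0" * (pad_to - len(packet))
    return packet


def relay_decision(packet: bytes, hop_count: int = 10, max_size: int = 576,
                   discard_relay_agent_packets: bool = True
                   ) -> Tuple[str, Union[str, bytes]]:
    """Return ('drop', reason) or ('forward', packet_to_send_to_server).

    The forwarded copy has its hop counter incremented, as every relay on the
    path is expected to do, which is what makes the hop-count limit effective."""
    if len(packet) > max_size:
        return "drop", f"{len(packet)} bytes exceeds max-size {max_size}"
    hdr_len = BOOTP_HEADER.size + len(MAGIC_COOKIE)
    if len(packet) < hdr_len or packet[BOOTP_HEADER.size:hdr_len] != MAGIC_COOKIE:
        return "drop", "not a DHCP packet (short or missing magic cookie)"
    fields = list(BOOTP_HEADER.unpack_from(packet))
    op, hops = fields[0], fields[3]
    if op != BOOTREQUEST:
        return "drop", "not a client request"
    if hops > hop_count:
        return "drop", f"hops {hops} exceeds hop-count {hop_count}"
    opts = parse_options(packet[hdr_len:])
    if discard_relay_agent_packets and OPT_RELAY_AGENT in opts:
        return "drop", "already carries relay-agent information (option 82)"
    fields[3] = hops + 1
    return "forward", BOOTP_HEADER.pack(*fields) + packet[BOOTP_HEADER.size:]


if __name__ == "__main__":
    samples = {
        "fresh client discover": build_client_packet(),
        "looped 11 hops": build_client_packet(hops=11),
        "via another relay": build_client_packet(relay_agent_info=b"\x01\x04eth1"),
        "oversized": build_client_packet(pad_to=600),
    }
    for name, pkt in samples.items():
        action, detail = relay_decision(pkt)
        print(f"{name:22s} -> {action} {detail if action == 'drop' else ''}")
```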

DNS Forwarder

VyOS provides a DNS forwarder. This example shows the forwarder being used to listen for DNS requests on interface eth1 and use Google Public DNS as upstream name servers with caching disabled:

set service dns forwarding name-server 8.8.8.8
set service dns forwarding name-server 8.8.4.4
set service dns forwarding cache-size 0
set service dns forwarding listen-on eth1

Alternatively, the forwarder can be told to use the system DNS servers with the set service dns forwarding system directive, or those obtained via DHCP with the [...] dhcp <interface> directive.

By default, the forwarder will also answer from the local hosts file on the system; this can be disabled using the ignore-host-file directive.

To add entries to the local hosts file for the system, the set system static-host-mapping directive can be used:

set system static-host-mapping host-name example.com inet 127.0.0.1

Dynamic DNS

VyOS provides a dynamic DNS update agent which can be used to update DNS providers when dynamic addressing is used.

set service dns dynamic interface eth0

More information here: Dynamic_DNS

mDNS Repeater

VyOS (1.2.x) provides a Multicast DNS repeater functionality.

Multicast DNS uses the 224.0.0.51 address, which is "administratively scoped" and does not leave the subnet. The repeater re-broadcasts mDNS packets from one interface to other interfaces. This enables support for e.g. AirPlay devices across multiple VLANs.

set service mdns repeater interface eth0
set service mdns repeater interface eth1

This will re-broadcast all mDNS packets from eth0 to eth1 and vice versa.

The mDNS repeater can be disabled using set service mdns repeater disable.

UDP broadcast relay

Certain vendors use broadcasts to identify their equipment within one Ethernet segment. Unfortunately, if you split your network into multiple VLANs you lose the ability to identify your equipment. This is where "UDP broadcast relay" comes into play: it forwards received broadcasts to the other configured networks.

Every UDP port that is to be forwarded requires one unique ID. Currently 99 IDs are supported.

Forward broadcasts on port 1900 for eth3, eth4 and eth5:

set service broadcast-relay id 1 description 'SONOS'
set service broadcast-relay id 1 interface 'eth3'
set service broadcast-relay id 1 interface 'eth4'
set service broadcast-relay id 1 interface 'eth5'
set service broadcast-relay id 1 port '1900'

Forward broadcasts on port 6969 for eth3 and eth4:

set service broadcast-relay id 2 description 'SONOS MGMT'
set service broadcast-relay id 2 interface 'eth3'
set service broadcast-relay id 2 interface 'eth4'
set service broadcast-relay id 2 port '6969'

Each broadcast relay instance can be disabled using set service broadcast-relay id <n> disable.

In addition, you can disable the whole service without removing the configuration using set service broadcast-relay disable.


System Configuration

System Users

As of the 1.1.8 release and the 1.2.0 release candidates, VyOS supports two user privilege levels: admin and operator. However, the operator level is a legacy feature and has been proved insecure: any user can escape the restricted shell in multiple easy ways. That feature will be removed in future releases, and we do not recommend using it.


Creating Login User Accounts

Create user account jsmith, with admin level access and the password "mypassword":

set system login user jsmith full-name "Johan Smith"
set system login user jsmith authentication plaintext-password mypassword
commit

The command:

show system login

will show the contents of the system login configuration node (note that the plaintext password is replaced by its hash on commit):

user jsmith {
    authentication {
        encrypted-password $6$0OQHjuQ8M$AYXVn7jufdfqPrSk4/XXsDBw99JBtNsETkQKDgVLptXogHA2bU9BWlvViOFPBoFxIi.iqjqrvsQdQ./cfiiPT.
        plaintext-password ""
    }
    full-name "Johan Smith"
    level admin
}

Configuring for SSH Access using Shared Public Keys

The following command will load the public key dev.pub for user jsmith:

loadkey jsmith dev.pub

Note: this requires uploading the dev.pub public key to the VyOS firewall first. As an alternative, you can also load the SSH public key directly from a remote system:

loadkey jsmith scp://devuser@dev001.vyos.net/home/devuser/.ssh/dev.pub

IPv6

Advanced IPv6 configuration examples are available on the IPv6 page.

Clustering

VyOS supports multicast and unicast clustering. Multicast is the default; to use the unicast method, add the peer directive to the interface with the IP address of the other cluster member.

In the example below SSH is clustered between two nodes with the unicast method.

cluster {
    dead-interval 20000
    group cluster {
        auto-failback false
        primary vyos
        secondary vyos2
        service ssh
        service 192.168.0.123/24/eth0
    }
    interface eth0 {
        peer 192.168.0.121
    }
    keepalive-interval 5000
    monitor-dead-interval 20000
    pre-shared-secret S3cr#t
}

System Image Management

The VyOS image-based installation is implemented by creating a directory for each image on the storage device selected during the install process.

The directory structure of the boot device:

/
/boot
/boot/grub
/boot/VyOS_999.hydrogen.11291501

The image directory contains the system kernel, a compressed image of the root filesystem for the OS, and a directory for persistent storage, such as configuration.

On boot, the system will extract the OS image into memory and mount the appropriate live-rw sub-directories to provide persistent storage for the system configuration.

This process allows for a system to always boot to a known working state, as the OS image is fixed and non-persistent. It also allows for multiple releases of VyOS to be installed on the same storage device.

The image can be selected manually at boot if needed, but the system will otherwise boot the image configured to be the default.

The default boot image can be set using the set system image default-boot command in operational mode.

A list of available images can be shown using the show system image command in operational mode.

vyos@vyos:~$ show system image
The system currently has the following image(s) installed:

   1: 999.hydrogen.12130649 (default boot) (running image)
   2: 999.hydrogen.12100644

vyos@vyos:~$

Images no longer needed can be removed using the delete system image command.

Finally, new system images can be added using the add system image command. The add image command will extract the image from the release ISO (either on the local filesystem or remotely if a URL is provided). The image install process will prompt you to use the current system configuration and SSH security keys, allowing for the new image to boot using the current configuration.

Note that configuration is associated with each image, and each image has its own copy of its configuration. This is different from a traditional network router where the configuration is shared across all images.

If you need some files from a previous image, take a look inside the /live directory.

Troubleshooting

Sometimes things break or don't work as expected. This section describes several troubleshooting tools provided by VyOS that can help when something goes wrong.

Basic Connectivity Verification

Verifying connectivity can be done with the familiar ping and traceroute commands. The options for each are shown (the options for each command were displayed using the built-in help as described in the Using the Command-Line Interface section and are omitted from the output here):

vyos@vyos:~$ ping
Possible completions:
  <hostname>            Send Internet Control Message Protocol (ICMP) echo request
  <x.x.x.x>
  <h:h:h:h:h:h:h:h>
vyos@vyos:~$

Several options are available when more extensive troubleshooting is needed:

vyos@vyos:~$ ping 8.8.8.8
Possible completions:
  <Enter>               Execute the current command
  adaptive              Ping options
  allow-broadcast
  audible
  bypass-route
  count
  deadline
  flood
  interface
  interval
  mark
  no-loopback
  numeric
  pattern
  quiet
  record-route
  size
  timestamp
  tos
  ttl
  verbose
vyos@vyos:~$

vyos@vyos:~$ traceroute
Possible completions:
  <hostname>            Track network path to specified node
  <x.x.x.x>
  <h:h:h:h:h:h:h:h>
  ipv4                  Track network path to <hostname|IPv4 address>
  ipv6                  Track network path to <hostname|IPv6 address>
vyos@vyos:~$

However, another tool, mtr, is available which combines ping and traceroute into a single tool. An example of its output is shown:

vyos@vyos:~$ mtr 10.62.212.12

The output of mtr consumes the screen and will replace your command prompt:

                             My traceroute  [v0.75]
vyos (0.0.0.0)                                        Fri Feb 24 14:28:08 2017
Keys:  Help   Display mode   Restart statistics   Order of fields   quit
                                               Packets               Pings
 Host                                        Loss%   Snt   Last   Avg  Best  Wrst StDev
 1. 10.11.110.4                               0.0%    34    0.5   0.5   0.4   0.8   0.1
 2. 10.62.255.184                             0.0%    34    1.1   1.0   0.9   1.4   0.1
 3. 10.62.255.71                              0.0%    34    1.4   1.4   1.3   2.0   0.1
 4. 10.62.212.12                              0.0%    34    1.6   1.6   1.6   1.7   0.0

Several options are available for changing the display output. Press h to invoke the built-in help system. To quit, just press q and you'll be returned to the VyOS command prompt.

Monitoring Network Interfaces

It's possible to monitor network traffic, either at the flow level or protocol level. This can be useful when troubleshooting a variety of protocols and configurations. The following interface types can be monitored:

vyos@vyos:~$ monitor interfaces
Possible completions:
  <Enter>               Execute the current command
  bonding               Monitor a bonding interface
  bridge                Monitor a bridge interface
  ethernet              Monitor a ethernet interface
  loopback              Monitor a loopback interface
  openvpn               Monitor an openvpn interface
  pppoe                 Monitor pppoe interface
  pseudo-ethernet       Monitor a pseudo-ethernet interface
  tunnel                Monitor a tunnel interface
  vrrp                  Monitor a vrrp interface
  vti                   Monitor a vti interface
  wireless              Monitor wireless interface
vyos@vyos:~$

To monitor traffic flows, issue the monitor interfaces <type> <name> flow command, replacing <type> and <name> with your desired interface type and name, respectively. Output looks like the following:

                  12.5Kb          25.0Kb          37.5Kb          50.0Kb     62.5Kb
------------------------------------------------------------------------------------------
10.11.111.255     => 10.11.110.37          0b      0b      0b
                  <=                     624b    749b    749b
10.11.110.29      => 10.62.200.11          0b    198b    198b
                  <=                       0b    356b    356b
255.255.255.255   => 10.11.110.47          0b      0b      0b
                  <=                     724b    145b    145b
10.11.111.255     => 10.11.110.47          0b      0b      0b
                  <=                     724b    145b    145b
10.11.111.255     => 10.11.110.255         0b      0b      0b
                  <=                     680b    136b    136b
------------------------------------------------------------------------------------------
TX:     cumm:  26.7KB   peak:  40.6Kb   rates:  23.2Kb  21.4Kb  21.4Kb
RX:            67.5KB          63.6Kb          54.6Kb  54.0Kb  54.0Kb
TOTAL:         94.2KB           104Kb          77.8Kb  75.4Kb  75.4Kb

Several options are available for changing the display output. Press h to invoke the built-in help system. To quit, just press q and you'll be returned to the VyOS command prompt.

To monitor interface traffic, issue the monitor interfaces <type> <name> traffic command, replacing <type> and <name> with your desired interface type and name, respectively. This command invokes the familiar tshark utility and the following options are available:

vyos@vyos:~$ monitor interfaces ethernet eth0 traffic
Possible completions:
  <Enter>               Execute the current command
  detail                Monitor detailed traffic for the specified ethernet interface
  filter                Monitor filtered traffic for the specified ethernet interface
  save                  Save monitored traffic to a file
  unlimited             Monitor traffic for the specified ethernet interface
vyos@vyos:~$

To quit monitoring, press Ctrl-c and you'll be returned to the VyOS command prompt. The detail keyword provides verbose output of the traffic seen on the monitored interface. The filter keyword accepts valid PCAP filter expressions, enclosed in single or double quotes (e.g. 'port 25' or "port 161 and udp"). The save keyword allows you to save the traffic dump to a file. The unlimited keyword is used to specify that an unlimited number of packets can be captured (by default, 1,000 packets are captured and you're returned to the VyOS command prompt).


Reposted from: https://www.cnblogs.com/lsgxeva/p/9999873.html
