Page MenuHomeVyOS Platform

Successful upgrade 1.2.x to 1.3.0-rc - configuration used
Closed, ResolvedPublic

Description

There is no way to opt in for metrics for VyOS maintainers. So as discussed on slack, it might be useful for maintainers to know when 1.2.x to 1.3.0 upgrades go well. What configuration elements are used etc.
Here is my sanitized configuration. Everything went well. Multiple reboots.

The only diff I see in my configuration is that

set interfaces ethernet eth1 smp-affinity 'auto'
set system login user xxx level 'admin'

are not there after upgrade - which I suppose it expected.

This is the working configuration after upgrading from 1.2.7 to 1.3.0-rc4

set firewall all-ping 'enable'
set firewall broadcast-ping 'disable'
set firewall config-trap 'disable'
set firewall group network-group VPN-LAN network 'xxx.xxx.117.96/27'
set firewall group network-group WEB-HOSTS network 'xxx.xxx.x.x/32'
set firewall group network-group WEB-HOSTS network 'xxx.xxx.x.x/32'
set firewall group port-group DHCP-PORTS port '67-68'
set firewall group port-group SSH-PORTS port '22'
set firewall group port-group TFTPD-PORTS port '69'
set firewall group port-group WEB-PORTS port '80'
set firewall group port-group WEB-PORTS port '443'
set firewall ipv6-receive-redirects 'disable'
set firewall ipv6-src-route 'disable'
set firewall ip-src-route 'disable'
set firewall log-martians 'enable'
set firewall name OUT-DC-LAN default-action 'drop'
set firewall name OUT-DC-LAN rule 10 action 'accept'
set firewall name OUT-DC-LAN rule 10 description 'ICMP'
set firewall name OUT-DC-LAN rule 10 protocol 'icmp'
set firewall name OUT-DC-LAN rule 220 action 'accept'
set firewall name OUT-DC-LAN rule 220 description 'VPN-LAN to DC-LAN'
set firewall name OUT-DC-LAN rule 220 destination group network-group 'DC-LAN'
set firewall name OUT-DC-LAN rule 220 source group network-group 'VPN-LAN'
set firewall name OUT-DC-LAN rule 310 action 'accept'
set firewall name OUT-DC-LAN rule 310 description 'CORP-NET to TFTPD-HOSTS'
set firewall name OUT-DC-LAN rule 310 destination group network-group 'TFTPD-HOSTS'
set firewall name OUT-DC-LAN rule 310 destination group port-group 'TFTPD-PORTS'
set firewall name OUT-DC-LAN rule 310 protocol 'udp'
set firewall name OUT-DC-LAN rule 310 source group network-group 'ALLOWED-NETWORKS'
set firewall name OUT-DC-LAN rule 9999 action 'drop'
set firewall name OUT-DC-LAN rule 9999 description 'Drop all and log'
set firewall name OUT-DC-LAN rule 9999 log 'enable'
set firewall receive-redirects 'disable'
set firewall send-redirects 'enable'
set firewall source-validation 'disable'
set firewall state-policy established action 'accept'
set firewall state-policy invalid action 'drop'
set firewall state-policy invalid log enable
set firewall state-policy related action 'accept'
set firewall syn-cookies 'enable'
set firewall twa-hazards-protection 'disable'
set interfaces ethernet eth0 duplex 'auto'
set interfaces ethernet eth0 hw-id 'XX:XX:XX:XX:XX:13'
set interfaces ethernet eth0 speed 'auto'
set interfaces ethernet eth0 vif 42 address 'xxx.xxx.x.x/27'
set interfaces ethernet eth0 vif 42 address 'xxx.xxx.x.x/32'
set interfaces ethernet eth0 vif 42 address 'xxx.xxx.x.x/32'
set interfaces ethernet eth0 vif 42 address 'xxx.xxx.x.x/32'
set interfaces ethernet eth0 vif 42 address 'xxx.xxx.x.x/32'
set interfaces ethernet eth0 vif 42 description 'out side'
set interfaces ethernet eth0 vif 42 firewall in name 'IN-ETH0'
set interfaces ethernet eth0 vif 42 firewall out name 'OUT-ETH0'
set interfaces ethernet eth1 duplex 'auto'
set interfaces ethernet eth1 hw-id 'XX:XX:XX:XX:XX:27'
set interfaces ethernet eth1 speed 'auto'
set interfaces ethernet eth1 vif 1728 address 'xxx.xxx.160.228/29'
set interfaces ethernet eth1 vif 1728 description 'SERVICES-LINK'
set interfaces ethernet eth1 vif 1728 firewall in name 'IN-SERVICE'
set interfaces ethernet eth1 vif 1728 firewall out name 'OUT-SERVICE'
set interfaces ethernet eth1 vif 1805 address 'xxx.xxx.253.1/24'
set interfaces ethernet eth1 vif 1805 description '12345-DC-LAN'
set interfaces ethernet eth1 vif 1805 firewall out name 'OUT-DC-LAN'
set interfaces ethernet eth1 vif 1805 ip source-validation 'strict'
set interfaces ethernet eth1 vif 1806 address 'xxx.xxx.31.241/29'
set interfaces ethernet eth1 vif 1806 description '12345-LINK'
set interfaces ethernet eth1 vif 1806 firewall out name 'OUT-LINK'
set interfaces ethernet eth1 vif 1806 ip ospf dead-interval '40'
set interfaces ethernet eth1 vif 1806 ip ospf hello-interval '10'
set interfaces ethernet eth1 vif 1806 ip ospf priority '1'
set interfaces ethernet eth1 vif 1806 ip ospf retransmit-interval '5'
set interfaces ethernet eth1 vif 1806 ip ospf transmit-delay '1'
set interfaces ethernet eth1 vif 1806 ip source-validation 'disable'
set interfaces ethernet eth1 vif 1809 address 'xxx.xxx.252.1/24'
set interfaces ethernet eth1 vif 1809 description '12345-DC-LAN2'
set interfaces ethernet eth1 vif 1809 ip source-validation 'strict'
set interfaces ethernet eth2 duplex 'auto'
set interfaces ethernet eth2 hw-id 'XX:XX:XX:XX:XX:ec'
set interfaces ethernet eth2 speed 'auto'
set interfaces input ifb042 description 'WAN-IN'
set interfaces input ifb042 traffic-policy out 'WAN-IN'
set interfaces loopback lo address 'xxx.xxx.255.26/32'
set interfaces loopback lo ip
set interfaces tunnel tun0 address 'xxx.xxx.1.113/29'
set interfaces tunnel tun0 description 'IPSEC-GRE'
set interfaces tunnel tun0 encapsulation 'gre'
set interfaces tunnel tun0 local-ip 'xxx.xxx.255.26'
set interfaces tunnel tun0 mtu '1414'
set interfaces tunnel tun0 multicast 'disable'
set interfaces tunnel tun0 remote-ip 'xxx.xxx.32.54'
set nat destination rule 21 destination address 'xxx.xxx.222.248'
set nat destination rule 21 inbound-interface 'any'
set nat destination rule 21 translation address 'xxx.xxx.253.21'
set nat destination rule 22 destination address 'xxx.xxx.222.249'
set nat destination rule 22 inbound-interface 'any'
set nat destination rule 22 translation address 'xxx.xxx.253.22'
set nat source rule 10 description '12345v-app001'
set nat source rule 10 destination address 'xxx.xxx.10.66'
set nat source rule 10 exclude
set nat source rule 10 outbound-interface 'eth0.42'
set nat source rule 10 source address 'xxx.xxx.253.21/32'
set nat source rule 11 description '12345v-app001'
set nat source rule 11 destination address 'xxx.xxx.243.194'
set nat source rule 11 exclude
set nat source rule 11 outbound-interface 'eth0.42'
set nat source rule 11 source address 'xxx.xxx.253.21/32'
set nat source rule 21 description '12345v-app001'
set nat source rule 21 outbound-interface 'eth0.42'
set nat source rule 21 source address 'xxx.xxx.253.21/32'
set nat source rule 21 translation address 'xxx.xxx.222.248'
set nat source rule 22 description '12345v-app001'
set nat source rule 22 outbound-interface 'eth0.42'
set nat source rule 22 source address 'xxx.xxx.253.22/32'
set nat source rule 22 translation address 'xxx.xxx.222.249'
set nat source rule 50 description '12345-DC-LAN'
set nat source rule 50 outbound-interface 'eth0.42'
set nat source rule 50 source address 'xxx.xxx.253.0/24'
set nat source rule 50 translation address 'xxx.xxx.220.47'
set nat source rule 51 description '12345-LINK'
set nat source rule 51 outbound-interface 'eth0.42'
set nat source rule 51 source address 'xxx.xxx.31.240/29'
set nat source rule 51 translation address 'xxx.xxx.220.47'
set nat source rule 52 description '12345-Kontor'
set nat source rule 52 outbound-interface 'eth0.42'
set nat source rule 52 source address 'xxx.xxx.179.0/24'
set nat source rule 52 translation address 'xxx.xxx.220.47'
set policy prefix-list NETS-12345 rule 10 action 'permit'
set policy prefix-list NETS-12345 rule 10 prefix 'xxx.xxx.179.0/24'
set policy prefix-list NETS-12345 rule 20 action 'permit'
set policy prefix-list NETS-12345 rule 20 prefix 'xxx.xxx.253.0/24'
set policy prefix-list NETS-12345 rule 21 action 'permit'
set policy prefix-list NETS-12345 rule 21 prefix 'xxx.xxx.252.0/24'
set policy route-map TO-CPE002 rule 10 action 'permit'
set policy route-map TO-CPE002 rule 10 match ip address prefix-list 'NETS-12345'
set policy route-map TO-CPE002 rule 10 set ip-next-hop 'xxx.xxx.1.113'
set protocols bgp XXXXXX address-family ipv4-unicast network xxx.xxx.252.0/23
set protocols bgp XXXXXX address-family ipv4-unicast network xxx.xxx.253.0/24
set protocols bgp XXXXXX neighbor xxx.xxx.1.114 address-family ipv4-unicast nexthop-self
set protocols bgp XXXXXX neighbor xxx.xxx.1.114 address-family ipv4-unicast route-map export 'TO-CPE002'
set protocols bgp XXXXXX neighbor xxx.xxx.1.114 address-family ipv4-unicast route-reflector-client
set protocols bgp XXXXXX neighbor xxx.xxx.1.114 remote-as '4200012345'
set protocols bgp XXXXXX neighbor xxx.xxx.31.242 address-family ipv4-unicast nexthop-self
set protocols bgp XXXXXX neighbor xxx.xxx.31.242 address-family ipv4-unicast route-reflector-client
set protocols bgp XXXXXX neighbor xxx.xxx.31.242 remote-as '4200012345'
set protocols bgp XXXXXX parameters log-neighbor-changes
set protocols ospf area xxx.xxx.0.0 network 'xxx.xxx.0.0/16'
set protocols ospf area xxx.xxx.31.240 area-type nssa no-summary
set protocols ospf area xxx.xxx.31.240 area-type nssa translate 'candidate'
set protocols ospf area xxx.xxx.31.240 network 'xxx.xxx.31.240/29'
set protocols ospf area xxx.xxx.31.240 network 'xxx.xxx.253.0/24'
set protocols ospf log-adjacency-changes detail
set protocols ospf parameters abr-type 'cisco'
set protocols ospf parameters router-id 'xxx.xxx.255.26'
set protocols ospf passive-interface 'eth0.42'
set protocols static route xxx.xxx.0.0/0 next-hop xxx.xxx.220.33
set protocols static route xxx.xxx.216.0/24 next-hop xxx.xxx.33.2
set service lldp interface eth1.1806
set service snmp community xxx authorization 'ro'
set service snmp v3 engineid '80001f88802b0df211186b725600000000'
set service ssh listen-address 'xxx.xxx.255.26'
set service ssh port '22'
set system config-management commit-revisions '20'
set system conntrack expect-table-size '2048'
set system conntrack hash-size '32768'
set system conntrack modules nfs disable
set system conntrack modules sqlnet disable
set system conntrack table-size '262144'
set system conntrack tcp half-open-connections '4096'
set system conntrack tcp loose 'enable'
set system conntrack tcp max-retrans '3'
set system console device ttyS0 speed '9600'
set system domain-name xxxxxx
set system flow-accounting interface 'eth1.1806'
set system flow-accounting interface 'eth0.42'
set system flow-accounting interface 'eth1.1728'
set system flow-accounting interface 'eth1.1805'
set system flow-accounting netflow sampling-rate '10'
set system flow-accounting netflow server xxxxx.tld port '4739'
set system flow-accounting netflow source-ip 'xxx.xxx.255.26'
set system flow-accounting netflow version '10'
set system flow-accounting syslog-facility 'daemon'
set system host-name xxxxxx
set system login user xxxxxx authentication encrypted-password xxxxxx
set system login user xxxxxx authentication plaintext-password xxxxxx
set system login user xxxxxx authentication public-keys [email protected] key xxxxxx
set system login user xxxxxx authentication public-keys [email protected] type ssh-xxx
set system login user xxxxxx full-name xxxxxx
set system login user xxxxxx authentication encrypted-password xxxxxx
set system login user xxxxxx authentication plaintext-password xxxxxx
set system login user xxxxxx authentication public-keys [email protected] key xxxxxx
set system login user xxxxxx authentication public-keys [email protected] type ssh-xxx
set system login user xxxxxx authentication public-keys [email protected] key xxxxxx
set system login user xxxxxx authentication public-keys [email protected] type ssh-xxx
set system login user xxxxxx full-name xxxxxx
set system login user xxxxxx authentication encrypted-password xxxxxx
set system login user xxxxxx authentication plaintext-password xxxxxx
set system login user xxxxxx full-name xxxxxx
set system name-server 'xxx.xxx.x.x'
set system name-server 'xxx.xxx.x.x'
set system ntp server xxxxx.tld
set system syslog global facility all level 'all'
set system syslog host xxx.xxx.x.12 facility all level 'all'
set system syslog host xxx.xxx.x.12 facility all protocol 'udp'
set system syslog host xxx.xxx.x.12 port '1521'
set system time-zone 'Europe/Oslo'
set traffic-policy shaper WAN-IN bandwidth '9999Mbit'
set traffic-policy shaper WAN-IN class 10 bandwidth '5%'
set traffic-policy shaper WAN-IN class 10 burst '1kb'
set traffic-policy shaper WAN-IN class 10 ceiling '6%'
set traffic-policy shaper WAN-IN class 10 match CUST ip destination address 'xxx.xxx.179.0/24'
set traffic-policy shaper WAN-IN class 10 queue-type 'fair-queue'
set traffic-policy shaper WAN-IN default bandwidth '100%'
set traffic-policy shaper WAN-IN default burst '15k'
set traffic-policy shaper WAN-IN default ceiling '100%'
set traffic-policy shaper WAN-IN default queue-type 'fair-queue'
set traffic-policy shaper WAN-OUT bandwidth '9999Mbit'
set traffic-policy shaper WAN-OUT class 10 bandwidth '50Mbit'
set traffic-policy shaper WAN-OUT class 10 burst '15k'
set traffic-policy shaper WAN-OUT class 10 match CUST ip source address 'xxx.xxx.179.0/24'
set traffic-policy shaper WAN-OUT class 10 queue-type 'fair-queue'
set traffic-policy shaper WAN-OUT default bandwidth '50%'
set traffic-policy shaper WAN-OUT default burst '15k'
set traffic-policy shaper WAN-OUT default ceiling '100%'
set traffic-policy shaper WAN-OUT default queue-type 'fair-queue'
set vpn ipsec esp-group home_ESP compression 'disable'
set vpn ipsec esp-group home_ESP lifetime '3600'
set vpn ipsec esp-group home_ESP mode 'tunnel'
set vpn ipsec esp-group home_ESP pfs 'dh-group21'
set vpn ipsec esp-group home_ESP proposal 1 encryption 'aes256'
set vpn ipsec esp-group home_ESP proposal 1 hash 'sha1'
set vpn ipsec esp-group unifi_ESP compression 'disable'
set vpn ipsec esp-group unifi_ESP lifetime '3600'
set vpn ipsec esp-group unifi_ESP mode 'tunnel'
set vpn ipsec esp-group unifi_ESP pfs 'enable'
set vpn ipsec esp-group unifi_ESP proposal 1 encryption 'aes128'
set vpn ipsec esp-group unifi_ESP proposal 1 hash 'sha1'
set vpn ipsec ike-group home_IKE close-action 'none'
set vpn ipsec ike-group home_IKE ikev2-reauth 'no'
set vpn ipsec ike-group home_IKE key-exchange 'ikev2'
set vpn ipsec ike-group home_IKE lifetime '28800'
set vpn ipsec ike-group home_IKE proposal 1 dh-group '21'
set vpn ipsec ike-group home_IKE proposal 1 encryption 'aes128'
set vpn ipsec ike-group home_IKE proposal 1 hash 'sha1'
set vpn ipsec ipsec-interfaces interface 'eth0.42'
set vpn ipsec site-to-site peer @12345p-cpe002 authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer @12345p-cpe002 authentication pre-shared-secret xxxxxx
set vpn ipsec site-to-site peer @12345p-cpe002 authentication remote-id '12345p-cpe002'
set vpn ipsec site-to-site peer @12345p-cpe002 connection-type 'respond'
set vpn ipsec site-to-site peer @12345p-cpe002 default-esp-group 'home_ESP'
set vpn ipsec site-to-site peer @12345p-cpe002 description 'To CUST home'
set vpn ipsec site-to-site peer @12345p-cpe002 ike-group 'home_IKE'
set vpn ipsec site-to-site peer @12345p-cpe002 ikev2-reauth 'inherit'
set vpn ipsec site-to-site peer @12345p-cpe002 local-address 'xxx.xxx.220.47'
set vpn ipsec site-to-site peer @12345p-cpe002 tunnel 1 allow-nat-networks 'disable'
set vpn ipsec site-to-site peer @12345p-cpe002 tunnel 1 allow-public-networks 'disable'
set vpn ipsec site-to-site peer @12345p-cpe002 tunnel 1 local prefix 'xxx.xxx.255.26/32'
set vpn ipsec site-to-site peer @12345p-cpe002 tunnel 1 remote prefix 'xxx.xxx.32.54/32'

Details

Difficulty level
Unknown (require assessment)
Version
1.2.7 to 1.3.0-rc4
Why the issue appeared?
Will be filled on close
Is it a breaking change?
Unspecified (possibly destroys the router)