@tjh Any updates?
By the way there is a new option
vyos@r4# set service conntrack-sync disable-syslog [edit] vyos@r4#
- Queries
- All Stories
- Search
- Advanced Search
- Transactions
- Transaction Logs
Feed Advanced Search
Advanced Search
Advanced Search
Apr 9 2024
Apr 9 2024
https://conntrack-tools.netfilter.org/manual.html#sync-aa
conntrackd allows you to deploy an symmetric Active-Active setup based on a static approach. For example, assume that you have two virtual IPs, vIP1 and vIP2, and two firewall replicas, FW1 and FW2. You can give the virtual vIP1 to the firewall FW1 and the vIP2 to the FW2.
n.fort changed the status of T6216: Firewall group names that contain the '+' character break the config from Open to Confirmed.
n.fort added a comment to T6213: Validations in firewall groups mistakenly reject correct configurations.
Giggum updated the task description for T6123: Limit NTP allow-client config to internal addresses by default.
Giggum updated the task description for T6123: Limit NTP allow-client config to internal addresses by default.
Apr 8 2024
Apr 8 2024
Giggum added a comment to T6099: Suppress unsupported interfaces from appearing in messages log by Telegraf .
In T6099#182627, @Viacheslav wrote:@Giggum Can you check it in 1.5?
Yeah sure thing I can do that. Will I be able to roll back from the latest 1.5 to the version of 1.4 rolling I’m on after testing is complete or will the config mess up?
n.fort moved T6068: Support active-active and active-passive high availability modes in DHCP server from Need Triage to Finished on the VyOS 1.5 Circinus board.
n.fort moved T6068: Support active-active and active-passive high availability modes in DHCP server from Need Triage to Finished on the VyOS 1.4 Sagitta board.
n.fort changed the status of T6213: Validations in firewall groups mistakenly reject correct configurations from Open to In progress.
Apr 7 2024
Apr 7 2024
Viacheslav added a project to T5169: Add CGNAT Carrier-Grade NAT based on nftables: VyOS 1.5 Circinus.
c-po closed T6205: ipoe: error in migration script logic while renaming mac-address to mac, a subtask of T5938: Migration fail root task for 1.4-rc, as Resolved.
Viacheslav changed the status of T1641: VRRP conntrack-sync dropping packets passing through the router from Open to Needs reporter action.
@Daya @trae32566 Any updates?
Viacheslav added a comment to T5966: Adjust dynamic dns configuration address subpath to be more intuitive and other op-mode adjustments.
@indrajitr Can we close it?
@indrajitr Can we close it?
Viacheslav changed the status of T4588: BGP Peer Group Scaling issues from Open to Needs reporter action.
Viacheslav closed T6039: cloud-init DNS search-domain causes configuration migration/validation error, a subtask of T5907: cloud-init root task for 1.5 and 1.4 , as Resolved.
Viacheslav added a subtask for T5907: cloud-init root task for 1.5 and 1.4 : T6112: Cloud Init Ordering Incorrect.
Viacheslav added a parent task for T6112: Cloud Init Ordering Incorrect: T5907: cloud-init root task for 1.5 and 1.4 .
Viacheslav added a comment to T6099: Suppress unsupported interfaces from appearing in messages log by Telegraf .
@Giggum Can you check it on 1.5?
It is easy to add
In FRR it looks like:
r4(config-rpki)# rpki cache 192.0.2.1 8888 SSH_UNAME SSH user name preference Preference of the cache server source Configure source IP address of RPKI connection
PoC PR https://github.com/vyos/vyos-1x/pull/3274
set nat cgnat pool external ext1 external-port-range '1024-65535' set nat cgnat pool external ext1 per-user-limit port '1000' set nat cgnat pool external ext1 range 192.0.2.222/32 set nat cgnat pool internal int1 range '100.64.0.0/28' set nat cgnat rule 10 source pool 'int1' set nat cgnat rule 10 translation pool 'ext1'
For me personally this change makes sense: a router has multiple interfaces, the Source IP is selected in different ways, and especially for RPKI servers outside the network (public ones), this could even break connectivity. Vendors like Juniper had this issue and eventually added the option, which means probably VyOS will benefit too, especially since "it's just setting a value in FRR's config"™ (famous last words ;).
Yes and no. Even before I created this ticket, I tried a small test locally. Unfortunately, I was not able to get the tests to run (even without my changes).
@Loremo I think this contribution would be valuable. Have you made any progress with your PR?
Great 😃
Hi -- this works. The VTI interface is just another interface so you can add it to a firewall zone just as you would an Ethernet interface. This can be done with existing site-to-site ipsec VTIs today. I also do it with OpenVPN interfaces for remote access on some of my installations.
This would be really useful. As per: https://forum.vyos.io/t/other-than-console-how-to-pass-grub-parameter-pcie-aspm-off/14203
Apr 6 2024
Apr 6 2024
jestabro closed T6203: Remove references to the obsolete vyos.xml module (superseded by vyos.xml_ref), a subtask of T5218: Revise vyos xml lib for bug fixes and extensions, as Resolved.
theflakes updated the task description for T6210: Support configuring sys-nice capability for containers.
Apr 5 2024
Apr 5 2024
jestabro changed the status of T6203: Remove references to the obsolete vyos.xml module (superseded by vyos.xml_ref), a subtask of T5218: Revise vyos xml lib for bug fixes and extensions, from Open to Backport candidate.
jestabro changed the status of T6203: Remove references to the obsolete vyos.xml module (superseded by vyos.xml_ref), a subtask of T5319: Remove remaining workarounds for incorrect defaults, from Open to Backport candidate.
c-po closed T6089: [1.3.6->1.4.0-epa1 Migration] "ospf passive-interface default" incorrectly added, a subtask of T5938: Migration fail root task for 1.4-rc, as Resolved.
n.fort changed the status of T6205: ipoe: error in migration script logic while renaming mac-address to mac, a subtask of T5938: Migration fail root task for 1.4-rc, from Open to Confirmed.
natali-rs1985 changed the status of T1244: Add support for StartupResync in conntrack-sync from Open to In progress.
about vyos-1x:
current and sagitta don't use distutils, I found this only for equuleus
https://github.com/vyos/vyos-1x/blob/ae96118ec38c4064552889aea5e50023a66aac1e/src/conf_mode/nat.py#L21
https://github.com/vyos/vyos-1x/blob/ae96118ec38c4064552889aea5e50023a66aac1e/smoketest/scripts/cli/test_system_login.py#L23
We are currently using FRR segment routing set protocols segment-routing srv6
For now, it could be closed
fix for vyos-build: https://github.com/vyos/vyos-build/pull/549
Apr 4 2024
Apr 4 2024
dmbaturin added projects to T5022: VRRP add mail notification: VyOS 1.5 Circinus, Restricted Project.
dmbaturin added a project to T4564: Root task for rewriting [op-mode] to vyos.opmode format: VyOS 1.5 Circinus.
dmbaturin added a project to T4406: Make an API endpoint for for anonymous host info retrieval (e.g. by a login page): Restricted Project.
dmbaturin added a project to T4393: sstp: add support for configuring host-name (SNI): Restricted Project.
dmbaturin edited projects for T4318: Add delete_tag to configtree.py, added: Restricted Project, VyOS 1.5 Circinus; removed VyOS 1.3 Equuleus (1.3.7).
dmbaturin removed a project from T3843: l2tp configuration not cleared after delete: VyOS 1.3 Equuleus (1.3.7).
They are signed with minisign now.
dmbaturin added a project to T6144: Update system image without enough space for the files can to break the system: Restricted Project.
dmbaturin closed T6139: Fix generate qcow2 from iso got error on repo https://github.com/vyos/vyos-vm-images as Wontfix.
This will be handled by the redesigned flavor system soon (T3664).
c-po changed the status of T6089: [1.3.6->1.4.0-epa1 Migration] "ospf passive-interface default" incorrectly added, a subtask of T5938: Migration fail root task for 1.4-rc, from Open to In progress.
HollyGurza changed the status of T6166: Allow the user to specify tech support report output location from Open to In progress.
Apr 3 2024
Apr 3 2024
Just wondering - is it possible to add a vti interface to a zone in the firewall?
How would one go about using this with the zone based firewall? 🙂
Does anyone have any thoughts on the best place to start adding this functionality / design ideas for this feature?
n.fort added a comment to T6068: Support active-active and active-passive high availability modes in DHCP server.
PR for Sagitta: https://github.com/vyos/vyos-1x/pull/3239
Try with:
Apr 2 2024
Apr 2 2024
Related to https://vyos.dev/T6080
c-po moved T6198: configverify: add common helper for PKI certificate validation from Need Triage to Finished on the VyOS 1.5 Circinus board.
fernando added a comment to T6151: BGP VRF route-leaking does not work when the next-hop is a recursive route.
this new command was merge in order to solved this problem :
vyos@vrf-test:~$ show configuration commands | match disable set protocols bgp parameters disable-ebgp-connected-route-check
Apr 1 2024
Apr 1 2024
Always exclude this address from any defined range. This address will never be assigned by the DHCP server.
Ok, it will exclude in any range.
Forget about it
@ServerForge It is question for hsflowd
You can open the issue on their git repo
Its no longer failing to start, but it seems to be only capturing inbound traffic on the tunnel, no outbound. I'm also observing this behavior on vlan interfaces, IE bond0.10.
Mar 31 2024
Mar 31 2024
Proposed CLI:
set nat cgnat pool external <external> range 192.0.2.0/30 seq 1 set nat cgnat pool external <external> range 192.0.2.128-192.0.2.132 seq 2 set nat cgnat pool external <external> per-user-limit port 1024 set nat cgnat pool external <external> global-port-range 1024-65535 set nat cgnat pool internal <internal> range 100.64.1.0/24