PR https://github.com/vyos/vyos-1x/pull/1131
vyos@r11-roll:~$ show firewall group Possible completions: <Enter> Execute the current command FOO Show firewall group FOO2 NETV6 PORTGRP
- Queries
- All Stories
- Search
- Advanced Search
- Transactions
- Transaction Logs
Feed All Stories
All Stories
All Stories
Jan 4 2022
Jan 4 2022
Unknown Object (User) renamed T4085: Rewrite L2TP/PPTP/SSTP/PPPoE services to get_config_dict from Rewrite l2tp/pptp remote access to get_config_dict to Rewrite L2TP/PPTP/SSTP/PPPoE services to get_config_dict.
Viacheslav renamed T4134: Incorrect firewall protocol completion help uppercase and duplicates from Some firewall protocol completion help in uppercase to Incorrect firewall protocol completion help uppercase and duplicates.
Viacheslav changed the status of T4134: Incorrect firewall protocol completion help uppercase and duplicates from Open to In progress.
Viacheslav renamed T4138: NAT configuration allows to set incorrect port range and invalid port from NAT configuration allows to set incorrect port range to NAT configuration allows to set incorrect port range and invalid port.
Viacheslav renamed T4137: Firewall group configuration allows to set incorrect port range and invalid port from Firewall group configuration allows incorrect port range to Firewall group configuration allows to set incorrect port range and invalid port.
Viacheslav updated the task description for T4137: Firewall group configuration allows to set incorrect port range and invalid port.
In 1.3 it looks like just ipset -L:
vyos@r4:~$ show firewall group
Name : FOO2
Type : address
References : none
Members :
203.0.113.3Can you please add output from VyOS 1.3 as reference?
Duplicate of T4130
sarthurdev changed the status of T4130: Firewall state policy errors chain from In progress to Needs testing.
Jan 3 2022
Jan 3 2022
sarthurdev changed the status of T4130: Firewall state policy errors chain from Open to In progress.
Maybe fixed in T4128
Viacheslav renamed T4135: Declare zone policy firewall without local zone errors from Declare zone policy firewall without local zone erros to Declare zone policy firewall without local zone errors.
Viacheslav renamed T4133: Firewall network group error with zone-based firewall rules from Firewall network group error to Firewall network group error with zone-based firewall rules.
To reproduce it should be zone-policy firewall rules, for example:
Comparing the old iptables firewall it will look like this:
Error still present on VyOS 1.4-rolling-202201020317
keepalived was upgraded to include the above mentioned commits.
Viacheslav renamed T4130: Firewall state policy errors chain from Firewall state policy erros chain to Firewall state policy errors chain.
dcplaya added a comment to T4127: Upgrading from pre-certstore image to certstore image does not handle CA files with multiple certs.
I was able to test and get a screenshot of the exact error eapol spits out when using certstore as well.
c-po closed T4128: keepalived: Upgrade package to add VRF support, a subtask of T3924: VRRP stops working with VRF, as Resolved.
Viacheslav changed the status of T4110: [IPV6-SSH/DNS} enable IPv6 link local adresses as listen-address %eth0 from In progress to Needs testing.
Viacheslav changed the status of T4120: [VXLAN] add ability to set multiple unicast-remotes from Open to In progress.
Viacheslav added a comment to T3976: Missing prefix-list and access-list option from ipv6 route-map.
@egoistdream Just check when this feature was merged. It was implemented in FRR 24th of November, but the latest FRR release was 9th of November
https://frrouting.org/release/8.1/
Unknown Object (User) added a comment to T4081: VRRP health-check script stops working when setting up a sync group.
Checked in 1.3-rolling-202201030317, health-check works
Jan 2 2022
Jan 2 2022
egoistdream added a comment to T3976: Missing prefix-list and access-list option from ipv6 route-map.
Still the same on vyos-1.4-rolling-202201020317-amd64.iso
Jan 1 2022
Jan 1 2022
Dec 31 2021
Dec 31 2021
c-po changed the status of T4121: Nameservers from DHCP client cannot be used in specific cases from In progress to Needs testing.
Viacheslav renamed T4126: Ability to set priority to site to site IPSec vpn tunnels from Ability to set priority to site to site IPSec tunnels to Ability to set priority to site to site IPSec vpn tunnels.
Viacheslav changed the status of T4126: Ability to set priority to site to site IPSec vpn tunnels from Open to Needs testing.
It can't be implemented in 1.3, as it doesn't use swanctl.conf for peers configuration
I didn't find this option for ipsec.conf
PR https://github.com/vyos/vyos-1x/pull/1129
set vpn ipsec site-to-site peer 192.0.2.14 tunnel 0 local prefix '172.16.0.0/24' set vpn ipsec site-to-site peer 192.0.2.14 tunnel 0 priority '100' set vpn ipsec site-to-site peer 192.0.2.14 tunnel 0 remote prefix '10.0.0.0/24'
I want to leave a comment , it's also common that customers don't know that PVST is enabled by default (and send bpdu peer VLANS), So it's possible to mitigate it also using nf rules , below leave a example:
Viacheslav updated the task description for T4126: Ability to set priority to site to site IPSec vpn tunnels.
Viacheslav changed the subtype of T4125: Feature Request: bridge STP BPDU translation from "Task" to "Feature Request".
Viacheslav added a comment to T1972: Allow setting interface name for virtual_ipaddress in VRRP VRID.
How about starting with a simple interface and allowing to set interface for binding address?
set high-availability vrrp group foo address 203.0.113.1 interface ethX Possible completions: > ethN Interfcae used to assign virtual address > eth0 > eth1 > eth2
Viacheslav edited projects for T4081: VRRP health-check script stops working when setting up a sync group, added: VyOS 1.3 Equuleus ( 1.3.1); removed VyOS 1.3 Equuleus (1.3.0).
Viacheslav closed T4081: VRRP health-check script stops working when setting up a sync group as Resolved.
c-po triaged T1972: Allow setting interface name for virtual_ipaddress in VRRP VRID as Low priority.
This sounds like a "peer-link" or "heartbeat-link" between two VyOS boxes. I have yet no idea how the CLI could look like, maybe you have one?
Unknown Object (User) created T4125: Feature Request: bridge STP BPDU translation.
Dec 30 2021
Dec 30 2021
c-po moved T3318: Update Linux Kernel to v5.4.208 / 5.10.142 from Need Triage to Finished on the VyOS 1.3 Equuleus ( 1.3.1) board.
c-po renamed T3318: Update Linux Kernel to v5.4.208 / 5.10.142 from Update Linux Kernel to v5.4.164 / 5.10.88 to Update Linux Kernel to v5.4.169 / 5.10.89.
Unknown Object (User) changed the status of T4117: Does not possible to configure PoD/CoA for L2TP vpn from In progress to Needs testing.
Suggested fix: https://github.com/vyos/vyatta-op/pull/52
Problem (2) with multiple IPv6 remotes fixed.
During multiple tests on my testlab I found two (or three) possible bugs:
1.)
vyos-cli does not prevent to mix IPv4 and IPv6 remotes. Mixing them is not possible with vxlan.
Dec 29 2021
Dec 29 2021
PR to fix the problem: https://github.com/vyos/vyos-1x/pull/1128
It is compatible with both 1.3 and 1.4, so can be cherry-picked from sagitta to equuleus.
jestabro moved T4086: system login banner is not removed on deletion. from Need Triage to Finished on the VyOS 1.4 Sagitta board.
This is a mutability issue: since under vyos-configd the script is loaded as module, global variables persist, however:
The error is received when the input for minutes is provided in three digits.
zsdc changed the status of T4121: Nameservers from DHCP client cannot be used in specific cases from Open to In progress.
@insignia96 Will be present in the next rolling release.
n.fort renamed T2498: Expected error when deleting vif that has dhcp-server configured from Cannot remove interface vif used by dhcpd to Expected error when deleting vif that has dhcp-server configured.
Configuration tested on 1.3 and 1.4 version.
Viacheslav reopened T2498: Expected error when deleting vif that has dhcp-server configured as "Open".
Re-opened as this task regarding dhcp-server, not dhcp-client
PR started:
https://github.com/vyos/vyos-1x/pull/1127
Viacheslav closed T2498: Expected error when deleting vif that has dhcp-server configured as Resolved N/A.
Fixed VyOS 1.3.0:
vyos@r4# run show conf com | match dhcp
set interfaces ethernet eth2 vif 35 address 'dhcp'
[edit]
vyos@r4# run show int
Codes: S - State, L - Link, u - Up, D - Down, A - Admin Down
Interface IP Address S/L Description
--------- ---------- --- -----------
eth0 192.168.122.14/24 u/u WAN
eth1 203.0.113.14/24 u/u Lan
192.0.2.14/24
eth2 - u/u
eth2.35 10.0.2.10/24 u/uViacheslav added a project to T2700: Redirecting traffic from PPPoE interface to IFB fails: VyOS 1.4 Sagitta.
To reproduce:
set interfaces ethernet eth2 vif 35 set interfaces pppoe pppoe0 authentication password 'MYPASSWORD' set interfaces pppoe pppoe0 authentication user 'MYUSER' set interfaces pppoe pppoe0 default-route 'force' set interfaces pppoe pppoe0 mtu '1492' set interfaces pppoe pppoe0 redirect 'ifb0' set interfaces pppoe pppoe0 source-interface 'eth2.35' set interfaces pppoe pppoe0 traffic-policy out 'OUT2' set interfaces input ifb0
Commit:
vyos@r11-roll# commit [ interfaces pppoe pppoe0 redirect ifb0 ] Cannot find device "pppoe0" tc qdisc ingress failed at /opt/vyatta/sbin/vyatta-qos.pl line 334.