@initramfs can we close this?
All Stories
Dec 11 2022
vyos@vyos# show interfaces sstpc
 sstpc sstpc10 {
     authentication {
         password vyos
         user vyos
     }
     server sstp.vyos.net
     ssl {
         ca-certificate VyOS-CA
     }
 }
Hi,
same issue on VyOS 1.4-rolling-202212090319
Dec 10 2022
Dec 9 2022
Started a PR for this: https://github.com/vyos/vyos-1x/pull/1702
PR with fix is here: https://github.com/vyos/vyatta-cfg-firewall/pull/35
@klase It is already in the latest rolling release. Could you re-check?
This works, but if this is the new syntax the CLI needs some cleanup.
According to this https://forum.vyos.io/t/vagrant-auth-failure-on-new-vagrant-images/9871/2
This issue is due to T874.
My understanding is that is not changeable, so my proposal is to add the "vagrant insecure key" for the vyos user during the vagrant box creation.
Use the following syntax:
show bgp ipv4 neighbors x.x.x.x advertised-routes
Dec 8 2022
PR for show/reset functions:
https://github.com/vyos/vyos-1x/pull/1699
fix for 1.4 PR https://github.com/vyos/vyos-1x/pull/1698
vyos@r14# cat /run/accel-pppd/l2tp.conf | grep dae-s
dae-server=127.0.0.1:1700,testing123
[edit]
vyos@r14#
Dec 7 2022
I can confirm the firewall errors are fixed in the newest rolling VyOS 1.4-rolling-202212070318
Yes, they are. 192.168.101.10 is the IP of a VPN remote access subscriber. He's connected to interface l2tp0 (accel-ppp), and I'm just trying to open a TCP connection to port 80 on the client from the peer node.
@aserkin Thanks
Are the l2tp clients in the network 192.168.101.x? And are you trying to connect to some web resource behind l2tp?
The firewall settings do not seem to catch the traffic going out of l2tp* interfaces.
admin@vyos-lns-1:~$ show config commands | grep firewall
set firewall interface l2tp* out name 'nodefw'
set firewall log-martians 'disable'
set firewall name nodefw rule 100 action 'accept'
set firewall name nodefw rule 100 protocol 'tcp'
set firewall name nodefw rule 100 tcp flags syn
set firewall name nodefw rule 100 tcp mss '1300'
Oops. Thank you Nicolas.
Suddenly found myself far behind the current rolling release. Will upgrade first.
I have made the change in my configuration and tested as many configuration changes as I could (I have not tested radius authentication, and other options that are not valid in my setup) and it seems to work with this change without any unwanted side effects.
Dec 6 2022
@dmbaturin It shows only IPv4 routes
Could you also add IPv6?
Should be fixed in T4794
Please check the newest version.
@aserkin. Viacheslav's commands are present in more recent nightly builds.
Try with one of the latest images.
There's no "set firewall interface" option here:
admin@vyos-lns-1:~$ show version
Version: VyOS 1.4-rolling-202209131208
@klase could you make some changes?
sudo nano -c +253 /usr/libexec/vyos/conf_mode/vpn_openconnect.py
and change
call('systemctl restart ocserv.service')
to:
call('systemctl reload-or-restart ocserv.service')
Does it do the same?
set firewall interface l2tp* out name 'FOO'
set firewall name FOO rule 10 action 'accept'
set firewall name FOO rule 10 protocol 'tcp'
set firewall name FOO rule 10 tcp flags syn
set firewall name FOO rule 10 tcp mss '1300'
nft
table ip vyos_filter {
    chain VYOS_FW_FORWARD {
        type filter hook forward priority filter; policy accept;
        oifname "l2tp*" counter packets 0 bytes 0 jump NAME_FOO
        jump VYOS_POST_FW
    }
    ...
    chain NAME_FOO {
        tcp flags & syn == syn tcp option maxseg size 1300 counter packets 0 bytes 0 return comment "FOO-10"
        counter packets 0 bytes 0 drop comment "FOO default-action drop"
    }
}
CNI Plugins compatible with nftables https://github.com/greenpau/cni-plugins/
Dec 5 2022
@klase will be fixed in the next rolling release
Dec 4 2022
Dec 3 2022
PR to fix recursion check: https://github.com/vyos/vyos-1x/pull/1691