- User Since
- Mar 4 2019, 8:50 PM (69 w, 2 d)
Mon, Jun 29
Sat, Jun 27
Yes, it is possible not only to detect DoS/DDoS but also to take some action and run an alert script.
The alert script receives the following parameters:
# $1 client_ip_as_string
# $2 data_direction
# $3 pps_as_string
# $4 action (ban or unban)
@jack9603301 can you explain snort perspectives and describe the difference between them? Do you have experience with both IDS?
Wed, Jun 24
Mon, Jun 22
Sun, Jun 21
Works as expected, tested on 1.3-rolling-202006201113
Sat, Jun 20
Thu, Jun 18
Can I propose doing this by default but keeping the possibility to redefine the replace option?
Wed, Jun 17
Add PR for rolling https://github.com/vyos/vyos-1x/pull/462
Tue, Jun 16
- Add $INCLUDE dictionary.rfc4849 to /usr/share/accel-ppp/radius/dictionary file
- Add the modules required to use ip-pre-up/ip-up/ip-down scripts
[modules]
sigchld
pppd_compat
And pppd_compat params
[pppd-compat]
verbose=1
ip-pre-up=/path/to/ip-pre-up
radattr-prefix=/var/run/radattr
- Create an ip-pre-up/ip-down script which will get the configured firewall names and rules from the CLI or a supported script
Note: When ip-pre-up returns 1, the session will not start, as described in https://tools.ietf.org/html/rfc4849
It is not possible to disable ccp in l2tp
vyos@RTR1# set vpn l2tp remote-access ccp-disable
vyos@RTR1# commit
[ vpn l2tp ]
VyOS had an issue completing a command.
Mon, Jun 15
I think this is a related task https://phabricator.vyos.net/T2591
Sun, Jun 14
Sat, Jun 13
Fri, Jun 12
Successfully tested on 1.3-rolling-202006120643
Successfully tested on rolling 1.3-rolling-202006120643
Thu, Jun 11
Wed, Jun 10
The ipoe daemon allows us to use this possibility. We need to add CLI commands.
set service ipoe-server client-ip-pool name POOL1 subnet 100.64.0.0/24
Radius attribute Framed-Pool.
Tested on VyOS 1.3-rolling-202006101523
SSTP, L2TP and PPPoE work as expected.
As for pptp, an additional bug report needs to be created.
Tue, Jun 9
In this case, the SSTP daemon is trying to allocate RAM for the ipv6 pool and the router does not have enough RAM. Dynamic memory allocation is not implemented for ip-pools.
Maybe, in this case, we need to calculate before commit and show a commit fail message with the reason?
2^64 bit = 18446744073709551616 bit or 2305843009213693952 byte
2305843009213693952 * 64 (structure size byte) = 147573952589676412928 byte or 137438953472 GB
Correct me if my calculation is wrong.
Mon, Jun 8
Note: it is necessary to define gw-ip-address for the [radius] or [chap-secrets] sections.
I think the old interface sequence number can cause confusion on this device
@c-po these changes will take effect only for a newly installed system; HW-ID in the config has higher priority.
Sun, Jun 7
May 29 2020
May 28 2020
@zsdc can you try to reproduce this issue on 1.3 rollings or on 1.2.5? I can't reach this behavior.
vyos@vyos# commit
[ vpn ]
Warning: local prefix 192.168.34.0/24 specified for peer "192.168.50.2" is not configured on any interfaces
Also added the second commit which fixes the path to zebra daemon
May 26 2020
Successfully tested on 1.3-rolling-202005261512, propose to backport it to CRUX.
May 25 2020
Hello @lawrencepan, can you explain why you need a different AS for route-reflector-client?
Can you add your route-maps ROUTE-V4 and ROUTER-V6?
PR for this task https://github.com/vyos/libpam-radius-auth/pull/3
I propose always using source-address as NAS-IP-Address if it is defined
Tested successfully on 1.3-rolling-202005250117
vyos@RTR1:~$ show sstp-server sessions
 ifname | username |     ip     | ip6 | ip6-dp | calling-sid | rate-limit | state  |  uptime  | rx-bytes | tx-bytes
--------+----------+------------+-----+--------+-------------+------------+--------+----------+----------+----------
 sstp0  | test     | 100.64.2.0 |     |        | x.x.x.x.    |            | active | 00:01:16 | 27.9 KiB | 80.3 KiB
Tested on 1.3-rolling-202005250117, works as expected.
May 22 2020
Maybe set service serial-bridge?
May 21 2020
Tested on 1.3-rolling-202005210117, works properly
May 20 2020
Note: When we migrate NAT to nftables, we need to use nftables sets instead of ipset
May 19 2020
May 14 2020
May 13 2020
Issue with socket.gethostbyname()
Successfully tested on the VyOS 1.3-rolling-202005130117.
Full opennhrp logs might be enabled by the following command
Fixed in T832
May 11 2020
May 9 2020
May 6 2020
May 4 2020
Fix path to mac-address node. PR https://github.com/vyos/vyos-1x/pull/392
All works on the rolling 1.3-rolling-202005030117
vyos@vyos:~$ ping 100.64.0.1 flood count 300
PING 100.64.0.1 (100.64.0.1) 56(84) bytes of data.