- User Since
- Feb 15 2016, 11:55 AM (175 w, 1 d)
Feb 7 2019
@ekim rephrased: remove the DHCP-interface option and only use and configure the local-address to 0.0.0.0.
Feb 5 2019
Can you try without dhcp-interface and set 0.0.0.0 as local-address?
Feb 4 2019
Configured protocols does not match Proposed protocols. Try without pfs configuration on the VyOS side.
Oct 18 2018
Oct 16 2018
I've redone the patch, it uses a simpler regex because we do not need mixed-mode. The main issue was it didn't validate lowercase. I had to split the host/mask parsing to do the cidr variant properly. I've added tests and it ran succesfully. PR#2
Oct 15 2018
Maybe it merits the larger question on howto migrate this away from rsyslog (if at all) and create sub-tasks.
Oct 14 2018
Do you experience this now? How many rules / what hardware may I ask?
edit: Not trying to undermine your request for this change, just to get an idea at which point it becomes a problem with the current setting to estimate whether we need to address the root-cause urgently.
so far found this:
Oct 13 2018
@syncer if there is an actual issue we need more input from the user to continue. ONHOLD for me (or ARCHIVE).
how about NETCONF, YANG ...
Design-wise this is the right choice. Other platforms have adopted this mantra. The only thing we need to think about is the default policy for intra-zone traffic (allow, drop, reject). My personal preference would be to set the default-intra-zone policy to allow-all within the upgrade scripts, otherwise drop for new configs.
Sep 24 2018
Does your box have a mellanox card? Is there any virtualization involved? Can you check the driver revision in non-/working state in the kernel? Use ethtool to find out the driver servicing your interface and then modinfo the kernel driver name to get its version.
I think the radvd should be made vrrp3 aware. In Juniper this looks like protocols router-advertisement interface <val> virtual-router-only: Send advertisemnets only for vrrp-inet6-group.
May 23 2018
Can you share configs?
What do you mean with "when BDR comes up" ? Was BDR also down together with DR ?
Can you describe more precisely the steps you undertake and what you observe (on which box)? (c/p output into our pastebin )
Thinking ahead: what happens when you have a very active DHCP server? Shouldn't we rate-limit reload-zones to max once/n sec ?
May 22 2018
Oct 25 2017
How exactly do you see the two products interact on a single system?
Do you have this request on their ticketing system? Can you link the two?
Does it have to run on a rpi?
Oct 12 2017
Run tcpdump on your WAN with filter ICMP to confirm probing goes haywire; should be pretty easy to spot as you employed four different targets.
I've tried to attain this holy grail of combining VPNs to gain a faster more reliable link. Although my environment where multiple consumer WAN links with different specs. Yours seem to be more uniform to account for so you might get away with easier.
Aug 30 2017
note: careful when overruling vtysh commands (tt == save?)
Aug 25 2017
@syncer not in the config dump, in the bash-history that's included.
I just noticed your pastes. We need to filter out the set password commands as they will contain plaintext passwords. This could be solved by making the command interactive (it asks for the password to be typed in) similarly to other platforms. There might be other stuff that requires filtering-out history or refactoring.
Aug 12 2017
Please vote in https://phabricator.vyos.net/V4
Aug 5 2017
@syncer I think the problem is that many fields (eg. within the NAT, WLB, PBR facilities) don't allow to use groups you can use in the firewall stanzas. I think there's no need to poll on this, seems to me like a no-brainer, everyone wants this. Many modern products also add auto variables such as eth0_ipaddresses or eth0_networks. Juniper has an implementation that also allows for hierarchical grouping.
Aug 4 2017
This required a little voting or some input by a core member on syntax. Once that's established implementation proceeds.
Aug 3 2017
Merijn is right in my experience. I think root should get unix and the rest the vyos-cli. If you make it a configurable setting within the vyos-cli it would be bestest for everyone.
Jul 22 2017
Jul 17 2017
is already implemented. great!
Jul 4 2017
could you create a phabricator test paste with the correct permission settings as example. Next step is to programmaticly create the same and then integrate w/ vyos.
Jul 3 2017
This requires that VyOS has either some kind of token that allows him to post-as user or the user credentials for pastebin. PHabricator Bots could be perhaps leveraged.
May 29 2017
I added a force-gateway option some time ago. Regardless it's somewhat expected on 1.2, it needs testing and review. I meant 1.1.7 in my previous post (yes, confusion).
May 22 2017
save https://github.com/vyos/vyatta-op-dhcp-server/commit/64817db98e485eee75b53caf4b308197d094784c in /opt/vyatta/share/perl5/Vyatta/DHCPServerOpMode.pm
May 21 2017
@tsumaru720 Could you provide feedback?
I'm sorry for the belated response. This is great. Thanks for your contribution @fatihusta! Once testing checks out I'll add this to my CLI integration todo.
What version have you been using?
Apr 29 2017
Apr 18 2017
@mdsmds you sure that is not it's intended purpose; scare away people from enabling root on their boxes ;p I'm hoping to have some time soon to do some small stuff like this.
Okay, so maybe we should expand the configuration in that case a little. Let's make it replace whatever value is found and allow all three options in the CLI?
Mar 5 2017
There's no point in having VyOS on a rpi, it's too slow to be useful.
This is more likely a configuration problem. Did you enable the local-traffic-loadbalancing option and is your SSH traffic handled by any WLB rule (or left untouched?). Also post your routing table when all wan interfaces are up. What is the status of the enable-sticky-connections option? From where do you test your SSH connectivity from (a connected subnet of vyos? a routed-subnet ?)
Jan 7 2017
Can you provide the output of /etc/logrotate.conf via a pastebin
Dec 21 2016
@elico if you apply a 'source my-lan-clients, destination port-80, proto tcp' rule with gateway your proxy server + the custom testing-target script. If the proxy is up it will be routed towards it. If the target goes down, without any other policies the packet will fall onto PBR and then routing. Isn't that the behaviour you were looking for?
Dec 20 2016
Wan-load-balance. Example is here: https://github.com/vyos/vyatta-wanloadbalance/blob/current/scripts/http_test.pl and implementation https://github.com/vyos/vyatta-wanloadbalance/blob/current/templates/load-balancing/wan/interface-health/node.tag/test/node.tag/type/node.def
@elico it's pretty simple since WLB supports custom tests for gateway/targets. You can simply script it up to that.
In for a quick meeting. I think one of the major points would be 118; what goes in and what not; this shouldn't take more than 10 minutes, I think.
Dec 16 2016
I'll start with 1.2 and backport from there if necessary.
@oliveriandrea what happens when you use double-quotes for vyos-config and single-quotes for the statement within? Can you also test out the other possible combinations; eg. "--with-escaping-the \"inner quotes\""; this is just for reference (I agree with @syncer recommendations for now). I would be especially interested in if they are treated differently by the tab-completion feature as IIRC it generates somewhat broken suggestions (vyos@vyos #delete openvpn-opt<tab> .. ).
Dec 11 2016
set system options beep-on-startup
That's strange because it's exactly what the code does: https://github.com/vyos/vyatta-cfg-system/blob/current/templates/service/ssh/allow-root/node.def
Closed in https://github.com/vyos/vyatta-op/pull/7
Maybe it's interesting to attach the configs to the tested-build data-entry.
Nov 19 2016
I think the next step for this proof-of-concept is to be tried and validated (setup log rules, tcpdump and send in traffic, manually compare counters to dump) then merged into the regular build-process and finally come up with a CLI syntax.
Could this patch be your solution. I remember there was the duplicate print effect when using DHCP-FO on the entries in the lease file in a specific condition that I've made it to ignore.
Nov 9 2016
When doing DHCP-FO it's intentional both machines send out a lease. The duplicate 'lease' issue in the show statements should've been resolved in latest versions IIRC. Which version are you running?
Sep 26 2016
I have used nDPI on CentOS 5 in the past with 'fair' results. The problem is that the makers of nDPI went commercial and their old/OSS package is afair not maintained anymore.
Sep 20 2016
@rps I think he needs a more modern version of squid with sslbump support. I wouldn't put any effort in WCCP, it seems fairly legacy to me.
Sep 17 2016
or do a fallback to another device.
I prefer opt-in options over 'enable by proxy'.
and future get-lease-hostnames?
Sep 15 2016
Could you provide the contents of "sudo vi /opt/vyatta/etc/dhcpd.conf"? It could be related to previously fixed http://bugzilla.vyos.net/show_bug.cgi?id=334 / Reading into it.
Short answer: not really.
Sep 11 2016
You would have to forward traffic to your device. Preferably it handles all types of traffic. Otherwise you can forward dport 443 towards a specific IP.
Sep 1 2016
From the looks of the script it seems this hostname is coming from the DHCP-server upstream. I wonder if this behaviour is controlable.
Aug 25 2016
The page you've linked mentioned the fix: don't use legacy ciphers.
Aug 8 2016
Would this be a setting in the SSH service or rather system login. Because the former allows you to employ wildcards: VYOS-* while the latter feels more correct otherwise. Or you could have both, default the SSHd setting to no-one, and whitelist per user || employ the wildcard solution.
Jul 13 2016
Jul 4 2016
Commited into current, separate patch available for 117 users if needed be.
Jun 27 2016
Jun 21 2016
Jun 18 2016
On which version was this experienced? Cannot reproduce on 1.1.6, 1.1.7 and 1.2. Could you provide the output of sudo iptables-save? Or sudo iptables -t filter -L -nv (includes packet counters and should show you why your traffic is not hitting your log-rule).
Jun 14 2016
Jun 11 2016
Jun 6 2016
I'm telling you I cannot reproduce on 115,116 and 117.
Jun 5 2016
Can it be you have two protocol children entries and didn't tab twice? [cannot-confirm]
Jun 2 2016
Jun 1 2016
I think we can choose how to implement it. We can apply it as a default entry in one of the vyos chains or let the user-decide. The advantage with the latter is that both implementations can co-exist for a while. With the former solution I would remove the old implementation to not confuse the user.
May 25 2016
abferm, could you work out which other settings would be typically employed w/ a syntax proposal. This way we would implement all at once (saving time).
May 12 2016
Ok, basicly the /tmp/keepalived.data format changed. There's no more OPMode.pm#250 in the output and it was replaced by 'Router ID: <n>' which could be used to do find_sync a bit cleaner. It could be in certain cases the multicast source IP is printed out but I'd have to check Keepalived sources to be sure. I could write it that it probes for a value and upon failure won't print out the Source IP or just remove that part all together. Any preferences: TL;DR: implement safer fail-back legacy behavior or YOLO it?