- User Since
- Jun 14 2016, 12:46 AM (83 w, 2 d)
Tue, Jan 16
I am willing to give some advice but it's an issue to understand your infrastructure based on a very fuzzy set of details.
The basic rule of thumb that I can think of is that you cannot assign ip addresses with the same or overlapping prefix on two interfaces and route between them.
I do not know if the VyOS kernel supports IPV6 NAT feature but this should be a very last resort for specific scenarios.
If you need some examples on how IPv6 prefixes are being used you can try to peek at some IPv6 brokers such as Hurricane Electric.
They give you a very specific IPv6 address and prefix for the WAN side with a specific default route,
Then they give you a different prefix to assign the internal network which is behind the main gateway.
Is your setup different then what HE offers?
Thu, Dec 21
@syncer I am the unofficial maintainer of the Squid-Cache RPM's and DEB packages and doing it for more then 4 years now.
These days network routers are actually Route Servers and only the low cost devices doesn't contains any form of proxy functionality on them.
If you need a simple IP router you don't need it and this is most of the use cases of YVOS to my knowledge.
However we might be able to compromise on something in the middle instead of ditching it or other proxies.
Squid-Cache is good for caching but very old so for filtering there are couple other more efficient solutions and also the nature of the Internet HTTP world have changed so caching is good only for very specific purposes...
So I think that it would be a nice to have but if it's possible to allow the admin configure Squid or another proxy outside of the configuration shell it would be a better solution.
Also if you want to intercept traffic into squid you can just use DNAT rules.
Tue, Dec 19
@mickvav What's the status of 1.2.0-x? is there a build node\vm\container I can experiment building nDPI support?
Aug 21 2017
@NceAirport Are you connecting two vyos using a gre or vyos to other vendor?
Do these devices have a public ip address on their interfaces or an internal ip with direct routed link(no nat in the middle)?
How can we try to reproduce the issue?
Jul 24 2017
Jul 20 2017
@ekim Technically the dhcp lease should not affect on the network traffic at all, the renew should be transparent if the IP stays the same.
I believe that since the issue appears after a minute and the lease is 1 hour then it should be fine and probably not the cause for the issue.
Jul 19 2017
Can you verify using tcpdump or other means how long the dhcp lease is?
Jul 18 2017
@EwaldvanGeffen it's not clear to me if and what is implemented.
Can you please describe what is implemented and in what version?
Apr 23 2017
Has anyone tried to do something with the howtoforge: https://www.howtoforge.com/tutorial/opendataplane-with-open-fast-path-on-ubuntu/
Dec 21 2016
Which is an example of how would WLB work with a custom script.
@EwaldvanGeffen apply this rule on what? a WLB?
the WLB from what I understood required an interface per gateway while PBR allows me to route the traffic towards any of the gateways which can be the next-hop ie 10.0.0.100/24 or 10.0.0.101/24.
This is what I remember from vyatta and I haven't digged into the subject since I have a huge gap ahead as far as I can see.
@EwaldvanGeffen WLB has a difference from PBR and what is required a PBR.
The code is not something I was looking for but an example of implementation in the configuration.
Then I will be able to look at the code and understand what might be applied to PBR compared to WLB.
Dec 20 2016
@EwaldvanGeffen Can you help with giving an example of implementing this?
Like with a tiny ping that returns a status code?
(I do not know what WLB is...)
@EwaldvanGeffen technically we can simplify it into a form of a script that monitors the service using http or another tcp\udp based and would flag the avaliability of the service.
The marking and forwarding rule can be automativally bypassed if the service is flagged as down.
Anyone interested working with me on this?
It's basically a simple conditional PBR.. and since WCCP is "OK" for tiny routers for beafy machines such VYOS have I believe that it would be a piece of cake to cook this up.
Dec 4 2016
Tried to compile on sqeeze and got errors so it will only meet .1.2.0.
There was a missing package "bc".
so "apt-get install -y bc" resolved the issue.
Dec 2 2016
Nov 19 2016
@mickvav The userspace software is not something that we need in the build.
I have just built it since it's in the packages\repo.
The important thing is the module and the libraries to build them.
I will try to disable the userspace software build and move on from there.
Nov 18 2016
It took faster then expected with a help from a friend so:
In order to speed up the build process I want us to work on the VYOS development docker container.
Once we will have this I and others can do things much faster.
I will try to share my build node for debian in two days and then we can move forward from this one step forward towards simple kernel compilation for VYOS in a docker container.
After we will have this we can simply buidl the NDPI modules(which are being used in zeroshell....).
Nov 16 2016
OK I have just seen that Mikrotik routers have p2p block and it's an iptables level concept.
I have compiled the module for debian but needs some help from others.
Waiting for others to help.
Oct 19 2016
@hmkias I think that some kind of a daemon would be required to "coordinate" between the squid machine to the VYOS.
I had an idea about it in the past but never had the chance to actually implement it with vyatta.
However I have seen that in ZEROSHELL there is a very nice feature which test for proxy IP level availability.
How complex would it be to make a condition to the policy based on a lock file?
Sep 26 2016
@EwaldvanGeffen The main point is that the basic and working extra modules should be usable to the public since it gives anyone that want's to enhance the existing code.
The main example is blocking windows updates, if you have the sources you can see it's being blocked based couple simple things:
domain name in plain HTTP
domain name in SNI of SSL
@mickvav I do not need it personally since it works for me fine on other systems but I would like to put my efforts in order to have others have some benefit from my work.
I will take a look at the ipt-netflow-code work and with time I will probably practice it.
@mickvav I learned the debian packaging and produced more then one or these for Squid-Cache but everytime I am sitting on the build it's from 0.
To deploy most of my compiled softwares I am using a tar.xz which can be deployed ontop of the existing system as a 'module' and I found it much simpler for me to work with simple bash scripts then the debian packaging.
Without someone helping me to repackage over and over couple times of packages then it's not being pulled into the box but merely passing from one side to the other...
@dmbaturin gave me couple tips and cleared things for me.
I will try to finish couple things here before we\I can dive into the subject.
Sep 23 2016
It can be disabled as will.
It works or not like any other external module which doesn't require kernel changes.( the specific ve21loring version)