n.fort (Nicolas Fort)
User

User Details

User Since
Jun 9 2021, 3:23 PM (55 w, 3 d)

Recent Activity

Tue, Jun 28

n.fort closed T4458: Firewall - add support for matching ip ttl in firewall rules as Resolved.
Tue, Jun 28, 12:49 PM · VyOS 1.4 Sagitta
n.fort closed T3907: Firewall - Set log levels as Resolved.
Tue, Jun 28, 12:48 PM · VyOS 1.4 Sagitta

Sun, Jun 26

n.fort changed the status of T4480: add an ability to configure squid acl safe ports and acl ssl safe ports from Open to In progress.
Sun, Jun 26, 3:49 PM · VyOS 1.4 Sagitta
n.fort added a project to T4480: add an ability to configure squid acl safe ports and acl ssl safe ports: VyOS 1.4 Sagitta.
Sun, Jun 26, 3:49 PM · VyOS 1.4 Sagitta
n.fort added a comment to T4480: add an ability to configure squid acl safe ports and acl ssl safe ports.

PR: https://github.com/vyos/vyos-1x/pull/1369

Sun, Jun 26, 3:48 PM · VyOS 1.4 Sagitta
n.fort claimed T4480: add an ability to configure squid acl safe ports and acl ssl safe ports.
Sun, Jun 26, 12:25 PM · VyOS 1.4 Sagitta

Tue, Jun 21

n.fort changed the status of T4475: route-map does not support ipv6 peer from Open to In progress.

PR for 1.4: https://github.com/vyos/vyos-1x/pull/1367

Tue, Jun 21, 5:43 PM · VyOS 1.4 Sagitta, VyOS 1.3 Equuleus
n.fort added a project to T4475: route-map does not support ipv6 peer: VyOS 1.4 Sagitta.
Tue, Jun 21, 5:43 PM · VyOS 1.4 Sagitta, VyOS 1.3 Equuleus
n.fort claimed T4475: route-map does not support ipv6 peer.
Tue, Jun 21, 3:20 PM · VyOS 1.4 Sagitta, VyOS 1.3 Equuleus

Wed, Jun 15

n.fort closed T4450: Route-map - Extend options for ip|ipv6 address match as Resolved.
Wed, Jun 15, 3:03 PM · VyOS 1.4 Sagitta
n.fort closed T4449: Route-map - Extend options for ip next-hop match as Resolved.
Wed, Jun 15, 3:03 PM · VyOS 1.4 Sagitta
n.fort closed T990: Make DNAT/SNAT a valid state in firewall rules. as Resolved.
Wed, Jun 15, 3:02 PM · VyOS 1.4 Sagitta, test

Tue, Jun 14

n.fort added a comment to T4460: nhrp not starting due to missing cisco-authentication value.

Since in previous version set protocols nhrp tunnel tun0 cisco-authentication "" was allowed, a migration script is required. Otherwise, when upgrading, configuration fails.

Tue, Jun 14, 2:54 PM · VyOS 1.4 Sagitta

Sat, Jun 11

n.fort renamed T4435: Policy route and firewall - error when using undefined group from Policy route without defined port-group error to Policy route and firewall - error when using undefined group.
Sat, Jun 11, 11:19 AM · VyOS 1.4 Sagitta
n.fort added a comment to T4435: Policy route and firewall - error when using undefined group.

Extra checks are needed not only when attaching a policy route to an interface, but also when attaching firewall.
For example:

[email protected]# set firewall name FOO rule 10 action accept 
[edit]
[email protected]# set firewall name FOO rule 10 destination group address-group NOAG
[edit]
[email protected]# commit
Sat, Jun 11, 11:15 AM · VyOS 1.4 Sagitta

Fri, Jun 10

n.fort changed the status of T4460: nhrp not starting due to missing cisco-authentication value from Open to Needs testing.
Fri, Jun 10, 6:13 PM · VyOS 1.4 Sagitta
n.fort added a comment to T4458: Firewall - add support for matching ip ttl in firewall rules.

PR: https://github.com/vyos/vyos-1x/pull/1355

Fri, Jun 10, 5:52 PM · VyOS 1.4 Sagitta
n.fort closed T4365: NAT - Error on setting up tables as Resolved.
Fri, Jun 10, 3:14 PM · VyOS 1.4 Sagitta
n.fort changed the status of T3907: Firewall - Set log levels from In progress to Needs testing.
Fri, Jun 10, 3:11 PM · VyOS 1.4 Sagitta
n.fort added a comment to T4460: nhrp not starting due to missing cisco-authentication value.

PR: https://github.com/vyos/vyos-1x/pull/1353

Fri, Jun 10, 3:08 PM · VyOS 1.4 Sagitta
n.fort claimed T4460: nhrp not starting due to missing cisco-authentication value.
Fri, Jun 10, 2:34 PM · VyOS 1.4 Sagitta
n.fort added a comment to T4457: L2TP/IPSec Remote Access VPN does not work as expected in 1.3.1-S1.

Same as Viacheslav. No issues on my tests in Ubuntu.

Fri, Jun 10, 12:56 PM · VyOS 1.3 Equuleus ( 1.3.1)
n.fort added a comment to T1230: Improving Boot Time for Large Firewall Configurations.

Yes. New 1.4 has more restricted checks on addresses and networks.
Actually, if you are using /22, the correct network for this case is 192.168.44.0/22.
You can use this online tool for checking ipv4 networks and subnets.

Fri, Jun 10, 11:02 AM · VyOS 1.3 Equuleus (1.3.0)

Thu, Jun 9

n.fort claimed T4461: Improve negated firewall groups in cli.
Thu, Jun 9, 4:53 PM · VyOS 1.4 Sagitta
n.fort created T4461: Improve negated firewall groups in cli.
Thu, Jun 9, 11:58 AM · VyOS 1.4 Sagitta

Sun, Jun 5

n.fort added a comment to T4387: Create additional smoketests for multiwan PBR & load-balanced configurations .

Added more options. PR https://github.com/vyos/vyos-1x/pull/1350

Sun, Jun 5, 8:12 PM · VyOS 1.3 Equuleus (1.3.0), VyOS 1.4 Sagitta

Sat, Jun 4

n.fort added a comment to T3976: Missing prefix-list and access-list option from ipv6 route-map.

PR: https://github.com/vyos/vyos-1x/pull/1348

Sat, Jun 4, 4:19 PM · VyOS 1.4 Sagitta, VyOS 1.3 Equuleus (1.3.0-epa3)
n.fort claimed T4458: Firewall - add support for matching ip ttl in firewall rules.
Sat, Jun 4, 3:03 PM · VyOS 1.4 Sagitta
n.fort changed Version from - to 1.4 on T4458: Firewall - add support for matching ip ttl in firewall rules.
Sat, Jun 4, 3:03 PM · VyOS 1.4 Sagitta
n.fort created T4458: Firewall - add support for matching ip ttl in firewall rules.
Sat, Jun 4, 3:02 PM · VyOS 1.4 Sagitta

Fri, Jun 3

n.fort changed the status of T4450: Route-map - Extend options for ip|ipv6 address match from Open to Needs testing.
Fri, Jun 3, 3:49 PM · VyOS 1.4 Sagitta

May 29 2022

n.fort added a comment to T4450: Route-map - Extend options for ip|ipv6 address match.

PR: https://github.com/vyos/vyos-1x/pull/1342

May 29 2022, 4:51 PM · VyOS 1.4 Sagitta
n.fort claimed T4450: Route-map - Extend options for ip|ipv6 address match.
May 29 2022, 3:05 PM · VyOS 1.4 Sagitta
n.fort created T4450: Route-map - Extend options for ip|ipv6 address match.
May 29 2022, 3:05 PM · VyOS 1.4 Sagitta
n.fort changed the status of T4449: Route-map - Extend options for ip next-hop match from Open to Needs testing.

PR: https://github.com/vyos/vyos-1x/pull/1339

May 29 2022, 11:04 AM · VyOS 1.4 Sagitta
n.fort added a comment to T1230: Improving Boot Time for Large Firewall Configurations.

Yes, your error with "root" user is a known issue: T4281.

May 29 2022, 10:52 AM · VyOS 1.3 Equuleus (1.3.0)

May 28 2022

n.fort claimed T4449: Route-map - Extend options for ip next-hop match.
May 28 2022, 11:15 AM · VyOS 1.4 Sagitta
n.fort created T4449: Route-map - Extend options for ip next-hop match.
May 28 2022, 11:15 AM · VyOS 1.4 Sagitta

May 27 2022

n.fort added a comment to T1230: Improving Boot Time for Large Firewall Configurations.

For a better analysis, can you share your firewall and nat config without hidden data? You can send it to my email: [email protected]

May 27 2022, 4:36 PM · VyOS 1.3 Equuleus (1.3.0)

May 15 2022

n.fort added a comment to T4387: Create additional smoketests for multiwan PBR & load-balanced configurations .

I agree that having a smoketest for WLB will be great. But, there are certain limitations/considerations:

May 15 2022, 3:01 PM · VyOS 1.3 Equuleus (1.3.0), VyOS 1.4 Sagitta

May 12 2022

n.fort closed T4100: Firewall increase maximum number of rules as Resolved.
May 12 2022, 5:14 PM · VyOS 1.3 Equuleus ( 1.3.1), VyOS 1.4 Sagitta
n.fort added a comment to T990: Make DNAT/SNAT a valid state in firewall rules. .

PR for docs: https://github.com/vyos/vyos-documentation/pull/771

May 12 2022, 1:55 PM · VyOS 1.4 Sagitta, test

May 11 2022

n.fort changed the status of T3907: Firewall - Set log levels from Open to In progress.
May 11 2022, 1:42 PM · VyOS 1.4 Sagitta
n.fort claimed T3907: Firewall - Set log levels.
May 11 2022, 1:42 PM · VyOS 1.4 Sagitta

May 9 2022

n.fort changed the status of T990: Make DNAT/SNAT a valid state in firewall rules. from Open to Needs testing.
May 9 2022, 10:03 PM · VyOS 1.4 Sagitta, test
n.fort added a comment to T990: Make DNAT/SNAT a valid state in firewall rules. .

PR: https://github.com/vyos/vyos-1x/pull/1279

May 9 2022, 10:03 PM · VyOS 1.4 Sagitta, test

May 6 2022

n.fort added a comment to T4362: Wan Load Balancing - Can't create routing tables.

I was able to reproduce issue on latest VyOS 1.4-rolling-202205060217
Steps to reproduce:
1 - Fresh/clean vyos router
2 - Add interface configuration (dhcp on WANs and static IP addresses on LAN side), commit and save
3 - Add next WLB configuration:

May 6 2022, 5:54 PM · VyOS 1.4 Sagitta

Apr 29 2022

n.fort reassigned T4377: generate tech-support archive includes previous archives from n.fort to m.korobeinikov.
Apr 29 2022, 10:31 AM · VyOS 1.4 Sagitta, VyOS 1.3 Equuleus ( 1.3.1)
n.fort claimed T4377: generate tech-support archive includes previous archives.
Apr 29 2022, 10:19 AM · VyOS 1.4 Sagitta, VyOS 1.3 Equuleus ( 1.3.1)

Apr 22 2022

n.fort changed the status of T4365: NAT - Error on setting up tables from Open to Needs testing.
Apr 22 2022, 5:31 PM · VyOS 1.4 Sagitta

Apr 21 2022

n.fort added a comment to T4365: NAT - Error on setting up tables.

PR: https://github.com/vyos/vyos-1x/pull/1289

Apr 21 2022, 12:10 PM · VyOS 1.4 Sagitta

Apr 17 2022

n.fort created T4367: NAT - Config tmp file not available.
Apr 17 2022, 1:17 PM · VyOS 1.4 Sagitta
n.fort added a comment to T4365: NAT - Error on setting up tables.

Review code: https://github.com/vyos/vyos-1x/blob/current/data/templates/firewall/nftables-nat.tmpl#L141-L142

Apr 17 2022, 12:53 PM · VyOS 1.4 Sagitta

Apr 16 2022

n.fort claimed T4365: NAT - Error on setting up tables.
Apr 16 2022, 6:07 PM · VyOS 1.4 Sagitta
n.fort updated the task description for T4365: NAT - Error on setting up tables.
Apr 16 2022, 5:46 PM · VyOS 1.4 Sagitta
n.fort created T4365: NAT - Error on setting up tables.
Apr 16 2022, 5:43 PM · VyOS 1.4 Sagitta

Apr 11 2022

n.fort added a comment to T1230: Improving Boot Time for Large Firewall Configurations.

Did similar tests with your big config >20k lines:

Apr 11 2022, 12:46 PM · VyOS 1.3 Equuleus (1.3.0)

Apr 8 2022

n.fort added a comment to T4348: Site access denied.

I have normal access!

Apr 8 2022, 10:49 AM

Apr 7 2022

n.fort added a comment to T1230: Improving Boot Time for Large Firewall Configurations.

With shared config, I'm not getting high times while loading config (at least not that high as exposed in this task)

Apr 7 2022, 6:46 PM · VyOS 1.3 Equuleus (1.3.0)
n.fort added a comment to T1230: Improving Boot Time for Large Firewall Configurations.

Thanks for sharing.
Is this ok?

Apr 7 2022, 12:36 PM · VyOS 1.3 Equuleus (1.3.0)
n.fort added a comment to T1230: Improving Boot Time for Large Firewall Configurations.

Can you share your config @daniel.arconada ?

Apr 7 2022, 11:18 AM · VyOS 1.3 Equuleus (1.3.0)

Apr 5 2022

n.fort added a comment to T4331: IPv6 link local addresses are not configured when an interface is in a VRF.

Applying patch from the PR I could not reproduce issue anymore

Apr 5 2022, 3:25 PM · VyOS 1.3 Equuleus (1.3.2), VyOS 1.4 Sagitta
n.fort claimed T990: Make DNAT/SNAT a valid state in firewall rules. .
Apr 5 2022, 12:18 PM · VyOS 1.4 Sagitta, test

Apr 4 2022

n.fort added a comment to T4246: Failed to delete vrrp transition-script.

Great.
In that case I suggest marking this invalid and closing it.

Apr 4 2022, 7:08 PM · VyOS 1.3 Equuleus (1.3.0)

Apr 3 2022

n.fort added a comment to T4331: IPv6 link local addresses are not configured when an interface is in a VRF.

Bug confirmed on 1.3.1-S1 and on 1.4-rolling-202203180317

Apr 3 2022, 4:40 PM · VyOS 1.3 Equuleus (1.3.2), VyOS 1.4 Sagitta

Mar 30 2022

n.fort reopened T4319: The command "set system ipv6 disable" doesn't work as expected. as "Open".
Mar 30 2022, 1:09 PM · VyOS 1.4 Sagitta, VyOS 1.3 Equuleus (1.3.2)
n.fort added a comment to T4319: The command "set system ipv6 disable" doesn't work as expected..

Issue found.
On fresh 1.3.1-S1 installation:

Mar 30 2022, 1:08 PM · VyOS 1.4 Sagitta, VyOS 1.3 Equuleus (1.3.2)

Mar 29 2022

n.fort added a comment to T3686: Bridging OpenVPN tap with no local-address breaks.

Hi @freelancer . PR mentioned by @Viacheslav was merged on February 17, so fix should be included in 1.3.1

Mar 29 2022, 12:17 PM · VyOS 1.3 Equuleus ( 1.3.1), VyOS 1.4 Sagitta

Mar 28 2022

n.fort added a comment to T4246: Failed to delete vrrp transition-script.

@m.korobeinikov
Does your configuration include these script corrections? https://docs.vyos.io/en/equuleus/automation/command-scripting.html#executing-configuration-scripts

Mar 28 2022, 3:24 PM · VyOS 1.3 Equuleus (1.3.0)

Mar 20 2022

n.fort closed T4298: vyos-vm-images: fix ansible group name and remove obsolete empty command as Resolved.
Mar 20 2022, 1:18 PM · VyOS 1.4 Sagitta
n.fort added a comment to T4298: vyos-vm-images: fix ansible group name and remove obsolete empty command.

Ok, thanks for the clarification.
I'm closing this task and marking it as resolved.

Mar 20 2022, 1:17 PM · VyOS 1.4 Sagitta

Mar 18 2022

n.fort closed T4286: Fix for firewall ipv6 name address validator as Resolved.
Mar 18 2022, 6:32 PM · VyOS 1.4 Sagitta
n.fort added a comment to T4298: vyos-vm-images: fix ansible group name and remove obsolete empty command.

@hakwerk . Is this solved in PR https://github.com/vyos/vyos-vm-images/pull/24 ??

Mar 18 2022, 6:31 PM · VyOS 1.4 Sagitta
n.fort added a comment to T4299: Firewall - GeoIP filtering.

Splitting ipv4 files, and just adding what's needed. In my case, I extracted content from geoip-ipv4.nft and created an include file geoip-CA-ipv4.nft (Canada IPs)

Mar 18 2022, 6:20 PM · VyOS 1.4 Sagitta
n.fort added a comment to T4299: Firewall - GeoIP filtering.

After some custom build and POC, here's what I got:

  • Filtering works, as shown in this table:
Mar 18 2022, 5:27 PM · VyOS 1.4 Sagitta
n.fort added a comment to T4307: Policy routing anymore, Commit generating errors.

Can you share configuration that you are deleting? So far, I can't reproduce error

Mar 18 2022, 1:41 PM · VyOS 1.4 Sagitta

Mar 13 2022

n.fort created T4299: Firewall - GeoIP filtering.
Mar 13 2022, 2:14 PM · VyOS 1.4 Sagitta
n.fort added a comment to T4298: vyos-vm-images: fix ansible group name and remove obsolete empty command.

Update download URL -> PR: https://github.com/vyos/vyos-vm-images/pull/26

Mar 13 2022, 1:33 PM · VyOS 1.4 Sagitta

Mar 12 2022

n.fort added a comment to T4286: Fix for firewall ipv6 name address validator.

PR for 1.4: https://github.com/vyos/vyos-1x/pull/1247

Mar 12 2022, 3:23 PM · VyOS 1.4 Sagitta

Mar 11 2022

n.fort closed T4122: interface ip address config missing after upgrade from 1.2.8 to 1.3.0 (when redirect is configured?) as Resolved.
Mar 11 2022, 6:20 PM · VyOS 1.4 Sagitta, VyOS 1.3 Equuleus
n.fort updated n.fort.
Mar 11 2022, 6:18 PM
n.fort claimed T4286: Fix for firewall ipv6 name address validator.
Mar 11 2022, 6:17 PM · VyOS 1.4 Sagitta

Mar 10 2022

n.fort added a comment to T4286: Fix for firewall ipv6 name address validator.

A simplified validator that rejects non-ipv6 address ranges (still lacks a "1st ipv6 lower than 2nd address" validator):

Mar 10 2022, 6:50 PM · VyOS 1.4 Sagitta
n.fort added a comment to T4286: Fix for firewall ipv6 name address validator.

For 1.4, problem is in ipv6-range validator, which accepts lots of values that should be considered as invalid:

Mar 10 2022, 6:30 PM · VyOS 1.4 Sagitta

Mar 7 2022

n.fort added a comment to T4275: Incorrect val_help for local/remote prefix in ipsec vpn.

PR: https://github.com/vyos/vyos-1x/pull/1240

Mar 7 2022, 11:42 AM · VyOS 1.4 Sagitta

Mar 4 2022

n.fort closed T4282: show log command does not match documentation - showing firewall logs, or tailing <x> lines as Invalid.
Mar 4 2022, 3:04 PM · VyOS 1.4 Sagitta

Feb 26 2022

n.fort created T4273: ssh: Upgrade from 1.2.X to 1.3.0 breaks config.
Feb 26 2022, 6:02 PM · VyOS 1.3 Equuleus ( 1.3.1), VyOS 1.4 Sagitta

Feb 25 2022

n.fort added a comment to T4002: firewall group network-group long names restriction incorrect behavior.

This situation is worse, since ipset exposed the error, but vyos cli accepts it, and it remains in the running configuration:

Feb 25 2022, 7:23 PM · VyOS 1.3 Equuleus ( 1.3.1)

Feb 23 2022

n.fort closed T4194: prefix-list no check for duplicate entries as Resolved.
Feb 23 2022, 3:48 PM · VyOS 1.4 Sagitta
n.fort added a comment to T4194: prefix-list no check for duplicate entries.

Tested on VyOS 1.4-rolling-202202150317:

Feb 23 2022, 3:48 PM · VyOS 1.4 Sagitta
n.fort added a comment to T4199: Commit failed when setting icmpv6 type any.

I think this task can be marked as resolved, but before doing that, anything else @artooro ? Were you able to test it?

Feb 23 2022, 3:40 PM · VyOS 1.4 Sagitta
n.fort added a comment to T4262: install image doesn't respect chosen root partition size.

@pvanberlo Can you share more info on how we can reproduce this issue?

Feb 23 2022, 2:49 PM · VyOS 1.4 Sagitta, VyOS 1.3 Equuleus (1.3.0)
n.fort added a comment to T4262: install image doesn't respect chosen root partition size.

I wasn't able to reproduce the issue.
I installed 3 times VyOS 1.3.0 version on Proxmox:

Feb 23 2022, 2:46 PM · VyOS 1.4 Sagitta, VyOS 1.3 Equuleus (1.3.0)

Feb 22 2022

n.fort added a comment to T4122: interface ip address config missing after upgrade from 1.2.8 to 1.3.0 (when redirect is configured?).

PR: https://github.com/vyos/vyatta-cfg-qos/pull/12

Feb 22 2022, 6:43 PM · VyOS 1.4 Sagitta, VyOS 1.3 Equuleus
n.fort claimed T4122: interface ip address config missing after upgrade from 1.2.8 to 1.3.0 (when redirect is configured?).
Feb 22 2022, 4:47 PM · VyOS 1.4 Sagitta, VyOS 1.3 Equuleus
n.fort added a comment to T4122: interface ip address config missing after upgrade from 1.2.8 to 1.3.0 (when redirect is configured?).

Explanation on how to reproduce this error:

  • On fresh install on 1.2.8 (more parameter may be needed to be able to upgrade router):
set interfaces input ifb042
set interfaces ethernet eth0 vif 42 address 203.0.113.47/32
set interfaces ethernet eth0 vif 42 redirect 'ifb042'

Then add and install 1.3.0 vyos image, and reboot.

Feb 22 2022, 4:07 PM · VyOS 1.4 Sagitta, VyOS 1.3 Equuleus
n.fort added a comment to T4027: Does not possible to update the system with 512MB of RAM.

Same problem when downgrading from 1.3.0 to 1.2.8

Feb 22 2022, 3:14 PM · VyOS 1.3 Equuleus
n.fort added a comment to T4122: interface ip address config missing after upgrade from 1.2.8 to 1.3.0 (when redirect is configured?).

Can confirm the problem.
Also, when booting on 1.3.0 version, and trying to load pre-migration config file, it's also not possible.
Removing "redirect" entry from pre-migration file, configuration loads correctly.
Once configuration was loaded, "redirect" command can be inserted once again in cli, and it is accepted.

Feb 22 2022, 3:11 PM · VyOS 1.4 Sagitta, VyOS 1.3 Equuleus

Feb 21 2022

n.fort added a comment to T4210: NAT source/destination negated ports throws an error.

  1. Negated ports: errors while writing command.

For example:

Feb 21 2022, 5:01 PM · VyOS 1.4 Sagitta

Feb 15 2022

n.fort added a comment to T4145: Conntrack table not showing after firewall rewriting.

Command "show conntrack ..." not available any more in latest?

Feb 15 2022, 7:04 PM · VyOS 1.4 Sagitta