zsdc
User

Projects

User does not belong to any projects.

User Details

User Since
Sep 10 2018, 3:30 PM (22 w, 6 d)

Recent Activity

Thu, Feb 14

zsdc created T1247: WAN load-balancing fail when !<x.x.x.x/x> configured in rules.
Thu, Feb 14, 9:26 PM · VyOS 1.2 Crux
zsdc added a comment to T258: Can not configure wan load-balancing on vyos-1.2.

With new package all works fine.

Thu, Feb 14, 9:18 PM · VyOS 1.2 Crux (VyOS 1.2.1)

Wed, Feb 13

zsdc added a comment to T258: Can not configure wan load-balancing on vyos-1.2.

Need to reopen this task.
Version: 1.2.0-LTS.
Running configuration:

vyos@test-01# show 
 interfaces {
     ethernet eth0 {
         address 192.168.55.18/30
         duplex auto
         hw-id 08:00:27:95:bb:f6
         smp-affinity auto
         speed auto
     }
     ethernet eth1 {
         address 192.168.56.3/24
         duplex auto
         hw-id 08:00:27:8e:d6:fb
         smp-affinity auto
         speed auto
     }
     ethernet eth2 {
         duplex auto
         hw-id 08:00:27:8c:27:04
         smp-affinity auto
         speed auto
     }
     loopback lo {
     }
 }
 service {
     ssh {
     }
 }
 system {
     config-management {
         commit-revisions 100
     }
     console {
         device ttyS0 {
             speed 9600
         }
     }
     host-name test-01
     login {
         user vyos {
             authentication {
                 encrypted-password $6$7X4XbQJ2xVMZ8$NmISPmyC1f88cIfcKig01pkjePNTVeeWwULrHgich6wB0A1TH/b31Jywpsde8Mv4/B8Qa5CxFM.rlXmfOQT0Z0
                 plaintext-password ""
             }
             level admin
         }
     }
     name-server 1.1.1.1
     ntp {
         server 0.pool.ntp.org {
         }
         server 1.pool.ntp.org {
         }
         server 2.pool.ntp.org {
         }
     }
     syslog {
         global {
             facility all {
                 level info
             }
             facility protocols {
                 level debug
             }
         }
     }
     time-zone UTC
 }
Wed, Feb 13, 6:02 PM · VyOS 1.2 Crux (VyOS 1.2.1)

Tue, Feb 12

zsdc created T1243: BGP local-as accept wrong values.
Tue, Feb 12, 5:15 PM · VyOS 1.2 Crux

Fri, Feb 8

zsdc closed T173: Static routes ignored with DHCP received gateway as Resolved.

This bug can't be reproduced in 1.2.0-LTS and 1.2.0-rolling+201902080337, so it seems that it was fixed in some of the previous releases. Closing ticket.
Feel free to reopen it if the same behavior is spotted in one of the current releases.

Fri, Feb 8, 1:23 PM · VyOS 1.3 Equuleus
zsdc created T1235: "show | commands" don't work from config mode.
Fri, Feb 8, 12:36 PM · VyOS 1.2 Crux
zsdc added a comment to T1148: epa2 BGP peers initiate before config is fully loaded, routes leak..

@danhusan, you can send the configuration to support@vyos.io with the theme "Phabricator T1148". Also, please check whether the remote side of the BGP peering runs in active or passive mode.

Fri, Feb 8, 12:10 PM · VyOS 1.2 Crux (VyOS 1.2.2)
zsdc created T1234: DHCP relay relay-agents-packets is dysfunctional.
Fri, Feb 8, 11:43 AM · VyOS 1.3 Equuleus

Thu, Feb 7

zsdc added a comment to T1148: epa2 BGP peers initiate before config is fully loaded, routes leak..

Hello @danhusan!
How big is your configuration? Can you provide a depersonalized config? Which hardware or virtual machine are you using for VyOS? Can you provide a full log of booting?
We can't confidently reproduce this bug. It looks like the configuration can't load quickly enough or something like this.

Thu, Feb 7, 8:21 PM · VyOS 1.2 Crux (VyOS 1.2.2)
zsdc changed the status of T1227: rip PW can't be set at interface config from Open to Confirmed.

Bug confirmed. The problem is in FRRouting CLI (FRRouting 7.1-dev).
Will see what we can do with this.

Thu, Feb 7, 8:05 PM · VyOS 1.3 Equuleus
zsdc changed the status of T1209: OSPF max-metric configuration not supported from In progress to Confirmed.

Hello, @adestis!
You can use values from 5 to 100. 600 is unsupported in current FRRouting.

Thu, Feb 7, 5:54 PM · VyOS 1.2 Crux (VyOS 1.2.1)
zsdc added a comment to T1158: Route-Map configuration dropped updating rc11 to epa2.

Hello, @MrXermon!
We can't reproduce this bug. Maybe there are some other errors which can affect route-maps?
If you have the old configuration, can you check the update procedure with an update to 1.2.0-LTS and the current rolling?

Thu, Feb 7, 5:45 PM · VyOS 1.3 Equuleus
zsdc added a comment to T1140: Policy Route Not Work.

Hello, @rizkidtn!
Do any problems still exist with your configuration, or can we close this issue?

Thu, Feb 7, 5:27 PM · VyOS 1.3 Equuleus
zsdc added a comment to T1094: vyos 1.2 rc 10 stuck on "Started bpfilter" when rebooting.

Hello, @dongjunbo!
Can you check the behavior with new versions? If the problem still exists, show us an example of such a big configuration, or at least the count of objects and their types in this config.

Thu, Feb 7, 4:43 PM · VyOS 1.3 Equuleus
zsdc added a comment to T1187: Command show log vpn display wrong information .

Hello, @bjtangseng!
Can you recheck this with fresh versions? It seems that in 1.2.0-LTS and rolling everything is OK. Also, if there are no VPN logs at all (for example, VPN is not configured), you can see output like in the first message, and then this is not an issue.

Thu, Feb 7, 4:40 PM · VyOS 1.3 Equuleus
zsdc added a comment to T1044: Dead loop on virtual device.

Hello, @TrueTechy!
As I understand it, this situation can exist only if the interface is in the down state? Can you check this behavior with a fresh VyOS version?

Thu, Feb 7, 4:32 PM · VyOS 1.3 Equuleus

Mon, Jan 21

zsdc added a comment to T1157: Static route not reachable through VRRP address.

OK, things are clearer now.
If you don't have any L2 filters between the eth1 interfaces of the VyOS instances, I would recommend that you first change the configuration to something like this (based on your configuration from the first message):
Router 1:

Mon, Jan 21, 9:42 AM · VyOS-1.2.0-GA, VyOS 1.2 Crux (VyOS 1.2.0-GA)

Jan 15 2019

zsdc changed the status of T1172: vyatta_update_sysctl.pl does not support options that have multiple values from Needs testing to Confirmed.

Confirmed. If we try to change a variable with multiple values, only the first of them will be applied. For example:

net.ipv4.tcp_wmem = 4098	16384	1643392
Jan 15 2019, 10:13 AM · VyOS-1.2.0-GA, VyOS 1.2 Crux (VyOS 1.2.0-GA)
zsdc added a comment to T1157: Static route not reachable through VRRP address.

Hi, @bmtauer!
To be honest, it looks like you have used a bug or some non-typical behavior in 1.1.8 as a feature. Your configuration looks strange from the start, so I propose to start the investigation with a detailed description of the task which you want to solve with all this.
If you can, please provide information about:

  1. Connections at the eth interfaces on both (master and backup) routers. As I understand it, all interfaces are connected to the same L2 segment of the network? Explain why the connections were made like this - this is not obvious to us now.
  2. What exactly do you want to achieve with VRRP? Just make a reserved router, or is this part of a more complex task?

The more we understand your task, the faster we can help to solve this problem.

Jan 15 2019, 9:49 AM · VyOS-1.2.0-GA, VyOS 1.2 Crux (VyOS 1.2.0-GA)

Jan 8 2019

zsdc added a comment to T1135: "firewall send-redirects enable" works only after switching from disabled state on running system.

I doubt that it will be unencrypted

It can be 100% unencrypted. If the sender accepts redirects, then traffic can be routed through another router. :)

Jan 8 2019, 8:53 PM · VyOS-1.2.0-GA, VyOS 1.2 Crux (VyOS 1.2.0-EPA3)
zsdc added a comment to T1135: "firewall send-redirects enable" works only after switching from disabled state on running system.

By default, it will be more optimal to leave send_redirects in the enabled state.
I think that it will be better to prevent committing anything in vpn ipsec if send_redirects is enabled for any interface, as we can't predict with 100% certainty from which interface the traffic that needs to be encrypted with IPSec will be received.
A per-interface option can definitely help in any case. But we need to leave at least a warning to the user, which clearly says that with send_redirects enabled, some of the traffic from an interface with this option can be leaked through unencrypted channels.

Jan 8 2019, 8:29 PM · VyOS-1.2.0-GA, VyOS 1.2 Crux (VyOS 1.2.0-EPA3)
zsdc added a comment to T1137: 'sh ip bgp sum' being truncated.

Can you reproduce this with some other emulator, other than SecureCRT, and make a video of this bug?

Jan 8 2019, 8:55 AM · VyOS 1.3 Equuleus

Jan 7 2019

zsdc changed the status of T1141: Conntrack helpers are no longer active by default from Needs testing to Confirmed.

OK. So, for now, anyone can use the workarounds provided in T1011 or here. And wait for a permanent fix in further builds.

Jan 7 2019, 2:04 PM · VyOS 1.2 Crux (VyOS 1.2.0-EPA3), VyOS-1.2.0-GA
zsdc added a comment to T1137: 'sh ip bgp sum' being truncated.

Hi, @knozzle!
Please provide the output of the next command, executed in the same terminal as the defective show ip bgp summary:

tput cols ; tput lines
Jan 7 2019, 1:53 PM · VyOS 1.3 Equuleus
zsdc added a comment to T1140: Policy Route Not Work.

Hi, @rizkidtn!
A policy route won't work if it is assigned to any interface other than those from which incoming traffic is received.
Why can't you set the policy on the eth1.2400 interface? Are there any problems or errors related to this?

Jan 7 2019, 1:42 PM · VyOS 1.3 Equuleus

Dec 30 2018

zsdc added a comment to T1141: Conntrack helpers are no longer active by default.

I can confirm that the problem with connection tracking exists. The reason is this change in the Linux kernel. Now, by default, all connection helpers are disabled. You may try to search in your log files for something like:

kernel: nf_conntrack: default automatic helper assignment has been turned off for security reasons and CT-based  firewall rule not found. Use the iptables CT target to attach helpers instead.

If you want, you may read more about this here.
So, we need to add all helpers by hand. You may try the next workaround. Add this to /config/scripts/vyatta-postconfig-bootup.script:

sleep 10
iptables -t raw -I VYATTA_CT_HELPER 1 -p tcp --dport 1723 -j CT --helper pptp
iptables -t raw -I VYATTA_CT_HELPER 2 -p tcp --dport 21 -j CT --helper ftp

Then reboot or, if you want to apply it without rebooting, just execute all the commands in a root shell.

Dec 30 2018, 2:43 AM · VyOS 1.2 Crux (VyOS 1.2.0-EPA3), VyOS-1.2.0-GA

Dec 28 2018

zsdc added a comment to T1135: "firewall send-redirects enable" works only after switching from disabled state on running system.

I've made some tests...
I have built a lab with the next configuration:


On the test PC the gateway to 10.2.1.0/24 is R2.
On R2 we have the next routing tables:

vyos@vyos:~$ show ip route 
Codes: K - kernel route, C - connected, S - static, R - RIP,
       O - OSPF, I - IS-IS, B - BGP, E - EIGRP, N - NHRP,
       T - Table, v - VNC, V - VNC-Direct, A - Babel, D - SHARP,
       F - PBR, f - OpenFabric,
       > - selected route, * - FIB route
Dec 28 2018, 10:45 PM · VyOS-1.2.0-GA, VyOS 1.2 Crux (VyOS 1.2.0-EPA3)

Dec 27 2018

zsdc added a comment to T1135: "firewall send-redirects enable" works only after switching from disabled state on running system.

I found it. This is the VPN settings.
Based on information from the Linux IP stack flow diagrams, IPSec policy is applied after the routing decision, and ICMP redirects are done before this. So we can't leave send_redirects=1 on an interface where we receive unencrypted traffic for IPSec.
But we can:

  1. Check for firewall send-redirects 'enable' and prevent committing vpn ipsec options when send_redirects is enabled.
  2. Disable send_redirects only on interfaces where we expect incoming unencrypted IPSec traffic.

I'm not sure which is better.

Dec 27 2018, 4:43 PM · VyOS-1.2.0-GA, VyOS 1.2 Crux (VyOS 1.2.0-EPA3)

Dec 25 2018

zsdc added a comment to T1135: "firewall send-redirects enable" works only after switching from disabled state on running system.

If you just enable and reboot, does it work too? I've seen this problem on different routers with RC3, RC11 and rolling, but I can't find an obvious reason for it.

Dec 25 2018, 6:21 AM · VyOS-1.2.0-GA, VyOS 1.2 Crux (VyOS 1.2.0-EPA3)

Dec 24 2018

zsdc added a comment to T1135: "firewall send-redirects enable" works only after switching from disabled state on running system.

Hi @hagbard!
Config in attachment.

Dec 24 2018, 9:29 PM · VyOS-1.2.0-GA, VyOS 1.2 Crux (VyOS 1.2.0-EPA3)
zsdc created T1135: "firewall send-redirects enable" works only after switching from disabled state on running system.
Dec 24 2018, 2:43 PM · VyOS-1.2.0-GA, VyOS 1.2 Crux (VyOS 1.2.0-EPA3)

Dec 18 2018

zsdc created T1118: Obsolete "utc" option in time selector in firewall.
Dec 18 2018, 2:53 PM · VyOS 1.3 Equuleus

Dec 17 2018

zsdc created T1113: Unwanted/broken "disable" option in firewall state.
Dec 17 2018, 10:06 PM · VyOS 1.3 Equuleus
zsdc updated the task description for T1111: Misbehaviour of "recent" options in firewall rules.
Dec 17 2018, 9:21 PM · VyOS-1.2.0-GA, VyOS 1.2 Crux ( VyOS 1.2.0-rc11)
zsdc created T1111: Misbehaviour of "recent" options in firewall rules.
Dec 17 2018, 9:19 PM · VyOS-1.2.0-GA, VyOS 1.2 Crux ( VyOS 1.2.0-rc11)

Dec 14 2018

zsdc added a comment to T1102: Disabling rp_filter don't work.

Here is what I mean.
Before enabling rp_filter:

net.ipv4.conf.all.rp_filter = 0
net.ipv4.conf.default.rp_filter = 0
net.ipv4.conf.eth0.rp_filter = 0
net.ipv4.conf.eth1.rp_filter = 0
net.ipv4.conf.eth2.rp_filter = 0
net.ipv4.conf.l2tpeth1.rp_filter = 0
net.ipv4.conf.lo.rp_filter = 0

After enabling:

net.ipv4.conf.all.rp_filter = 2
net.ipv4.conf.default.rp_filter = 2
net.ipv4.conf.eth0.rp_filter = 2
net.ipv4.conf.eth1.rp_filter = 2
net.ipv4.conf.eth2.rp_filter = 2
net.ipv4.conf.l2tpeth1.rp_filter = 2
net.ipv4.conf.lo.rp_filter = 2

After disabling:

net.ipv4.conf.all.rp_filter = 0
net.ipv4.conf.default.rp_filter = 2
net.ipv4.conf.eth0.rp_filter = 2
net.ipv4.conf.eth1.rp_filter = 2
net.ipv4.conf.eth2.rp_filter = 2
net.ipv4.conf.l2tpeth1.rp_filter = 2
net.ipv4.conf.lo.rp_filter = 2
Dec 14 2018, 3:12 PM · VyOS-1.2.0-GA, VyOS 1.2 Crux (VyOS 1.2.0-GA)

Dec 13 2018

zsdc updated the task description for T1102: Disabling rp_filter don't work.
Dec 13 2018, 10:44 AM · VyOS-1.2.0-GA, VyOS 1.2 Crux (VyOS 1.2.0-GA)
zsdc created T1102: Disabling rp_filter don't work.
Dec 13 2018, 10:42 AM · VyOS-1.2.0-GA, VyOS 1.2 Crux (VyOS 1.2.0-GA)

Dec 5 2018

zsdc created T1083: Implement "--persistent" option to NAT rules.
Dec 5 2018, 9:27 AM · VyOS 1.3 Equuleus

Dec 4 2018

zsdc added a comment to T1000: Broken 6rd tunnel implementation.

Tested with 1.2.0-rolling+201812010337. Still many bugs, very hard to diagnose it properly.
Minimal TODO list, so that we can continue testing:

Dec 4 2018, 3:24 PM · VyOS 1.3 Equuleus
zsdc added a comment to T1025: Command "show routing table XX" don't work (FRRouting bug).

Checked in 1.2.0-rolling+201812010337, all works fine.
Vtysh:

root@vyos:/home/vyos# vtysh
Dec 4 2018, 10:00 AM · VyOS-1.2.0-GA, VyOS 1.2 Crux (VyOS 1.2.0-rc9)

Dec 3 2018

zsdc created T1078: Problems in RED/WRED implementation (QoS).
Dec 3 2018, 2:43 PM · VyOS 1.3 Equuleus

Nov 26 2018

zsdc created T1050: Wrong queue-limit for fair-queue.
Nov 26 2018, 9:01 PM · VyOS 1.2 Crux (VyOS 1.2.0-EPA3)

Nov 20 2018

zsdc added a comment to T1000: Broken 6rd tunnel implementation.

I will check the fix soon.
By creating tunnels without a remote side I mean something like:

ip tunnel add sit1 mode sit local 192.168.20.20 ttl 64

This is the "vanilla way", as I understand it.

Nov 20 2018, 9:44 PM · VyOS 1.3 Equuleus

Nov 18 2018

zsdc created T1025: Command "show routing table XX" don't work (FRRouting bug).
Nov 18 2018, 12:31 PM · VyOS-1.2.0-GA, VyOS 1.2 Crux (VyOS 1.2.0-rc9)

Nov 15 2018

zsdc created T1018: Incorrect (obsoleted) option "dynamic" for NTP server.
Nov 15 2018, 10:05 PM · VyOS-1.2.0-GA, VyOS 1.2 Crux (VyOS 1.2.0-rc8)

Nov 11 2018

zsdc created T1000: Broken 6rd tunnel implementation.
Nov 11 2018, 11:15 PM · VyOS 1.3 Equuleus

Oct 28 2018

zsdc added a comment to T945: Unable to change configuration after changing it from script (vbash + script-template).

@dmbaturin, after some thinking about this problem, I think that doing sg for all script is not a very good idea. There can be situations when we want to run it from other groups.
By now, I see two ways:

  • add additional parameter to executable option, that will define using script vbash with template or not;
  • move setting up right group to /opt/vyatta/etc/functions/script-template.

The second way seems more practical and easy for configuration migrations.

Oct 28 2018, 8:02 PM · VyOS 1.2 Crux (VyOS 1.2.1)
zsdc added a comment to T945: Unable to change configuration after changing it from script (vbash + script-template).

@syncer, thanks for the hint. Works with:

[edit]
vyos@vyos# show system task-scheduler 
 task testtask01 {
     crontab-spec @reboot
     executable {
         arguments "vyattacfg /config/scripts/testscript01.script"
         path /usr/bin/sg
     }
 }
[edit]
vyos@vyos#

But this workaround is a little bit ugly (if we want to use arguments, for example).
Maybe it would be better if VyOS did this under the hood, without end-user engagement?

Oct 28 2018, 7:43 PM · VyOS 1.2 Crux (VyOS 1.2.1)
zsdc created T945: Unable to change configuration after changing it from script (vbash + script-template).
Oct 28 2018, 7:13 PM · VyOS 1.2 Crux (VyOS 1.2.1)