Scribd
Upload
32 views185 pages

Vyos

Uploaded by

Mistake Ivanovic
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
32 views185 pages

Vyos

Uploaded by

Mistake Ivanovic
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
You are on page 1/ 185

VyOS Documentation

Release 1.2.0-beta

VyOS maintainers and contributors

Apr 08, 2019


Contents:

1 Installation 3

2 Command-Line Interface 5

3 Quick Start Guide 7


3.1 Basic QoS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9

4 Configuration Overview 11

5 Network Interfaces 15
5.1 Interface Addresses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16
5.2 Dummy Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17
5.3 Ethernet Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18
5.4 Wireless Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19
5.5 Bridging . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19
5.6 Bonding . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21
5.7 Tunnel Interfaces (vti) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22
5.8 VLAN Sub-Interfaces (802.1Q) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22
5.9 QinQ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23
5.10 VXLAN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24
5.11 WireGuard VPN Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28

6 Routing 31
6.1 Static . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31
6.2 RIP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31
6.3 OSPF . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32
6.4 BGP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33
6.5 ARP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35

7 Policy Routing 37

8 Firewall 39
8.1 Zone-based Firewall Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39
8.2 Groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39
8.3 Rule-Sets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40
8.4 Applying a Rule-Set to an Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40
8.5 Applying a Rule-Set to a Zone . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40

i
8.6 Example Partial Config . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41

9 NAT 43
9.1 Source NAT . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43
9.2 Destination NAT . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45
9.3 1-to-1 NAT . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46
9.4 1-to-1 NAT example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46
9.5 NPTv6 (RFC6296) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47
9.6 Usage . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47
9.7 VyOS Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47

10 VPN 49
10.1 OpenVPN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49
10.2 L2TP over IPsec . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52
10.3 Site-to-Site IPsec . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 54
10.4 DMVPN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 56
10.5 PPTP-Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63
10.6 WireGuard VPN Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63

11 QoS and Traffic Policy 67


11.1 Configuration nodes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67
11.2 Traffic policies in VyOS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 69
11.3 Ingress shaping . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 86
11.4 Classful policies and traffic matching . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 86

12 Services 91
12.1 Conntrack . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 91
12.2 DHCP Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 94
12.3 DHCPv6 server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 97
12.4 DHCP Relay . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 101
12.5 DNS Forwarding . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 104
12.6 Dynamic DNS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 105
12.7 LLDP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 107
12.8 mDNS Repeater . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 109
12.9 PPPoE server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 109
12.10 UDP broadcast relay . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 110
12.11 SNMP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 111
12.12 SSH . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 114
12.13 TFTP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 116
12.14 Webproxy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 117

13 System 121
13.1 Event Handler . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 121
13.2 Flow Accounting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 122
13.3 Host Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 122
13.4 System Users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 125
13.5 Syslog . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 125
13.6 Task scheduler . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 127
13.7 Config Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 128

14 High availability 129


14.1 Basic setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 129
14.2 IPv6 support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 130
14.3 Disabling a VRRP group . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 130
14.4 Setting VRRP group priority . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 130

ii
14.5 Preemption . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 130
14.6 Unicast VRRP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 130
14.7 Scripting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 131

15 Clustering 133

16 System Image Management 135


16.1 Update VyOS Installation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 136

17 Command scripting 137


17.1 Run configuration commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 137
17.2 Run operational commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 137
17.3 Other script language . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 138
17.4 Executing Configuration Scripts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 138

18 Appendix A - Troubleshooting 141


18.1 Basic Connectivity Verification . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 141
18.2 Monitoring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 142
18.3 Clear Command . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 145

19 Appendix B - Configuration Examples 147


19.1 VyOS DMVPN Hub . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 147

20 Appendix C - Command tree 151


20.1 Operational mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 151
20.2 Configuration mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 158

21 Bug Reports and Feature Requests 167


21.1 Bug Report . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 167
21.2 Feature Request . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 167

22 Development 169

23 VyOS CLI 171


23.1 Example XML File . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 171
23.2 Configuration mode command definitions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 173
23.3 Mapping from the old node.def style to the new XML definitions . . . . . . . . . . . . . . . . . . . 175

24 Python coding guidelines 177


24.1 Configuration script structure and behaviour . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 177
24.2 Coding guidelines . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 179
24.3 Code policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 179

iii
iv
VyOS Documentation, Release 1.2.0-beta

VyOS is an open source network operating system based on Debian GNU/Linux.


VyOS provides a free routing platform that competes directly with other commercially available solutions from well
known network providers. Because VyOS is run on standard amd64, i586 and ARM systems, it is able to be used as a
router and firewall platform for cloud deployments.

Contents: 1
VyOS Documentation, Release 1.2.0-beta

2 Contents:
CHAPTER 1

Installation

The latest ISO image for VyOS can be downloaded at https://www.vyos.net.


The recommended system requirements are 512 MiB RAM and 2 GiB storage.
The VyOS ISO is a Live CD and will boot to a functional VyOS image. To login to the system, use the default
username vyos with password vyos.
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent


permitted by applicable law.
vyos@vyos:~$

vyos@vyos:~$ uname -a
Linux vyos 4.18.11-amd64-vyos #23 SMP Mon Oct 1 17:29:22 CEST 2018 x86_64 GNU/Linux

Unlike general purpose Linux distributions, VyOS uses “image installation” that mimics the user experience of tradi-
tional hardware routers and allows you to keep multiple VyOS versions on the same machine and switch to a previous
version if something breaks after upgrade. Every version is contained in its own squashfs image that is mounted in a
union filesystem together with a directory for mutable data (configs etc.).

Note: Older versions used to support non-image installation (install system command). It’s been deprecated since
the time image installation was introduced (long before the fork), and does not provide any version management
capabilities. You should not use it for new installations even if it’s still available in new versions. You should not
worry about older systems installed that way though, they can be upgraded with add system image. In addition
the install system command has been removed in VyOS 1.2 (Crux).

To install VyOS, run install image.


vyos@vyos:~$ install image
Welcome to the VyOS install program. This script
(continues on next page)

3
VyOS Documentation, Release 1.2.0-beta

(continued from previous page)


will walk you through the process of installing the
VyOS image to a local hard drive.
Would you like to continue? (Yes/No) [Yes]: Yes
Probing drives: OK
Looking for pre-existing RAID groups...none found.
The VyOS image will require a minimum 2000MB root.
Would you like me to try to partition a drive automatically
or would you rather partition it manually with parted? If
you have already setup your partitions, you may skip this step

Partition (Auto/Parted/Skip) [Auto]:

I found the following drives on your system:


sda 4294MB

Install the image on? [sda]:

This will destroy all data on /dev/sda.


Continue? (Yes/No) [No]: Yes

How big of a root partition should I create? (2000MB - 4294MB) [4294]MB:

Creating filesystem on /dev/sda1: OK


Done!
Mounting /dev/sda1...
What would you like to name this image? [1.2.0-rolling+201809210337]:
OK. This image will be named: 1.2.0-rolling+201809210337
Copying squashfs image...
Copying kernel and initrd images...
Done!
I found the following configuration files:
/opt/vyatta/etc/config.boot.default
Which one should I copy to sda? [/opt/vyatta/etc/config.boot.default]:

Copying /opt/vyatta/etc/config.boot.default to sda.


Enter password for administrator account
Enter password for user 'vyos':
Retype password for user 'vyos':
I need to install the GRUB boot loader.
I found the following drives on your system:
sda 4294MB

Which drive should GRUB modify the boot partition on? [sda]:

Setting up grub: OK
Done!
vyos@vyos:~$

After the installation is complete, remove the Live CD and reboot the system:

vyos@vyos:~$ reboot
Proceed with reboot? (Yes/No) [No] Yes

4 Chapter 1. Installation
CHAPTER 2

Command-Line Interface

The VyOS CLI comprises an Operational mode and a Configuration mode.


Operational mode allows for commands to perform operational system tasks and view system and service status,
while configuration mode allows for the modification of system configuration. The command tree page lists available
commands and their functions.
The CLI provides a built-in help system. In the CLI the [?] key may be used to display available commands. The
[tab] key can be used to auto-complete commands and will present the help system upon a conflict or unknown value.
For example typing sh followed by the [tab] key will complete to show. Pressing [tab] a second time will display the
possible sub-commands of the show command.

vyos@vyos:~$ s[tab]
set show
vyos@vyos:~$

Example showing possible show commands:

vyos@vyos:~$ show [tab]


Possible completions:
arp Show Address Resolution Protocol (ARP) information
bridge Show bridging information
cluster Show clustering information
configuration Show running configuration
conntrack Show conntrack entries in the conntrack table
conntrack-sync
Show connection syncing information
date Show system date and time
dhcp Show Dynamic Host Configuration Protocol (DHCP) information
dhcpv6 Show status related to DHCPv6
disk Show status of disk device
dns Show Domain Name Server (DNS) information
file Show files for a particular image
firewall Show firewall information
flow-accounting
(continues on next page)

5
VyOS Documentation, Release 1.2.0-beta

(continued from previous page)


Show flow accounting statistics
hardware Show system hardware details
history show command history
host Show host information
incoming Show ethernet input-policy information
: q
vyos@vyos:~$

When the output of a command results in more lines than can be displayed on the terminal screen the output is
paginated as indicated by a : prompt.
When viewing in page mode the following commands are available:
• [q] key can be used to cancel output
• [space] will scroll down one page
• [b] will scroll back one page
• [return] will scroll down one line
• [up-arrow] and [down-arrow] will scroll up or down one line at a time respectively
• [left-arrow] and [right-arrow] can be used to scroll left or right in the event that the output has lines
which exceed the terminal size.
To enter configuration mode use the configure command:

vyos@vyos:~$ configure
[edit]
vyos@vyos:~#

Note: Prompt changes from $ to #. To exit configuration mode, type exit.

vyos@vyos:~# exit
exit
vyos@vyos:~$

See the configuration section of this document for more information on configuration mode.

6 Chapter 2. Command-Line Interface


CHAPTER 3

Quick Start Guide

Below is a very basic configuration example that will provide a NAT gateway for a device with two interfaces.
Enter configuration mode:

vyos@vyos$ configure
vyos@vyos#

Configure network interfaces:

set interfaces ethernet eth0 address dhcp


set interfaces ethernet eth0 description 'OUTSIDE'
set interfaces ethernet eth1 address '192.168.0.1/24'
set interfaces ethernet eth1 description 'INSIDE'

Enable SSH for remote management:

set service ssh port '22'

Configure Source NAT for our “Inside” network.

set nat source rule 100 outbound-interface 'eth0'


set nat source rule 100 source address '192.168.0.0/24'
set nat source rule 100 translation address masquerade

Configure a DHCP Server:

set service dhcp-server disabled 'false'


set service dhcp-server shared-network-name LAN subnet 192.168.0.0/24 default-router
˓→'192.168.0.1'

set service dhcp-server shared-network-name LAN subnet 192.168.0.0/24 dns-server '192.


˓→168.0.1'

set service dhcp-server shared-network-name LAN subnet 192.168.0.0/24 domain-name


˓→'internal-network'

set service dhcp-server shared-network-name LAN subnet 192.168.0.0/24 lease '86400'


(continues on next page)

7
VyOS Documentation, Release 1.2.0-beta

(continued from previous page)


set service dhcp-server shared-network-name LAN subnet 192.168.0.0/24 range 0 start
˓→192.168.0.9

set service dhcp-server shared-network-name LAN subnet 192.168.0.0/24 range 0 stop


˓→'192.168.0.254'

And a DNS forwarder:


Please note that the listen-on statement is deprecated. Please use listen-address instead!

set service dns forwarding cache-size '0'


set service dns forwarding listen-on 'eth1'
set service dns forwarding name-server '8.8.8.8'
set service dns forwarding name-server '8.8.4.4'

Add a set of firewall policies for our “Outside” interface:

set firewall name OUTSIDE-IN default-action 'drop'


set firewall name OUTSIDE-IN rule 10 action 'accept'
set firewall name OUTSIDE-IN rule 10 state established 'enable'
set firewall name OUTSIDE-IN rule 10 state related 'enable'
set firewall name OUTSIDE-LOCAL default-action 'drop'
set firewall name OUTSIDE-LOCAL rule 10 action 'accept'
set firewall name OUTSIDE-LOCAL rule 10 state established 'enable'
set firewall name OUTSIDE-LOCAL rule 10 state related 'enable'
set firewall name OUTSIDE-LOCAL rule 20 action 'accept'
set firewall name OUTSIDE-LOCAL rule 20 icmp type-name 'echo-request'
set firewall name OUTSIDE-LOCAL rule 20 protocol 'icmp'
set firewall name OUTSIDE-LOCAL rule 20 state new 'enable'
set firewall name OUTSIDE-LOCAL rule 30 action 'drop'
set firewall name OUTSIDE-LOCAL rule 30 destination port '22'
set firewall name OUTSIDE-LOCAL rule 30 protocol 'tcp'
set firewall name OUTSIDE-LOCAL rule 30 recent count '4'
set firewall name OUTSIDE-LOCAL rule 30 recent time '60'
set firewall name OUTSIDE-LOCAL rule 30 state new 'enable'
set firewall name OUTSIDE-LOCAL rule 31 action 'accept'
set firewall name OUTSIDE-LOCAL rule 31 destination port '22'
set firewall name OUTSIDE-LOCAL rule 31 protocol 'tcp'
set firewall name OUTSIDE-LOCAL rule 31 state new 'enable'

Apply the firewall policies:

set interfaces ethernet eth0 firewall in name 'OUTSIDE-IN'


set interfaces ethernet eth0 firewall local name 'OUTSIDE-LOCAL'

Commit changes, save the configuration, and exit configuration mode:

vyos@vyos# commit
vyos@vyos# save
Saving configuration to '/config/config.boot'...
Done
vyos@vyos# exit
vyos@vyos$

8 Chapter 3. Quick Start Guide


VyOS Documentation, Release 1.2.0-beta

3.1 Basic QoS

The traffic policy subsystem provides an interface to Linux traffic control (tc).
One common use of traffic policy is to limit bandwidth for an interface. In the example below we limit bandwidth for
our LAN connection to 200 Mbit download and out WAN connection to 50 Mbit upload:

set traffic-policy shaper WAN-OUT bandwidth '50Mbit'


set traffic-policy shaper WAN-OUT default bandwidth '50%'
set traffic-policy shaper WAN-OUT default ceiling '100%'
set traffic-policy shaper WAN-OUT default queue-type 'fair-queue'
set traffic-policy shaper LAN-OUT bandwidth '200Mbit'
set traffic-policy shaper LAN-OUT default bandwidth '50%'
set traffic-policy shaper LAN-OUT default ceiling '100%'
set traffic-policy shaper LAN-OUT default queue-type 'fair-queue'

Resulting in the following configuration:

traffic-policy {
shaper WAN-OUT {
bandwidth 50Mbit
default {
bandwidth 50%
ceiling 100%
queue-type fair-queue
}
}
shaper LAN-OUT {
bandwidth 200Mbit
default {
bandwidth 50%
ceiling 100%
queue-type fair-queue
}
}
}

Once defined, a traffic policy can be applied to each interface using the interface-level traffic-policy directive:

set interfaces ethernet eth0 traffic-policy out 'WAN-OUT'


set interfaces ethernet eth1 traffic-policy out 'LAN-OUT'

Note: A traffic policy can also be defined to match specific traffic flows using class statements.

VyOS 1.2 (Crux) also supports HFSC (set traffic-policy shaper-hfsc)


See further information in the QoS and Traffic Policy chapter.

3.1. Basic QoS 9


VyOS Documentation, Release 1.2.0-beta

10 Chapter 3. Quick Start Guide


CHAPTER 4

Configuration Overview

VyOS makes use of a unified configuration file for all system configuration: config.boot. This allows for easy template
creation, backup, and replication of system configuration.
The current configuration can be viewed using the show configuration command.
vyos@vyos:~$ show configuration
interfaces {
ethernet eth0 {
address dhcp
hw-id 00:0c:29:44:3b:0f
}
loopback lo {
}
}
service {
ssh {
port 22
}
}
system {
config-management {
commit-revisions 20
}
console {
device ttyS0 {
speed 9600
}
}
login {
user vyos {
authentication {
encrypted-password ****************
}
level admin
}
(continues on next page)

11
VyOS Documentation, Release 1.2.0-beta

(continued from previous page)


}
ntp {
server 0.pool.ntp.org {
}
server 1.pool.ntp.org {
}
server 2.pool.ntp.org {
}
}
syslog {
global {
facility all {
level notice
}
facility protocols {
level debug
}
}
}
}
vyos@vyos:~$

Because configuration changes are made using set and delete commands, the commands to generate the active config-
uration can also be displayed using the show configuration commands command.

vyos@vyos:~$ show configuration commands


set interfaces ethernet eth0 address 'dhcp'
set interfaces ethernet eth0 hw-id '00:0c:29:44:3b:0f'
set interfaces loopback 'lo'
set service ssh port '22'
set system config-management commit-revisions '20'
set system console device ttyS0 speed '9600'
set system login user vyos authentication encrypted-password '<removed>'
set system login user vyos level 'admin'
set system ntp server '0.pool.ntp.org'
set system ntp server '1.pool.ntp.org'
set system ntp server '2.pool.ntp.org'
set system syslog global facility all level 'notice'
set system syslog global facility protocols level 'debug'
vyos@vyos:~$

Configuration changes made do not take effect until committed using the commit command in configuration mode.

vyos@vyos# commit
[edit]
vyos@vyos# exit
Warning: configuration changes have not been saved.
vyos@vyos:~$

In order to preserve configuration changes upon reboot, the configuration must also be saved once applied. This is
done using the save command in configuration mode.

vyos@vyos# save
Saving configuration to '/config/config.boot'...
Done
[edit]
vyos@vyos#

12 Chapter 4. Configuration Overview


VyOS Documentation, Release 1.2.0-beta

The show command within configuration mode will show the current configuration indicating line changes with a +
for additions and a - for deletions.
vyos@vyos:~$ configure
[edit]
vyos@vyos# show interfaces
ethernet eth0 {
address dhcp
hw-id 00:0c:29:44:3b:0f
}
loopback lo {
}
[edit]
vyos@vyos# set interfaces ethernet eth0 description 'OUTSIDE'
[edit]
vyos@vyos# show interfaces
ethernet eth0 {
address dhcp
+ description OUTSIDE
hw-id 00:0c:29:44:3b:0f
}
loopback lo {
}
[edit]
vyos@vyos#

Configuration mode can not be exited while uncommitted changes exist. To exit configuration mode without applying
changes, the exit discard command can be used.
vyos@vyos# exit
Cannot exit: configuration modified.
Use 'exit discard' to discard the changes and exit.
[edit]
vyos@vyos# exit discard
exit
vyos@vyos:~$

VyOS also maintains backups of previous configurations. To compare configuration revisions in configuration mode,
use the compare command:
vyos@vyos# compare [tab]
Possible completions:
<Enter> Compare working & active configurations
saved Compare working & saved configurations
<N> Compare working with revision N
<N> <M> Compare revision N with M
Revisions:
0 2013-12-17 20:01:37 root by boot-config-loader
1 2013-12-13 15:59:31 root by boot-config-loader
2 2013-12-12 21:56:22 vyos by cli
3 2013-12-12 21:55:11 vyos by cli
4 2013-12-12 21:27:54 vyos by cli
5 2013-12-12 21:23:29 vyos by cli
6 2013-12-12 21:13:59 root by boot-config-loader
7 2013-12-12 16:25:19 vyos by cli
8 2013-12-12 15:44:36 vyos by cli
9 2013-12-12 15:42:07 root by boot-config-loader
10 2013-12-12 15:42:06 root by init
(continues on next page)

13
VyOS Documentation, Release 1.2.0-beta

(continued from previous page)

[edit]
vyos@vyos#

You can rollback configuration using the rollback command, however this command will currently trigger a system
reboot.

vyos@vyos# compare 1
[edit system]
>host-name vyos-1
[edit]
vyos@vyos# rollback 1
Proceed with reboot? [confirm][y]
Broadcast message from root@vyos-1 (pts/0) (Tue Dec 17 21:07:45 2013):
The system is going down for reboot NOW!
[edit]
vyos@vyos#

VyOS also supports saving and loading configuration remotely using SCP, FTP, or TFTP.

vyos@vyos# save [tab]


Possible completions:
<Enter> Save to system config file
<file> Save to file on local machine
scp://<user>:<passwd>@<host>/<file> Save to file on remote machine
ftp://<user>:<passwd>@<host>/<file> Save to file on remote machine
tftp://<host>/<file> Save to file on remote machine
vyos@vyos# save tftp://192.168.0.100/vyos-test.config.boot
Saving configuration to 'tftp://192.168.0.100/vyos-test.config.boot'...
######################################################################## 100.0%
Done

14 Chapter 4. Configuration Overview


CHAPTER 5

Network Interfaces

Configured interfaces on a VyOS system can be displayed using the show interfaces command.

vyos@vyos:~$ show interfaces


Codes: S - State, L - Link, u - Up, D - Down, A - Admin Down
Interface IP Address S/L Description
--------- ---------- --- -----------
eth0 172.16.51.129/24 u/u OUTSIDE
eth1 192.168.0.1/24 u/u INSIDE
lo 127.0.0.1/8 u/u
::1/128
vyos@vyos:~$

A specific interface can be shown using the show interfaces <type> <name> command.

vyos@vyos:~$ show interfaces ethernet eth0


eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
link/ether 00:0c:29:44:3b:0f brd ff:ff:ff:ff:ff:ff
inet 172.16.51.129/24 brd 172.16.51.255 scope global eth0
inet6 fe80::20c:29ff:fe44:3b0f/64 scope link
valid_lft forever preferred_lft forever
Description: OUTSIDE

RX: bytes packets errors dropped overrun mcast


274397 3064 0 0 0 0
TX: bytes packets errors dropped carrier collisions
257276 1890 0 0 0 0
vyos@vyos:~$

Different network interfaces provide type-specific configuration. Ethernet interfaces, for example, allow the configu-
ration of speed and duplex.
Many services, such as network routing, firewall, and traffic policy also maintain interface-specific configuration.
These will be covered in their respective sections.

15
VyOS Documentation, Release 1.2.0-beta

5.1 Interface Addresses

Each interface can be configured with a description and address. Interface addresses might be:
• Static IPv4 address 172.16.51.129/24
• Static IPv6 address 2001:db8:1::ffff/64
• DHCP IPv4 address dhcp
• DHCP IPv6 address dhcpv6
An interface description is assigned using the following command:

set interfaces ethernet eth0 description 'OUTSIDE'

5.1.1 IPv4

Static Address

This method is supported on all interfaces, apart from OpenVPN that uses different syntax and wireless modems that
are always autoconfigured through PPP.
The command is set interfaces $type $name address $address. Examples:

set interfaces ethernet eth0 address 192.0.2.1/24


set interfaces tunnel tun0 address 10.0.0.1/30
set interfaces bridge br0 address 203.0.113.45/26
set interfaces ethernet eth0 vif 30 address 192.0.30.254/24

DHCP

This method is supported on all physical interfaces, and those that are directly connected to a physical interface
(ethernet, VLAN, bridge, bond, pseudo-ethernet, wireless).
The command is set interfaces $type $name address dhcp. Examples:

set interfaces ethernet eth0 vif 90 address dhcp


set interfaces bridge br0 address dhcp

5.1.2 IPv6

Static Address

This method is supported on all interfaces, apart from OpenVPN that uses different syntax and wireless modems that
are always autoconfigured through PPP. Static IPv6 addresses are supported on all interfaces except Tunnel Interfaces
(vti).
The command is set interfaces $type $name address $address. Examples:

set interfaces ethernet eth0 address 2001:db8:100::ffff/64


set interfaces tunnel tun0 address 2001:db8::1/64
set interfaces bridge br0 address 2001:db8:200::1/64
set interfaces ethernet eth0 vif 30 address 2001:db8:3::ffff/64

16 Chapter 5. Network Interfaces


VyOS Documentation, Release 1.2.0-beta

DHCP

This method is supported on all physical interfaces, and those that are directly connected to a physical interface
(ethernet, VLAN, bridge, bond, pseudo-ethernet, wireless).
The command is set interfaces $type $name address dhcpv6. Examples:

set interfaces bonding bond1 address dhcpv6


set interfaces bridge br0 vif 56 address dhcpv6

Autoconfiguration (SLAAC)

SLAAC is specified in RFC4862. This method is supported on all physical interfaces, and those that are directly
connected to a physical interface (ethernet, VLAN, bridge, bond, pseudo-ethernet, wireless).
The command is set interfaces $type $name ipv6 address autoconf. Examples:

set interfaces ethernet eth0 vif 90 ipv6 address autoconf


set interfaces bridge br0 ipv6 address autoconf

Note: This method automatically disables IPv6 traffic forwarding on the interface in question.

EUI-64

EUI-64 (64-Bit Extended Unique Identifier) as specified in RFC4291. IPv6 addresses in /64 networks can be automat-
ically generated from the prefix and MAC address, if you specify the prefix.
The command is set interfaces $type $name ipv6 address eui64 $prefix. Examples:

set interfaces bridge br0 ipv6 address eui64 2001:db8:beef::/64


set interfaces pseudo-ethernet peth0 ipv6 address eui64 2001:db8:aa::/64

5.2 Dummy Interfaces

Dummy interfaces — much like the loopback, except you can have as many as you want. Dummy interfaces can be
used as interfaces that always stay up (in the same fashion to loopbacks in IOS), or for testing purposes.
Configuration commands:

interfaces
dummy <dum[0-999]>
+ address IP address
description Description
disable Disable interface
> ip IPv4 routing parameters
> ipv6 IPv6 routing parameters
redirect Incoming packet redirection destination
> traffic-policy Traffic-policy for interface

5.2. Dummy Interfaces 17


VyOS Documentation, Release 1.2.0-beta

5.3 Ethernet Interfaces

Ethernet interfaces allow for the configuration of speed, duplex, and hw-id (MAC address). Below is an example
configuration:
set interfaces ethernet eth1 address '192.168.0.1/24'
set interfaces ethernet eth1 address '2001:db8:1::ffff/64'
set interfaces ethernet eth1 description 'INSIDE'
set interfaces ethernet eth1 duplex 'auto'
set interfaces ethernet eth1 speed 'auto'

Resulting in:
ethernet eth1 {
address 192.168.0.1/24
address 2001:db8:1::ffff/64
description INSIDE
duplex auto
hw-id 00:0c:29:44:3b:19
smp_affinity auto
speed auto
}

In addition, Ethernet interfaces provide the extended operational commands show interfaces ethernet <name> physical
and show interfaces ethernet <name> statistics. Statistics available are driver dependent.
vyos@vyos:~$ show interfaces ethernet eth0 physical
Settings for eth0:
Supported ports: [ TP ]
Supported link modes: 10baseT/Half 10baseT/Full
100baseT/Half 100baseT/Full
1000baseT/Full
Supports auto-negotiation: Yes
Advertised link modes: 10baseT/Half 10baseT/Full
100baseT/Half 100baseT/Full
1000baseT/Full
Advertised pause frame use: No
Advertised auto-negotiation: Yes
Speed: 1000Mb/s
Duplex: Full
Port: Twisted Pair
PHYAD: 0
Transceiver: internal
Auto-negotiation: on
MDI-X: Unknown
Supports Wake-on: d
Wake-on: d
Current message level: 0x00000007 (7)
Link detected: yes
driver: e1000
version: 7.3.21-k8-NAPI
firmware-version:
bus-info: 0000:02:01.0

vyos@vyos:~$ show interfaces ethernet eth0 statistics


NIC statistics:
rx_packets: 3530
(continues on next page)

18 Chapter 5. Network Interfaces


VyOS Documentation, Release 1.2.0-beta

(continued from previous page)


tx_packets: 2179
[...]

5.4 Wireless Interfaces

Wireless, for example WiFi 802.11 b/g/n, interfaces allow for connection to WiFi networks or act as an access-point.
If your device is configurable it will appear as wlan in show interfaces.
To be able to use the wireless interfaces you will first need to set a regulatory domain with the country code of your
locaion.
set system wifi-regulatory-domain SE

An example on how to set it up as an access point:


set interfaces wireless wlan0 address '192.168.99.1/24'
set interfaces wireless wlan0 type access-point
set interfaces wireless wlan0 channel 1
set interfaces wireless wlan0 ssid '<your ssid>'
set interfaces wireless wlan0 security wpa mode wpa2
set interfaces wireless wlan0 security wpa cipher CCMP
set interfaces wireless wlan0 security wpa passphrase '<your passphrase>'

Resulting in
interfaces {
[...]
wireless wlan0 {
address 192.168.99.1/24
channel 1
mode g
security {
wpa {
cipher CCMP
mode wpa2
passphrase "<your passphrase>"
}
}
ssid "<your ssid>"
type access-point
}
}
system {
[...]
wifi-regulatory-domain SE
}

To get it to work as a access point with this configuration you will need to set up a DHCP server to work with that
network.

5.5 Bridging

Interfaces in VyOS can be bridged together to provide software switching of Layer-2 traffic.

5.4. Wireless Interfaces 19


VyOS Documentation, Release 1.2.0-beta

A bridge is created when a bridge interface is defined. In the example below we will be creating a bridge for VLAN
100 and assigning a VIF to the bridge.
set interfaces bridge 'br100'
set interfaces ethernet eth1 vif 100 bridge-group bridge br100

Interfaces assigned to a bridge-group do not have address configuration. An IP address can be assigned to the bridge
interface itself, however, like any normal interface.
set interfaces bridge br100 address '192.168.100.1/24'
set interfaces bridge br100 address '2001:db8:100::1/64'

Example Result:
bridge br100 {
address 192.168.100.1/24
address 2001:db8:100::1/64
}
[...]
ethernet eth1 {
[...]
vif 100 {
bridge-group {
bridge br100
}
}
}

In addition to normal IP interface configuration, bridge interfaces support Spanning-Tree Protocol. STP is disabled by
default.

Note: Please use caution when introducing spanning-tree protocol on a network as it may result in topology changes.

To enable spanning-tree use the set interfaces bridge <name> stp true command:
set interfaces bridge br100 stp true

STP priority, forwarding-delay, hello-time, and max-age can be configured for the bridge-group. The MAC aging
time can also be configured using the aging directive.
For member interfaces, the bridge-group priority and cost can be configured.
The show bridge operational command can be used to display configured bridges:
vyos@vyos:~$ show bridge
bridge name bridge id STP enabled interfaces
br100 0000.000c29443b19 yes eth1.100

If spanning-tree is enabled, the show bridge <name> spanning-tree command can be used to show STP configuration:
vyos@vyos:~$ show bridge br100 spanning-tree
br100
bridge id 0000.000c29443b19
designated root 0000.000c29443b19
root port 0 path cost 0
max age 20.00 bridge max age 20.00
hello time 2.00 bridge hello time 2.00
(continues on next page)

20 Chapter 5. Network Interfaces


VyOS Documentation, Release 1.2.0-beta

(continued from previous page)


forward delay 15.00 bridge forward delay 15.00
ageing time 300.00
hello timer 0.47 tcn timer 0.00
topology change timer 0.00 gc timer 64.63
flags

eth1.100 (1)
port id 8001 state forwarding
designated root 0000.000c29443b19 path cost 4
designated bridge 0000.000c29443b19 message age timer 0.00
designated port 8001 forward delay timer 0.00
designated cost 0 hold timer 0.00
flags

The MAC address-table for a bridge can be displayed using the show bridge <name> macs command:

vyos@vyos:~$ show bridge br100 macs


port no mac addr is local? ageing timer
1 00:0c:29:44:3b:19 yes 0.00

5.6 Bonding

You can combine (aggregate) 2 or more physical interfaces into a single logical one. It’s called bonding, or LAG, or
ether-channel, or port-channel.
Create interface bondX, where X is just a number:

set interfaces bonding bond0 description 'my-sw1 int 23 and 24'

You are able to choose a hash policy:

vyos@vyos# set interfaces bonding bond0 hash-policy


Possible completions:
layer2 use MAC addresses to generate the hash (802.3ad)
layer2+3 combine MAC address and IP address to make hash
layer3+4 combine IP address and port to make hash

For example:

set interfaces bonding bond0 hash-policy 'layer2'

You may want to set IEEE 802.3ad Dynamic link aggregation (802.3ad) AKA LACP (don’t forget to setup it on the
other end of these links):

set interfaces bonding bond0 mode '802.3ad'

or some other modes:

vyos@vyos# set interfaces bonding bond0 mode


Possible completions:
802.3ad IEEE 802.3ad Dynamic link aggregation (Default)
active-backup
Fault tolerant: only one slave in the bond is active
broadcast Fault tolerant: transmits everything on all slave interfaces
(continues on next page)

5.6. Bonding 21
VyOS Documentation, Release 1.2.0-beta

(continued from previous page)


round-robin Load balance: transmit packets in sequential order
transmit-load-balance
Load balance: adapts based on transmit load and speed
adaptive-load-balance
Load balance: adapts based on transmit and receive plus ARP
xor-hash Load balance: distribute based on MAC address

Now bond some physical interfaces into bond0:

set interfaces ethernet eth0 bond-group 'bond0'


set interfaces ethernet eth0 description 'member of bond0'
set interfaces ethernet eth1 bond-group 'bond0'
set interfaces ethernet eth1 description 'member of bond0'

After a commit you may treat bond0 as almost a physical interface (you can’t change its‘ duplex, for example) and
assign IPs or VIFs on it.
You may check the result:

vyos@vyos# run sh interfaces bonding


Codes: S - State, L - Link, u - Up, D - Down, A - Admin Down
Interface IP Address S/L Description
--------- ---------- --- -----------
bond0 - u/u my-sw1 int 23 and 24
bond0.10 192.168.0.1/24 u/u office-net
bond0.100 10.10.10.1/24 u/u management-net

5.7 Tunnel Interfaces (vti)

Set Virtual Tunnel interface

set interfaces vti vti0 address 192.168.2.249/30


set interfaces vti vti0 address 2001:db8:2::249/64

Results in:

vyos@vyos# show interfaces vti


vti vti0 {
address 192.168.2.249/30
address 2001:db8:2::249/64
description "Description"
}

5.8 VLAN Sub-Interfaces (802.1Q)

802.1Q VLAN interfaces are represented as virtual sub-interfaces in VyOS. The term used for this is vif. Configuration
of a tagged sub-interface is accomplished using the configuration command set interfaces ethernet <name> vif <vlan-
id>.

set interfaces ethernet eth1 vif 100 description 'VLAN 100'


set interfaces ethernet eth1 vif 100 address '192.168.100.1/24'
set interfaces ethernet eth1 vif 100 address '2001:db8:100::1/64'

22 Chapter 5. Network Interfaces


VyOS Documentation, Release 1.2.0-beta

Resulting in:
ethernet eth1 {
address 192.168.100.1/24
address 2001:db8:100::1/64
description INSIDE
duplex auto
hw-id 00:0c:29:44:3b:19
smp_affinity auto
speed auto
vif 100 {
address 192.168.100.1/24
description "VLAN 100"
}
}

VLAN interfaces are shown as <name>.<vlan-id>, e.g. eth1.100:


vyos@vyos:~$ show interfaces
Codes: S - State, L - Link, u - Up, D - Down, A - Admin Down
Interface IP Address S/L Description
--------- ---------- --- -----------
eth0 172.16.51.129/24 u/u OUTSIDE
eth1 192.168.0.1/24 u/u INSIDE
eth1.100 192.168.100.1/24 u/u VLAN 100
lo 127.0.0.1/8 u/u
::1/128

5.9 QinQ

QinQ (802.1ad) — allows multiple VLAN tags to be inserted into a single frame.
QinQ can be used to tunnel vlans in a vlan.
vif-s and vif-c stand for the ethertype tags that get set:
The inner tag is the tag which is closest to the payload portion of the frame; it is officially called C-TAG (Customer
tag, with ethertype 0x8100). The outer tag is the one closer/closest to the Ethernet header; its name is S-TAG (Service
tag, ethertype 0x88a8).
Configuration commands:
interfaces
ethernet <eth[0-999]>
address <ipv4>
address <ipv6>
description <txt>
disable
ip
<usual IP options>
ipv6
<usual IPv6 options>
vif-s <[0-4096]>
address <ipv4>
address <ipv6>
description <txt>
disable
(continues on next page)

5.9. QinQ 23
VyOS Documentation, Release 1.2.0-beta

(continued from previous page)


ip
<usual IP options>
ipv6
<usual IPv6 options>
vif-c <[0-4096]>
address <ipv4>
address <ipv6>
description <txt>
disable
ip
<usual IP options>
ipv6
<usual IPv6 options>

Example:

set interfaces ethernet eth0 vif-s 333


set interfaces ethernet eth0 vif-s 333 address 192.0.2.10/32
set interfaces ethernet eth0 vif-s 333 vif-c 777
set interfaces ethernet eth0 vif-s 333 vif-c 777 address 10.10.10.10/24

5.10 VXLAN

VXLAN is an overlaying Ethernet over IP protocol. It is described in RFC73481 .


If configuring VXLAN in a VyOS virtual machine, ensure that MAC spoofing (Hyper-V) or Forged Transmits (ESX)
are permitted, otherwise forwarded frames may be blocked by the hypervisor.

5.10.1 Multicast VXLAN

Example Topology:
PC4 - Leaf2 - Spine1 - Leaf3 - PC5
PC4 has IP 10.0.0.4/24 and PC5 has IP 10.0.0.5/24, so they believe they are in the same broadcast domain.
Let’s assume PC4 on Leaf2 wants to ping PC5 on Leaf3. Instead of setting Leaf3 as our remote end manually, Leaf2
encapsulates the packet into a UDP-packet and sends it to its designated multicast-address via Spine1. When Spine1
receives this packet it forwards it to all other Leafs who has joined the same multicast-group, in this case Leaf3. When
Leaf3 receives the packet it forwards it, while at the same time learning that PC4 is reachable behind Leaf2, because
the encapsulated packet had Leaf2’s IP-address set as source IP.
PC5 receives the ping echo, responds with an echo reply that Leaf3 receives and this time forwards to Leaf2’s unicast
address directly because it learned the location of PC4 above. When Leaf2 receives the echo reply from PC5 it sees
that it came from Leaf3 and so remembers that PC5 is reachable via Leaf3.
Thanks to this discovery, any subsequent traffic between PC4 and PC5 will not be using the multicast-address between
the Leafs as they both know behind which Leaf the PCs are connected. This saves traffic as less multicast packets sent
reduces the load on the network, which improves scalability when more Leafs are added.
For optimal scalability Multicast shouldn’t be used at all, but instead use BGP to signal all connected devices between
leafs. Unfortunately, VyOS does not yet support this.
1 https://datatracker.ietf.org/doc/rfc7348/

24 Chapter 5. Network Interfaces


VyOS Documentation, Release 1.2.0-beta

5.10.2 Configuration commands

interfaces
vxlan <vxlan[0-16777215]>
address # IP address of the VXLAN interface
bridge-group # Configure a L2 bridge-group
description # Description
group <ipv4> # IPv4 Multicast group address (required)
ip # IPv4 routing options
ipv6 # IPv6 routing options
link <dev> # IP interface for underlay of this vxlan overlay (optional)
mtu # MTU
policy # Policy routing options
remote # Remote address of the VXLAN tunnel, used for PTP instead of
˓→multicast

vni <1-16777215> # Virtual Network Identifier (required)

5.10.3 Configuration Example

The setup is this:


Leaf2 - Spine1 - Leaf3
Spine1 is a Cisco IOS router running version 15.4, Leaf2 and Leaf3 is each a VyOS router running 1.2.
This topology was built using GNS3.
Topology:

Spine1:
fa0/2 towards Leaf2, IP-address: 10.1.2.1/24
fa0/3 towards Leaf3, IP-address: 10.1.3.1/24

Leaf2:
Eth0 towards Spine1, IP-address: 10.1.2.2/24
Eth1 towards a vlan-aware switch

Leaf3:
Eth0 towards Spine1, IP-address 10.1.3.3/24
Eth1 towards a vlan-aware switch

Spine1 Configuration:

conf t
ip multicast-routing
!
interface fastethernet0/2
ip address 10.1.2.1 255.255.255.0
ip pim sparse-dense-mode
!
interface fastethernet0/3
ip address 10.1.3.1 255.255.255.0
ip pim sparse-dense-mode
!
router ospf 1
network 10.0.0.0 0.255.255.255 area 0

5.10. VXLAN 25
VyOS Documentation, Release 1.2.0-beta

Multicast-routing is required for the leafs to forward traffic between each other in a more scalable way. This also
requires PIM to be enabled towards the Leafs so that the Spine can learn what multicast groups each Leaf expect
traffic from.
Leaf2 configuration:

set interfaces ethernet eth0 address '10.1.2.2/24'


set protocols ospf area 0 network '10.0.0.0/8'

! Our first vxlan interface


set interfaces bridge br241 address '172.16.241.1/24'
set interfaces ethernet eth1 vif 241 bridge-group bridge 'br241'
set interfaces vxlan vxlan241 bridge-group bridge 'br241'
set interfaces vxlan vxlan241 group '239.0.0.241'
set interfaces vxlan vxlan241 link 'eth0'
set interfaces vxlan vxlan241 vni '241'

! Our seconds vxlan interface


set interfaces bridge br242 address '172.16.242.1/24'
set interfaces ethernet eth1 vif 242 bridge-group bridge 'br242'
set interfaces vxlan vxlan242 bridge-group bridge 'br242'
set interfaces vxlan vxlan242 group '239.0.0.242'
set interfaces vxlan vxlan242 link 'eth0'
set interfaces vxlan vxlan242 vni '242'

Leaf3 configuration:

set interfaces ethernet eth0 address '10.1.3.3/24'


set protocols ospf area 0 network '10.0.0.0/8'

! Our first vxlan interface


set interfaces bridge br241 address '172.16.241.1/24'
set interfaces ethernet eth1 vif 241 bridge-group bridge 'br241'
set interfaces vxlan vxlan241 bridge-group bridge 'br241'
set interfaces vxlan vxlan241 group '239.0.0.241'
set interfaces vxlan vxlan241 link 'eth0'
set interfaces vxlan vxlan241 vni '241'

! Our seconds vxlan interface


set interfaces bridge br242 address '172.16.242.1/24'
set interfaces ethernet eth1 vif 242 bridge-group bridge 'br242'
set interfaces vxlan vxlan242 bridge-group bridge 'br242'
set interfaces vxlan vxlan242 group '239.0.0.242'
set interfaces vxlan vxlan242 link 'eth0'
set interfaces vxlan vxlan242 vni '242'

As you can see, Leaf2 and Leaf3 configuration is almost identical. There are lots of commands above, I’ll try to into
more detail below, command descriptions are placed under the command boxes:

set interfaces bridge br241 address '172.16.241.1/24'

This commands creates a bridge that is used to bind traffic on eth1 vlan 241 with the vxlan241-interface. The IP-
address is not required. It may however be used as a default gateway for each Leaf which allows devices on the vlan to
reach other subnets. This requires that the subnets are redistributed by OSPF so that the Spine will learn how to reach
it. To do this you need to change the OSPF network from ‘10.0.0.0/8’ to ‘0.0.0.0/0’ to allow 172.16/12-networks to be
advertised.

26 Chapter 5. Network Interfaces


VyOS Documentation, Release 1.2.0-beta

set interfaces ethernet eth1 vif 241 bridge-group bridge 'br241'


set interfaces vxlan vxlan241 bridge-group bridge 'br241'

Binds eth1 vif 241 and vxlan241 to each other by putting them in the same bridge-group. Internal VyOS requirement.

set interfaces vxlan vxlan241 group '239.0.0.241'

The multicast-group used by all Leafs for this vlan extension. Has to be the same on all Leafs that has this interface.

set interfaces vxlan vxlan241 link 'eth0'

Sets the interface to listen for multicast packets on. Could be a loopback, not yet tested.

set interfaces vxlan vxlan241 vni '241'

Sets the unique id for this vxlan-interface. Not sure how it correlates with multicast-address.

set interfaces vxlan vxlan241 remote-port 12345

The destination port used for creating a VXLAN interface in Linux defaults to its pre-standard value of 8472 to
preserve backwards compatibility. A configuration directive to support a user-specified destination port to override
that behavior is available using the above command.

5.10.4 Older Examples

Example for bridging normal L2 segment and vxlan overlay network, and using a vxlan interface as routing interface.

interfaces {
bridge br0 {
}
ethernet eth0 {
address dhcp
}
loopback lo {
}
vxlan vxlan0 {
bridge-group {
bridge br0
}
group 239.0.0.1
vni 0
}
vxlan vxlan1 {
address 192.168.0.1/24
link eth0
group 239.0.0.1
vni 1
}
}

Here is a working configuration that creates a VXLAN between two routers. Each router has a VLAN interface (26)
facing the client devices and a VLAN interface (30) that connects it to the other routers. With this configuration,
traffic can flow between both routers’ VLAN 26, but can’t escape since there is no L3 gateway. You can add an IP to
a bridge-group to create a gateway.

5.10. VXLAN 27
VyOS Documentation, Release 1.2.0-beta

interfaces {
bridge br0 {
}
ethernet eth0 {
duplex auto
smp-affinity auto
speed auto
vif 26 {
bridge-group {
bridge br0
}
}
vif 30 {
address 10.7.50.6/24
}
}
loopback lo {
}
vxlan vxlan0 {
bridge-group {
bridge br0
}
group 239.0.0.241
vni 241
}
}

5.11 WireGuard VPN Interface

WireGuard is an extremely simple yet fast and modern VPN that utilizes state-of-the-art cryptography. See https:
//www.wireguard.com for more information.

5.11.1 Configuration

Generate the keypair, which creates a public and private part and stores it within VyOS.

wg01:~$ configure
wg01# run generate wireguard keypair

The public key is being shared with your peer(s), your peer will encrypt all traffic to your system using this public key.

wg01# run show wireguard pubkey


u41jO3OF73Gq1WARMMFG7tOfk7+r8o8AzPxJ1FZRhzk=

The next step is to configure your local side as well as the policy based trusted destination addresses. If you only
initiate a connection, the listen port and endpoint is optional, if you however act as a server and endpoints initiate the
connections to your system, you need to define a port your clients can connect to, otherwise it’s randomly chosen and
may make it difficult with firewall rules, since the port may be a different one when you reboot your system.
You will also need the public key of your peer as well as the network(s) you want to tunnel (allowed-ips) to configure
a wireguard tunnel. The public key below is always the public key from your peer, not your local one.
local side

28 Chapter 5. Network Interfaces


VyOS Documentation, Release 1.2.0-beta

set interfaces wireguard wg01 address '10.1.0.1/24'


set interfaces wireguard wg01 description 'VPN-to-wg02'
set interfaces wireguard wg01 peer to-wg02 allowed-ips '10.2.0.0/24'
set interfaces wireguard wg01 peer to-wg02 endpoint '192.168.0.142:12345'
set interfaces wireguard wg01 peer to-wg02 pubkey
˓→'XMrlPykaxhdAAiSjhtPlvi30NVkvLQliQuKP7AI7CyI='

set interfaces wireguard wg01 port '12345'


set protocols static interface-route 10.2.0.0/24 next-hop-interface wg01

The last step is to define an interface route for 10.2.0.0/24 to get through the wireguard interface wg01. Multiple IPs
or networks can be defined and routed, the last check is allowed-ips which either prevents or allows the traffic.
remote side

set interfaces wireguard wg01 address '10.2.0.1/24'


set interfaces wireguard wg01 description 'VPN-to-wg01'
set interfaces wireguard wg01 peer to-wg02 allowed-ips '10.1.0.0/24'
set interfaces wireguard wg01 peer to-wg02 endpoint '192.168.0.124:12345'
set interfaces wireguard wg01 peer to-wg02 pubkey
˓→'u41jO3OF73Gq1WARMMFG7tOfk7+r8o8AzPxJ1FZRhzk='

set interfaces wireguard wg01 port '12345'


set protocols static interface-route 10.1.0.0/24 next-hop-interface wg01

Assure that your firewall rules allow the traffic, in which case you have a working VPN using wireguard.

wg01# ping 10.2.0.1


PING 10.2.0.1 (10.2.0.1) 56(84) bytes of data.
64 bytes from 10.2.0.1: icmp_seq=1 ttl=64 time=1.16 ms
64 bytes from 10.2.0.1: icmp_seq=2 ttl=64 time=1.77 ms

wg02# ping 10.1.0.1


PING 10.1.0.1 (10.1.0.1) 56(84) bytes of data.
64 bytes from 10.1.0.1: icmp_seq=1 ttl=64 time=4.40 ms
64 bytes from 10.1.0.1: icmp_seq=2 ttl=64 time=1.02 ms

An additional layer of symmetric-key crypto can be used on top of the asymmetric crypto, which is optional.

wg01# run generate wireguard preshared-key


rvVDOoc2IYEnV+k5p7TNAmHBMEGTHbPU8Qqg8c/sUqc=

Copy the key, it is not stored on the local file system. Make sure you distribute that key in a safe manner, it’s a
symmatric key, so only you and your peer should have knowledge if its content.

wg01# set interfaces wireguard wg01 peer to-wg02 preshared-key


˓→'rvVDOoc2IYEnV+k5p7TNAmHBMEGTHbPU8Qqg8c/sUqc='

wg02# set interfaces wireguard wg01 peer to-wg01 preshared-key


˓→'rvVDOoc2IYEnV+k5p7TNAmHBMEGTHbPU8Qqg8c/sUqc='

operational commands

vyos@wg01# show interfaces wireguard wg01

interface: wg01
public key: xHvgSJC8RTClfvjc0oX6OALxU6GGLapjthjw7x82CSw=
private key: (hidden)
listening port: 12345

(continues on next page)

5.11. WireGuard VPN Interface 29


VyOS Documentation, Release 1.2.0-beta

(continued from previous page)


peer: 9Ek3R30mG6Vk+GHsENtPF0b9Ul+ftxx4dDBa1bdBxX8=
endpoint: 192.168.0.142:12345
allowed ips: 10.2.0.0/24
latest handshake: 4 minutes, 22 seconds ago
transfer: 860 B received, 948 B sent

30 Chapter 5. Network Interfaces


CHAPTER 6

Routing

VyOS is a “router first” network operating system. It supports static routing, policy routing, and dynamic routing
using standard protocols (RIP, OSPF, and BGP).

6.1 Static

Static routes are manually configured network routes.


A typical use for a static route is a static default route for systems that do not make use of DHCP or dynamic routing
protocols:

set protocols static route 0.0.0.0/0 next-hop 10.1.1.1 distance '1'

Another common use of static routes is to blackhole (drop) traffic. In the example below, RFC 1918 private IP networks
are set as blackhole routes. This does not prevent networks within these segments from being used, since the most
specific route is always used. It does, however, prevent traffic to unknown private networks from leaving the router.
Commonly refereed to as leaking.

set protocols static route 10.0.0.0/8 blackhole distance '254'


set protocols static route 172.16.0.0/12 blackhole distance '254'
set protocols static route 192.168.0.0/16 blackhole distance '254'

Note: Routes with a distance of 255 are effectively disabled and not installed into the kernel.

6.2 RIP

Simple RIP configuration using 2 nodes and redistributing connected interfaces.


Node 1:

31
VyOS Documentation, Release 1.2.0-beta

set interfaces loopback address 10.1.1.1/32


set protocols rip network 192.168.0.0/24
set protocols rip redistribute connected

Node 2:

set interfaces loopback address 10.2.2.2/32


set protocols rip network 192.168.0.0/24
set protocols rip redistribute connected

6.3 OSPF

6.3.1 IPv4

A typical configuration using 2 nodes, redistribute loopback address and the node 1 sending the default route:
Node 1:

set interfaces loopback lo address 10.1.1.1/32


set protocols ospf area 0 network 192.168.0.0/24
set protocols ospf default-information originate always
set protocols ospf default-information originate metric 10
set protocols ospf default-information originate metric-type 2
set protocols ospf log-adjacency-changes
set protocols ospf parameters router-id 10.1.1.1
set protocols ospf redistribute connected metric-type 2
set protocols ospf redistribute connected route-map CONNECT

set policy route-map CONNECT rule 10 action permit


set policy route-map CONNECT rule 10 match interface lo

Node 2:

set interfaces loopback lo address 10.2.2.2/32


set protocols ospf area 0 network 192.168.0.0/24
set protocols ospf log-adjacency-changes
set protocols ospf parameters router-id 10.2.2.2
set protocols ospf redistribute connected metric-type 2
set protocols ospf redistribute connected route-map CONNECT

set policy route-map CONNECT rule 10 action permit


set policy route-map CONNECT rule 10 match interface lo

6.3.2 IPv6

A typical configuration using 2 nodes.


Node 1:

set protocols ospfv3 area 0.0.0.0 interface eth1


set protocols ospfv3 area 0.0.0.0 range 2001:db8:1::/64
set protocols ospfv3 parameters router-id 192.168.1.1
set protocols ospfv3 redistribute connected

32 Chapter 6. Routing
VyOS Documentation, Release 1.2.0-beta

Node 2:

set protocols ospfv3 area 0.0.0.0 interface eth1


set protocols ospfv3 area 0.0.0.0 range 2001:db8:2::/64
set protocols ospfv3 parameters router-id 192.168.2.1
set protocols ospfv3 redistribute connected

6.4 BGP

6.4.1 IPv4

A simple eBGP configuration:


Node 1:

set protocols bgp 65534 neighbor 192.168.0.2 ebgp-multihop '2'


set protocols bgp 65534 neighbor 192.168.0.2 remote-as '65535'
set protocols bgp 65534 neighbor 192.168.0.2 update-source '192.168.0.1'
set protocols bgp 65534 address-family ipv4-unicast network '172.16.0.0/16'
set protocols bgp 65534 parameters router-id '192.168.0.1'

Node 2:

set protocols bgp 65535 neighbor 192.168.0.1 ebgp-multihop '2'


set protocols bgp 65535 neighbor 192.168.0.1 remote-as '65534'
set protocols bgp 65535 neighbor 192.168.0.1 update-source '192.168.0.2'
set protocols bgp 65535 address-family ipv4-unicast network '172.17.0.0/16'
set protocols bgp 65535 parameters router-id '192.168.0.2'

Don’t forget, the CIDR declared in the network statement MUST exist in your routing table (dynamic or static),
the best way to make sure that is true is creating a static route:
Node 1:

set protocols static route 1.0.0.0/16 blackhole distance '254'

Node 2:

set protocols static route 2.0.0.0/16 blackhole distance '254'

6.4.2 IPv6

A simple BGP configuration via IPv6.


Node 1:

set protocols bgp 65534 neighbor 2001:db8::2 ebgp-multihop '2'


set protocols bgp 65534 neighbor 2001:db8::2 remote-as '65535'
set protocols bgp 65534 neighbor 2001:db8::2 update-source '2001:db8::1'
set protocols bgp 65534 neighbor 2001:db8::2 address-family ipv6-unicast
set protocols bgp 65534 address-family ipv6-unicast network '2001:db8:1::/48'
set protocols bgp 65534 parameters router-id '10.1.1.1'

Node 2:

6.4. BGP 33
VyOS Documentation, Release 1.2.0-beta

set protocols bgp 65535 neighbor 2001:db8::1 ebgp-multihop '2'


set protocols bgp 65535 neighbor 2001:db8::1 remote-as '65534'
set protocols bgp 65535 neighbor 2001:db8::1 update-source '2001:db8::2'
set protocols bgp 65535 neighbor 2001:db8::1 address-family ipv6-unicast
set protocols bgp 65535 address-family ipv6-unicast network '2001:db8:2::/48'
set protocols bgp 65535 parameters router-id '10.1.1.2'

Don’t forget, the CIDR declared in the network statement MUST exist in your routing table (dynamic or static),
the best way to make sure that is true is creating a static route:
Node 1:

set protocols static route6 2a001:100:1::/48 blackhole distance '254'

Node 2:

set protocols static route6 2001:db8:2::/48 blackhole distance '254'

6.4.3 Route Filter

Route filter can be applied using a route-map:


Node1:

set policy prefix-list AS65535-IN rule 10 action 'permit'


set policy prefix-list AS65535-IN rule 10 prefix '172.16.0.0/16'
set policy prefix-list AS65535-OUT rule 10 action 'deny'
set policy prefix-list AS65535-OUT rule 10 prefix '172.16.0.0/16'
set policy prefix-list6 AS65535-IN rule 10 action 'permit'
set policy prefix-list6 AS65535-IN rule 10 prefix '2001:db8:2::/48'
set policy prefix-list6 AS65535-OUT rule 10 action 'deny'
set policy prefix-list6 AS65535-OUT rule 10 prefix '2001:db8:2::/48'
set policy route-map AS65535-IN rule 10 action 'permit'
set policy route-map AS65535-IN rule 10 match ip address prefix-list 'AS65535-IN'
set policy route-map AS65535-IN rule 10 match ipv6 address prefix-list 'AS65535-IN'
set policy route-map AS65535-IN rule 20 action 'deny'
set policy route-map AS65535-OUT rule 10 action 'deny'
set policy route-map AS65535-OUT rule 10 match ip address prefix-list 'AS65535-OUT'
set policy route-map AS65535-OUT rule 10 match ipv6 address prefix-list 'AS65535-OUT'
set policy route-map AS65535-OUT rule 20 action 'permit'
set protocols bgp 65534 neighbor 2001:db8::2 route-map export 'AS65535-OUT'
set protocols bgp 65534 neighbor 2001:db8::2 route-map import 'AS65535-IN'

Node2:

set policy prefix-list AS65534-IN rule 10 action 'permit'


set policy prefix-list AS65534-IN rule 10 prefix '172.17.0.0/16'
set policy prefix-list AS65534-OUT rule 10 action 'deny'
set policy prefix-list AS65534-OUT rule 10 prefix '172.17.0.0/16'
set policy prefix-list6 AS65534-IN rule 10 action 'permit'
set policy prefix-list6 AS65534-IN rule 10 prefix '2001:db8:1::/48'
set policy prefix-list6 AS65534-OUT rule 10 action 'deny'
set policy prefix-list6 AS65534-OUT rule 10 prefix '2001:db8:1::/48'
set policy route-map AS65534-IN rule 10 action 'permit'
set policy route-map AS65534-IN rule 10 match ip address prefix-list 'AS65534-IN'
set policy route-map AS65534-IN rule 10 match ipv6 address prefix-list 'AS65534-IN'
(continues on next page)

34 Chapter 6. Routing
VyOS Documentation, Release 1.2.0-beta

(continued from previous page)


set policy route-map AS65534-IN rule 20 action 'deny'
set policy route-map AS65534-OUT rule 10 action 'deny'
set policy route-map AS65534-OUT rule 10 match ip address prefix-list 'AS65534-OUT'
set policy route-map AS65534-OUT rule 10 match ipv6 address prefix-list 'AS65534-OUT'
set policy route-map AS65534-OUT rule 20 action 'permit'
set protocols bgp 65535 neighbor 2001:db8::1 route-map export 'AS65534-OUT'
set protocols bgp 65535 neighbor 2001:db8::1 route-map import 'AS65534-IN'

We could expand on this and also deny link local and multicast in the rule 20 action deny.

6.5 ARP

To manipulate or display ARP table entries, the following commands are implemented.

6.5.1 adding a static arp entry

set protocols static arp 10.1.1.100 hwaddr 08:00:27:de:23:aa


commit

6.5.2 display arp table entries

show protocols static arp

Address HWtype HWaddress Flags Mask Iface


10.1.1.1 ether 08:00:27:de:23:2e C eth1
10.1.1.100 ether 08:00:27:de:23:aa CM eth1

show protocols static arp interface eth1


Address HWtype HWaddress Flags Mask Iface
10.1.1.1 ether 08:00:27:de:23:2e C eth1
10.1.1.100 ether 08:00:27:de:23:aa CM eth1

6.5. ARP 35
VyOS Documentation, Release 1.2.0-beta

36 Chapter 6. Routing
CHAPTER 7

Policy Routing

VyOS supports Policy Routing, allowing traffic to be assigned to a different routing table. Traffic can be matched
using standard 5-tuple matching (source address, destination address, protocol, source port, destination port).
The following example will show how VyOS can be used to redirect web traffic to an external transparent proxy:

set policy route FILTER-WEB rule 1000 destination port 80


set policy route FILTER-WEB rule 1000 protocol tcp
set policy route FILTER-WEB rule 1000 set table 100

This creates a route policy called FILTER-WEB with one rule to set the routing table for matching traffic (TCP port
80) to table ID 100 instead of the default routing table.
To create routing table 100 and add a new default gateway to be used by traffic matching our route policy:

set protocols static table 100 route 0.0.0.0/0 next-hop 10.255.0.2

This can be confirmed using the show ip route table 100 operational command.
Finally, to apply the policy route to ingress traffic on our LAN interface, we use:

set interfaces ethernet eth1 policy route FILTER-WEB

The route policy functionality in VyOS can also be used to rewrite TCP MSS using the set policy route <name> rule
<rule> set tcp-mss <value> directive, modify DSCP value using set dscp <value>, or mark the traffic with an internal
ID using set mark <value> for further processing (e.g. QOS) on a per-rule basis for matching traffic.
In addition to 5-tuple matching, additional options such as time-based rules, are available. See the built-in help for a
complete list of options.

37
VyOS Documentation, Release 1.2.0-beta

38 Chapter 7. Policy Routing


CHAPTER 8

Firewall

VyOS makes use of Linux [http://netfilter.org/ netfilter] for packet filtering.


The firewall supports the creation of groups for ports, addresses, and networks (implemented using netfilter ipset) and
the option of interface or zone based firewall policy.
Important note on usage of terms: The firewall makes use of the terms in, out, and local for firewall policy. Users
experienced with netfilter often confuse in to be a reference to the INPUT chain, and out the OUTPUT chain from
netfilter. This is not the case. These instead indicate the use of the FORWARD chain and either the input or output
interface. The INPUT chain, which is used for local traffic to the OS, is a reference to as local with respect to its input
interface.

8.1 Zone-based Firewall Policy

As an alternative to applying policy to an interface directly, a zone-based firewall can be created to simplify configu-
ration when multiple interfaces belong to the same security zone. Instead of applying to rulesets to interfaces they are
applied to source zone-destination zone pairs.
An introduction to zone-based firewalls can be found [[A primer to Zone Based Firewall|here]]. For an example see
[[Zone-policy_example|Zone-policy example]].

8.2 Groups

Firewall groups represent collections of IP addresses, networks, or ports. Once created, a group can be referenced by
firewall rules as either a source or destination. Members can be added or removed from a group without changes to or
the need to reload individual firewall rules.

Note: Groups can also be referenced by NAT configuration.

39
VyOS Documentation, Release 1.2.0-beta

While network groups accept IP networks in CIDR notation, specific IP addresses can be added as a 32-bit prefix. If
you foresee the need to add a mix of addresses and networks, the network group is recommended.
Here is an example of a network group for the IP networks that make up the internal network:

set firewall group network-group NET-INSIDE network 192.168.0.0/24


set firewall group network-group NET-INSIDE network 192.168.1.0/24

A port group represents only port numbers, not the protocol. Port groups can be referenced for either TCP or UDP.
It is recommended that TCP and UDP groups are created separately to avoid accidentally filtering unnecessary ports.
Ranges of ports can be specified by using -.
Here is an example of a port group a server:

set firewall group port-group PORT-TCP-SERVER1 port 80


set firewall group port-group PORT-TCP-SERVER1 port 443
set firewall group port-group PORT-TCP-SERVER1 port 5000-5010

8.3 Rule-Sets

A rule-set is a named collection of firewall rules that can be applied to an interface or zone. Each rule is numbered,
has an action to apply if the rule is matched, and the ability to specify the criteria to match.
Example of a rule-set to filter traffic to the internal network:

set firewall name INSIDE-OUT default-action drop


set firewall name INSIDE-OUT rule 1010 action accept
set firewall name INSIDE-OUT rule 1010 state established enable
set firewall name INSIDE-OUT rule 1010 state related enable
set firewall name INSIDE-OUT rule 1020 action drop
set firewall name INSIDE-OUT rule 1020 state invalid enable

8.4 Applying a Rule-Set to an Interface

Once a rule-set is created, it can be applied to an interface.

Note: Only one rule-set can be applied to each interface for in, out, or local traffic for each protocol (IPv4 and IPv6).

set interfaces ethernet eth1 firewall out name INSIDE-OUT

8.5 Applying a Rule-Set to a Zone

A named rule-set can also be applied to a zone relationship (note, zones must first be created):

set zone-policy zone INSIDE from OUTSIDE firewall name INSIDE-OUT

40 Chapter 8. Firewall
VyOS Documentation, Release 1.2.0-beta

8.6 Example Partial Config

firewall {
all-ping enable
broadcast-ping disable
config-trap disable
group {
network-group BAD-NETWORKS {
network 1.2.3.0/24
network 1.2.4.0/24
}
network-group GOOD-NETWORKS {
network 4.5.6.0/24
network 4.5.7.0/24
}
port-group BAD-PORTS {
port 65535
}
}
name FROM-INTERNET {
default-action accept
description "From the Internet"
rule 10 {
action accept
description "Authorized Networks"
protocol all
source {
group {
network-group GOOD-NETWORKS
}
}
}
rule 11 {
action drop
description "Bad Networks"
protocol all
source {
group {
network-group BAD-NETWORKS
}
}
}
rule 30 {
action drop
description "BAD PORTS"
destination {
group {
port-group BAD-PORTS
}
}
log enable
protocol all
}
}
}
interfaces {
ethernet eth1 {
(continues on next page)

8.6. Example Partial Config 41


VyOS Documentation, Release 1.2.0-beta

(continued from previous page)


address dhcp
description OUTSIDE
duplex auto
firewall {
in {
name FROM-INTERNET
}
}
}
}

[https://www.xfinity.com/support/internet/list-of-blocked-ports/ XFinity Blocked Port List]

42 Chapter 8. Firewall
CHAPTER 9

NAT

9.1 Source NAT

Source NAT is typically referred to simply as NAT. To be more correct, what most people refer to as NAT is actually
the process of Port Address Translation (PAT), or NAT Overload. The process of having many internal host systems
communicate to the Internet using a single or subset of IP addresses.
To setup SNAT, we need to know: * The internal IP addresses we want to translate * The outgoing interface to perform
the translation on * The external IP address to translate to
In the example used for the Quick Start configuration above, we demonstrate the following configuration:
set nat source rule 100 outbound-interface ‘eth0’ set nat source rule 100 source address ‘192.168.0.0/24’
set nat source rule 100 translation address ‘masquerade’
Which generates the following configuration:

rule 100 {
outbound-interface eth0
source {
address 192.168.0.0/24
}
translation {
address masquerade
}
}

In this example, we use masquerade as the translation address instead of an IP address. The masquerade target is
effectively an alias to say “use whatever IP address is on the outgoing interface”, rather than a statically configured IP
address. This is useful if you use DHCP for your outgoing interface and do not know what the external address will
be.
When using NAT for a large number of host systems it recommended that a minimum of 1 IP address is used to
NAT every 256 host systems. This is due to the limit of 65,000 port numbers available for unique translations and a
reserving an average of 200-300 sessions per host system.

43
VyOS Documentation, Release 1.2.0-beta

Example: For an ~8,000 host network a source NAT pool of 32 IP addresses is recommended.
A pool of addresses can be defined by using a - in the set nat source rule [n] translation address statement.
set nat source rule 100 translation address '203.0.113.32-203.0.113.63'

Note: Avoiding “leaky” NAT

Linux netfilter will not NAT traffic marked as INVALID. This often confuses people into thinking that Linux (or
specifically VyOS) has a broken NAT implementation because non-NATed traffic is seen leaving an external interface.
This is actually working as intended, and a packet capture of the “leaky” traffic should reveal that the traffic is either
an additional TCP “RST”, “FIN,ACK”, or “RST,ACK” sent by client systems after Linux netfilter considers the
connection closed. The most common is the additional TCP RST some host implementations send after terminating a
connection (which is implementation- specific).
In other words, connection tracking has already observed the connection be closed and has transition the flow to
INVALID to prevent attacks from attempting to reuse the connection.
You can avoid the “leaky” behavior by using a firewall policy that drops “invalid” state packets.
Having control over the matching of INVALID state traffic, e.g. the ability to selectively log, is an important trou-
bleshooting tool for observing broken protocol behavior. For this reason, VyOS does not globally drop invalid state
traffic, instead allowing the operator to make the determination on how the traffic is handled.

Note: Avoiding NAT breakage in the absence of split-DNS

A typical problem with using NAT and hosting public servers is the ability for internal systems to reach an internal
server using it’s external IP address. The solution to this is usually the use of split-DNS to correctly point host systems
to the internal address when requests are made internally. Because many smaller networks lack DNS infrastructure,
a work-around is commonly deployed to facilitate the traffic by NATing the request from internal hosts to the source
address of the internal interface on the firewall. This technique is commonly reffered to as NAT Reflection, or Hairpin
NAT.
In this example, we will be using the example Quick Start configuration above as a starting point.
To setup a NAT reflection rule, we need to create a rule to NAT connections from the internal network to the same
internal network to use the source address of the internal interface.
set nat source rule 110 description 'NAT Reflection: INSIDE'
set nat source rule 110 destination address '192.168.0.0/24'
set nat source rule 110 outbound-interface 'eth1'
set nat source rule 110 source address '192.168.0.0/24'
set nat source rule 110 translation address 'masquerade'

Which results in a configuration of:


rule 110 {
description "NAT Reflection: INSIDE"
destination {
address 192.168.0.0/24
}
outbound-interface eth1
source {
address 192.168.0.0/24
}
translation {
(continues on next page)

44 Chapter 9. NAT
VyOS Documentation, Release 1.2.0-beta

(continued from previous page)


address masquerade
}
}

9.2 Destination NAT

DNAT is typically referred to as a Port Forward. When using VyOS as a NAT router and firewall, a common
configuration task is to redirect incoming traffic to a system behind the firewall.
In this example, we will be using the example Quick Start configuration above as a starting point.
To setup a destination NAT rule we need to gather: * The interface traffic will be coming in on * The protocol and port
we wish to forward * The IP address of the internal system we wish to forward traffic to
In our example, we will be forwarding web server traffic to an internal web server on 192.168.0.100. HTTP traffic
makes use of the TCP protocol on port 80. For other common port numbers, see: http://en.wikipedia.org/wiki/List_
of_TCP_and_UDP_port_numbers
Our configuration commands would be:

set nat destination rule 10 description 'Port Forward: HTTP to 192.168.0.100'


set nat destination rule 10 destination port '80'
set nat destination rule 10 inbound-interface 'eth0'
set nat destination rule 10 protocol 'tcp'
set nat destination rule 10 translation address '192.168.0.100'

Which would generate the following NAT destination configuration:

nat {
destination {
rule 10 {
description "Port Forward: HTTP to 192.168.0.100"
destination {
port 80
}
inbound-interface eth0
protocol tcp
translation {
address 192.168.0.100
}
}
}
}

Note: If forwarding traffic to a different port than it is arriving on, you may also configure the translation port using
set nat destination rule [n] translation port.

This establishes our Port Forward rule, but if we created a firewall policy it will likely block the traffic.
It is important to note that when creating firewall rules that the DNAT translation occurs before traffic traverses the
firewall. In other words, the destination address has already been translated to 192.168.0.100.
So in our firewall policy, we want to allow traffic coming in on the outside interface, destined for TCP port 80 and the
IP address of 192.168.0.100.

9.2. Destination NAT 45


VyOS Documentation, Release 1.2.0-beta

set firewall name OUTSIDE-IN rule 20 action 'accept'


set firewall name OUTSIDE-IN rule 20 destination address '192.168.0.100'
set firewall name OUTSIDE-IN rule 20 destination port '80'
set firewall name OUTSIDE-IN rule 20 protocol 'tcp'
set firewall name OUTSIDE-IN rule 20 state new 'enable'

This would generate the following configuration:

rule 20 {
action accept
destination {
address 192.168.0.100
port 80
}
protocol tcp
state {
new enable
}
}

Note: If you have configured the INSIDE-OUT policy, you will need to add additional rules to permit inbound NAT
traffic.

9.3 1-to-1 NAT

Another term often used for DNAT is 1-to-1 NAT. For a 1-to-1 NAT configuration, both DNAT and SNAT are used to
NAT all traffic from an external IP address to an internal IP address and vice-versa.
Typically, a 1-to-1 NAT rule omits the destination port (all ports) and replaces the protocol with either all or ip.
Then a corresponding SNAT rule is created to NAT outgoing traffic for the internal IP to a reserved external IP. This
dedicates an external IP address to an internal IP address and is useful for protocols which don’t have the notion of
ports, such as GRE.

9.4 1-to-1 NAT example

Here’s an extract of a simple 1-to-1 NAT configuration with one internal and one external interface:

set interfaces ethernet eth0 address '192.168.1.1/24'


set interfaces ethernet eth0 description 'Inside interface'
set interfaces ethernet eth1 address '1.2.3.4/24'
set interfaces ethernet eth1 description 'Outside interface'
set nat destination rule 2000 description '1-to-1 NAT example'
set nat destination rule 2000 destination address '1.2.3.4'
set nat destination rule 2000 inbound-interface 'eth1'
set nat destination rule 2000 translation address '192.168.1.10'
set nat source rule 2000 description '1-to-1 NAT example'
set nat source rule 2000 outbound-interface 'eth1'
set nat source rule 2000 source address '192.168.1.10'
set nat source rule 2000 translation address '1.2.3.4'

46 Chapter 9. NAT
VyOS Documentation, Release 1.2.0-beta

Firewall rules are written as normal, using the internal IP address as the source of outbound rules and the destination
of inbound rules.

9.5 NPTv6 (RFC6296)

NPTv6 stands for Network Prefix Translation. It’s a form of NAT for IPv6. It’s described in RFC6296. NPTv6 is
supported in linux kernel since version 3.13.

9.6 Usage

NPTv6 is very useful for IPv6 multihoming. Let’s assume the following network configuration:
• eth0 : LAN
• eth1 : WAN1, with 2001:db8:e1::/48 routed towards it
• eth2 : WAN2, with 2001:db8:e2::/48 routed towards it
Regarding LAN hosts addressing, why would you choose 2001:db8:e1::/48 over 2001:db8:e2::/48? What happens
when you get a new provider with a different routed IPv6 subnet?
The solution here is to assign to your hosts ULAs and to prefix-translate their address to the right subnet when going
through your router.
• LAN Subnet : fc00:dead:beef::/48
• WAN 1 Subnet : 2001:db8:e1::/48
• WAN 2 Subnet : 2001:db8:e2::/48
• eth0 addr : fc00:dead:beef::1/48
• eth1 addr : 2001:db8:e1::1/48
• eth2 addr : 2001:db8:e2::1/48

9.7 VyOS Support

NPTv6 support has been added in VyOS 1.2 (Crux) and is available through nat nptv6 configuration nodes.

set rule 10 inside-prefix 'fc00:dead:beef::/48'


set rule 10 outside-interface 'eth1'
set rule 10 outside-prefix '2001:db8:e1::/48'
set rule 20 inside-prefix 'fc00:dead:beef::/48'
set rule 20 outside-interface 'eth2'
set rule 20 outside-prefix '2001:db8:e2::/48'

Resulting in the following ip6tables rules:

Chain VYOS_DNPT_HOOK (1 references)


pkts bytes target prot opt in out source destination
0 0 DNPT all eth1 any anywhere 2001:db8:e1::/48 src-
˓→pfx 2001:db8:e1::/48 dst-pfx fc00:dead:beef::/48
0 0 DNPT all eth2 any anywhere 2001:db8:e2::/48 src-
˓→pfx 2001:db8:e2::/48 dst-pfx fc00:dead:beef::/48
(continues on next page)

9.5. NPTv6 (RFC6296) 47


VyOS Documentation, Release 1.2.0-beta

(continued from previous page)


0 0 RETURN all any any anywhere anywhere
Chain VYOS_SNPT_HOOK (1 references)
pkts bytes target prot opt in out source destination
0 0 SNPT all any eth1 fc00:dead:beef::/48 anywhere src-
˓→pfx fc00:dead:beef::/48 dst-pfx 2001:db8:e1::/48
0 0 SNPT all any eth2 fc00:dead:beef::/48 anywhere src-
˓→pfx fc00:dead:beef::/48 dst-pfx 2001:db8:e2::/48
0 0 RETURN all any any anywhere anywhere

48 Chapter 9. NAT
CHAPTER 10

VPN

10.1 OpenVPN

Traditionally hardware routers implement IPsec exclusively due to relative ease of implementing it in hardware and
insufficient CPU power for doing encryption in software. Since VyOS is a software router, this is less of a concern.
OpenVPN has been widely used on UNIX platform for a long time and is a popular option for remote access VPN,
though it’s also capable of site-to-site connections.
The advantages of OpenVPN are: * It uses a single TCP or UDP connection and does not rely on packet source
addresses, so it will work even through a double NAT: perfect for public hotspots and such
• It’s easy to setup and offers very flexible split tunneling
• There’s a variety of client GUI frontends for any platform
The disadvantages are: * It’s slower than IPsec due to higher protocol overhead and the fact it runs in user mode while
IPsec, on Linux, is in kernel mode
• None of the operating systems have client software installed by default
In the VyOS CLI, a key point often overlooked is that rather than being configured using the set vpn stanza, OpenVPN
is configured as a network interface using set interfaces openvpn.

10.1.1 OpenVPN Site-To-Site

While many are aware of OpenVPN as a Client VPN solution, it is often overlooked as a site-to-site VPN solution due
to lack of support for this mode in many router platforms.
Site-to-site mode supports x.509 but doesn’t require it and can also work with static keys, which is simpler in many
cases. In this example, we’ll configure a simple site-to-site OpenVPN tunnel using a 2048-bit pre-shared key.
First, one one of the systems generate the key using the operational command generate openvpn key <filename>. This
will generate a key with the name provided in the /config/auth/ directory. Once generated, you will need to copy this
key to the remote router.
In our example, we used the filename openvpn-1.key which we will reference in our configuration.

49
VyOS Documentation, Release 1.2.0-beta

• The public IP address of the local side of the VPN will be 198.51.100.10
• The remote will be 203.0.113.11
• The tunnel will use 10.255.1.1 for the local IP and 10.255.1.2 for the remote.
• OpenVPN allows for either TCP or UDP. UDP will provide the lowest latency, while TCP will work better for
lossy connections; generally UDP is preferred when possible.
• The official port for OpenVPN is 1194, which we reserve for client VPN; we will use 1195 for site-to-site VPN.
• The persistent-tunnel directive will allow us to configure tunnel-related attributes, such as firewall policy as we
would on any normal network interface.
• If known, the IP of the remote router can be configured using the remote-host directive; if unknown, it can be
omitted. We will assume a dynamic IP for our remote router.
Local Configuration:

set interfaces openvpn vtun1 mode site-to-site


set interfaces openvpn vtun1 protocol udp
set interfaces openvpn vtun1 persistent-tunnel
set interfaces openvpn vtun1 local-host '198.51.100.10'
set interfaces openvpn vtun1 local-port '1195'
set interfaces openvpn vtun1 remote-port '1195'
set interfaces openvpn vtun1 shared-secret-key-file '/config/auth/openvpn-1.key'
set interfaces openvpn vtun1 local-address '10.255.1.1'
set interfaces openvpn vtun1 remote-address '10.255.1.2'

Remote Configuration:

set interfaces openvpn vtun1 mode site-to-site


set interfaces openvpn vtun1 protocol udp
set interfaces openvpn vtun1 persistent-tunnel
set interfaces openvpn vtun1 remote-host '198.51.100.10'
set interfaces openvpn vtun1 local-port '1195'
set interfaces openvpn vtun1 remote-port '1195'
set interfaces openvpn vtun1 shared-secret-key-file '/config/auth/openvpn-1.key'
set interfaces openvpn vtun1 local-address '10.255.1.2'
set interfaces openvpn vtun1 remote-address '10.255.1.1'

The configurations above will default to using 128-bit Blowfish in CBC mode for encryption and SHA-1 for HMAC
authentication. These are both considered weak, but a number of other encryption and hashing algorithms are available:
For Encryption:

vyos@vyos# set interfaces openvpn vtun1 encryption


Possible completions:
des DES algorithm
3des DES algorithm with triple encryption
bf128 Blowfish algorithm with 128-bit key
bf256 Blowfish algorithm with 256-bit key
aes128 AES algorithm with 128-bit key
aes192 AES algorithm with 192-bit key
aes256 AES algorithm with 256-bit key

For Hashing:

vyos@vyos# set interfaces openvpn vtun1 hash


Possible completions:
(continues on next page)

50 Chapter 10. VPN


VyOS Documentation, Release 1.2.0-beta

(continued from previous page)


md5 MD5 algorithm
sha1 SHA-1 algorithm
sha256 SHA-256 algorithm
sha512 SHA-512 algorithm

If you change the default encryption and hashing algorithms, be sure that the local and remote ends have matching
configurations, otherwise the tunnel will not come up.
Static routes can be configured referencing the tunnel interface; for example, the local router will use a network of
10.0.0.0/16, while the remote has a network of 10.1.0.0/16:
Local Configuration:

set protocols static interface-route 10.1.0.0/16 next-hop-interface vtun1

Remote Configuration:

set protocols static interface-route 10.0.0.0/16 next-hop-interface vtun1

Firewall policy can also be applied to the tunnel interface for local, in, and out directions and function identically to
ethernet interfaces.
If making use of multiple tunnels, OpenVPN must have a way to distinguish between different tunnels aside from the
pre-shared-key. This is either by referencing IP address or port number. One option is to dedicate a public IP to each
tunnel. Another option is to dedicate a port number to each tunnel (e.g. 1195,1196,1197. . . ).
OpenVPN status can be verified using the show openvpn operational commands. See the built-in help for a complete
list of options.

10.1.2 OpenVPN Server

Multi-client server is the most popular OpenVPN mode on routers. It always uses x.509 authentication and therefore
requires a PKI setup. This guide assumes you have already setup a PKI and have a CA certificate, a server certificate
and key, a certificate revokation list, a Diffie-Hellman key exchange parameters file. You do not need client certificates
and keys for the server setup.
In this example we will use the most complicated case: a setup where each client is a router that has its own subnet
(think HQ and branch offices), since simpler setups are subsets of it.
Suppose you want to use 10.23.1.0/24 network for client tunnel endpoints and all client subnets belong to 10.23.0.0/20.
All clients need access to the 192.168.0.0/16 network.
First we need to specify the basic settings. 1194/UDP is the default. The persistent-tunnel option is recommended, it
prevents the TUN/TAP device from closing on connection resets or daemon reloads.

set interfaces openvpn vtun10 mode server


set interfaces openvpn vtun10 local-port 1194
set interfaces openvpn vtun10 persistent-tunnel
set interfaces openvpn vtun10 protocol udp

Then we need to specify the location of the cryptographic materials. Suppose you keep the files in /config/auth/openvpn

set interfaces openvpn vtun10 tls ca-cert-file /config/auth/openvpn/ca.crt


set interfaces openvpn vtun10 tls cert-file /config/auth/openvpn/server.crt
set interfaces openvpn vtun10 tls key-file /config/auth/openvpn/server.key
set interfaces openvpn vtun10 tls crl-file /config/auth/openvpn/crl.pem
set interfaces openvpn vtun10 tls dh-file /config/auth/openvpn/dh2048.pem

10.1. OpenVPN 51
VyOS Documentation, Release 1.2.0-beta

Now we need to specify the server network settings. In all cases we need to specify the subnet for client tunnel
endpoints. Since we want clients to access a specific network behind out router, we will use a push-route option for
installing that route on clients.

set interfaces openvpn vtun10 server push-route 192.168.0.0/16


set interfaces openvpn vtun10 server subnet 10.23.1.0/24

Since it’s a HQ and branch offices setup, we will want all clients to have fixed addresses and we will route traffic to
specific subnets through them. We need configuration for each client to achieve this.

Note: Clients are identified by the CN field of their x.509 certificates, in this example the CN is client0:

set interfaces openvpn vtun10 server client client0 ip 10.23.1.10


set interfaces openvpn vtun10 server client client0 subnet 10.23.2.0/25

OpenVPN will not automatically create routes in the kernel for client subnets when they connect and will only use
client-subnet association internally, so we need to create a route to the 10.23.0.0/20 network ourselves:

set protocols static interface-route 10.23.0.0/20 next-hop-interface vtun10

10.2 L2TP over IPsec

Example for configuring a simple L2TP over IPsec VPN for remote access (works with native Windows and Mac VPN
clients):

set vpn ipsec ipsec-interfaces interface eth0


set vpn ipsec nat-traversal enable
set vpn ipsec nat-networks allowed-network 0.0.0.0/0

set vpn l2tp remote-access outside-address 203.0.113.2


set vpn l2tp remote-access client-ip-pool start 192.168.255.1
set vpn l2tp remote-access client-ip-pool stop 192.168.255.254
set vpn l2tp remote-access ipsec-settings authentication mode pre-shared-secret
set vpn l2tp remote-access ipsec-settings authentication pre-shared-secret <secret>
set vpn l2tp remote-access authentication mode local
set vpn l2tp remote-access authentication local-users username <username> password
˓→<password>

In the example above an external IP of 203.0.113.2 is assumed.


If a local firewall policy is in place on your external interface you will need to open:
• UDP port 500 (IKE)
• IP protocol number 50 (ESP)
• UDP port 1701 for IPsec
In addition when NAT is detected by the VPN client ESP is encapsulated in UDP for NAT-traversal:
• UDP port 4500 (NAT-T)
Example:

52 Chapter 10. VPN


VyOS Documentation, Release 1.2.0-beta

set firewall name OUTSIDE-LOCAL rule 40 action 'accept'


set firewall name OUTSIDE-LOCAL rule 40 destination port '50'
set firewall name OUTSIDE-LOCAL rule 40 protocol 'esp'
set firewall name OUTSIDE-LOCAL rule 41 action 'accept'
set firewall name OUTSIDE-LOCAL rule 41 destination port '500'
set firewall name OUTSIDE-LOCAL rule 41 protocol 'udp'
set firewall name OUTSIDE-LOCAL rule 42 action 'accept'
set firewall name OUTSIDE-LOCAL rule 42 destination port '4500'
set firewall name OUTSIDE-LOCAL rule 42 protocol 'udp'
set firewall name OUTSIDE-LOCAL rule 43 action 'accept'
set firewall name OUTSIDE-LOCAL rule 43 destination port '1701'
set firewall name OUTSIDE-LOCAL rule 43 ipsec 'match-ipsec'
set firewall name OUTSIDE-LOCAL rule 43 protocol 'udp'

Also note that if you wish to allow the VPN to be used for external access you will need to add the appropriate source
NAT rules to your configuration.

set nat source rule 110 outbound-interface 'eth0'


set nat source rule 110 source address '192.168.255.0/24'
set nat source rule 110 translation address masquerade

To be able to resolve when connected to the VPN, the following DNS rules are needed as well.

set vpn l2tp remote-access dns-servers server-1 '8.8.8.8'


set vpn l2tp remote-access dns-servers server-2 '8.8.4.4'

Note: Those are the Google public DNS servers. You can also use the public available servers from Quad9 (9.9.9.9)
or Cloudflare (1.1.1.1).

Established sessions can be viewed using the show vpn remote-access operational command.

vyos@vyos:~$ show vpn remote-access


Active remote access VPN sessions:
User Proto Iface Tunnel IP TX byte RX byte Time
---- ----- ----- --------- ------- ------- ----
vyos L2TP l2tp0 192.168.255.1 3.2K 8.0K 00h06m13s

10.2.1 RADIUS authentication

The above configuration made use of local accounts on the VyOS router for authenticating L2TP/IPSec clients. In
bigger environments usually something like RADIUS (FreeRADIUS or Microsoft Network Policy Server, NPS) is
used.
VyOS supports either local or radius user authentication:

set vpn l2tp remote-access authentication mode <local|radius>

In addition one or more RADIUS servers can be configured to server for user authentication. This is done using the
radius server and radius server key nodes:

set vpn l2tp remote-access authentication radius server 1.1.1.1 key 'foo'
set vpn l2tp remote-access authentication radius server 2.2.2.2 key 'foo'

10.2. L2TP over IPsec 53


VyOS Documentation, Release 1.2.0-beta

Note: Some RADIUS severs make use of an access control list who is allowed to query the server. Please configure
your VyOS router in the allowed client list.

RADIUS source address

If you are using e.g. OSPF as IGP always the nearest interface facing the RADIUS server is used. With VyOS 1.2 you
can bind all outgoing RADIUS requests to a single source IP e.g. the loopback interface.

set vpn l2tp remote-access authentication radius source-address 3.3.3.3

Above command will use 3.3.3.3 as source IPv4 address for all RADIUS queries on this NAS.

10.3 Site-to-Site IPsec

Example: * eth1 is WAN interface * left subnet: 192.168.0.0/24 #s ite1, server side (i.e. locality, actually there is no
client or server roles) * left local_ip: 1.1.1.1 # server side WAN IP * right subnet: 10.0.0.0/24 # site2,remote office
side * right local_ip: 2.2.2.2 # remote office side WAN IP

# server config
set vpn ipsec esp-group office-srv-esp compression 'disable'
set vpn ipsec esp-group office-srv-esp lifetime '1800'
set vpn ipsec esp-group office-srv-esp mode 'tunnel'
set vpn ipsec esp-group office-srv-esp pfs 'enable'
set vpn ipsec esp-group office-srv-esp proposal 1 encryption 'aes256'
set vpn ipsec esp-group office-srv-esp proposal 1 hash 'sha1'
set vpn ipsec ike-group office-srv-ike ikev2-reauth 'no'
set vpn ipsec ike-group office-srv-ike key-exchange 'ikev1'
set vpn ipsec ike-group office-srv-ike lifetime '3600'
set vpn ipsec ike-group office-srv-ike proposal 1 encryption 'aes256'
set vpn ipsec ike-group office-srv-ike proposal 1 hash 'sha1'
set vpn ipsec ipsec-interfaces interface 'eth1'
set vpn ipsec site-to-site peer 2.2.2.2 authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer 2.2.2.2 authentication pre-shared-secret
˓→'SomePreSharedKey'

set vpn ipsec site-to-site peer 2.2.2.2 ike-group 'office-srv-ike'


set vpn ipsec site-to-site peer 2.2.2.2 local-address '1.1.1.1'
set vpn ipsec site-to-site peer 2.2.2.2 tunnel 0 allow-nat-networks 'disable'
set vpn ipsec site-to-site peer 2.2.2.2 tunnel 0 allow-public-networks 'disable'
set vpn ipsec site-to-site peer 2.2.2.2 tunnel 0 esp-group 'office-srv-esp'
set vpn ipsec site-to-site peer 2.2.2.2 tunnel 0 local prefix '192.168.0.0/24'
set vpn ipsec site-to-site peer 2.2.2.2 tunnel 0 remote prefix '10.0.0.0/21'

# remote office config


set vpn ipsec esp-group office-srv-esp compression 'disable'
set vpn ipsec esp-group office-srv-esp lifetime '1800'
set vpn ipsec esp-group office-srv-esp mode 'tunnel'
set vpn ipsec esp-group office-srv-esp pfs 'enable'
set vpn ipsec esp-group office-srv-esp proposal 1 encryption 'aes256'
set vpn ipsec esp-group office-srv-esp proposal 1 hash 'sha1'
set vpn ipsec ike-group office-srv-ike ikev2-reauth 'no'
set vpn ipsec ike-group office-srv-ike key-exchange 'ikev1'
set vpn ipsec ike-group office-srv-ike lifetime '3600'
(continues on next page)

54 Chapter 10. VPN


VyOS Documentation, Release 1.2.0-beta

(continued from previous page)


set vpn ipsec ike-group office-srv-ike proposal 1 encryption 'aes256'
set vpn ipsec ike-group office-srv-ike proposal 1 hash 'sha1'
set vpn ipsec ipsec-interfaces interface 'eth1'
set vpn ipsec site-to-site peer 1.1.1.1 authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer 1.1.1.1 authentication pre-shared-secret
˓→'SomePreSharedKey'

set vpn ipsec site-to-site peer 1.1.1.1 ike-group 'office-srv-ike'


set vpn ipsec site-to-site peer 1.1.1.1 local-address '2.2.2.2'
set vpn ipsec site-to-site peer 1.1.1.1 tunnel 0 allow-nat-networks 'disable'
set vpn ipsec site-to-site peer 1.1.1.1 tunnel 0 allow-public-networks 'disable'
set vpn ipsec site-to-site peer 1.1.1.1 tunnel 0 esp-group 'office-srv-esp'
set vpn ipsec site-to-site peer 1.1.1.1 tunnel 0 local prefix '10.0.0.0/21'
set vpn ipsec site-to-site peer 1.1.1.1 tunnel 0 remote prefix '192.168.0.0/24'

Show status of new setup:

vyos@srv-gw0:~$ show vpn ike sa


Peer ID / IP Local ID / IP
------------ -------------
2.2.2.2 1.1.1.1
State Encrypt Hash D-H Grp NAT-T A-Time L-Time
----- ------- ---- ------- ----- ------ ------
up aes256 sha1 5 no 734 3600

vyos@srv-gw0:~$ show vpn ipsec sa


Peer ID / IP Local ID / IP
------------ -------------
2.2.2.2 1.1.1.1
Tunnel State Bytes Out/In Encrypt Hash NAT-T A-Time L-Time Proto
------ ----- ------------- ------- ---- ----- ------ ------ -----
0 up 7.5M/230.6K aes256 sha1 no 567 1800 all

If there is SNAT rules on eth1, need to add exclude rule

# server side
set nat source rule 10 destination address '10.0.0.0/24'
set nat source rule 10 'exclude'
set nat source rule 10 outbound-interface 'eth1'
set nat source rule 10 source address '192.168.0.0/24'

# remote office side


set nat source rule 10 destination address '192.168.0.0/24'
set nat source rule 10 'exclude'
set nat source rule 10 outbound-interface 'eth1'
set nat source rule 10 source address '10.0.0.0/24'

To allow traffic to pass through to clients, you need to add the following rules. (if you used the default configuration
at the top of this page)

# server side
set firewall name OUTSIDE-LOCAL rule 32 action 'accept'
set firewall name OUTSIDE-LOCAL rule 32 source address '10.0.0.0/24'

# remote office side


set firewall name OUTSIDE-LOCAL rule 32 action 'accept'
set firewall name OUTSIDE-LOCAL rule 32 source address '192.168.0.0/24'

10.3. Site-to-Site IPsec 55


VyOS Documentation, Release 1.2.0-beta

10.4 DMVPN

D ynamic M ultipoint V irtual P rivate N etworking


DMVPN is a dynamic VPN technology originally developed by Cisco. While their implementation was somewhat
proprietary, the underlying technologies are actually standards based. The three technologies are:
• NHRP - NBMA Next Hop Resolution Protocol RFC2332
• mGRE - Multipoint Generic Routing Encapsulation / mGRE RFC1702
• IPSec - IP Security (too many RFCs to list, but start with RFC4301)
NHRP provides the dynamic tunnel endpoint discovery mechanism (endpoint registration, and endpoint discov-
ery/lookup), mGRE provides the tunnel encapsulation itself, and the IPSec protocols handle the key exchange, and
crypto mechanism.
In short, DMVPN provides the capability for creating a dynamic-mesh VPN network without having to pre-configure
(static) all possible tunnel end-point peers.

Note: DMVPN only automates the tunnel endpoint discovery and setup. A complete solution also incorporates the
use of a routing protocol. BGP is particularly well suited for use with DMVPN.

Baseline Configuration:
STEPS:
1. Create tunnel config (interfaces tunnel)
2. Create nhrp (protocols nhrp)
3. Create ipsec vpn (optional, but recommended for security) (vpn ipsec)
The tunnel will be set to mGRE if for encapsulation gre is set, and no remote-ip is set. If the public ip is provided by
DHCP the tunnel local-ip can be set to “0.0.0.0”

Fig. 1: Baseline DMVPN topology

10.4.1 HUB Configuration

interfaces
tunnel <tunN> {
address <ipv4>
encapsulation gre
(continues on next page)

56 Chapter 10. VPN


VyOS Documentation, Release 1.2.0-beta

(continued from previous page)


local-ip <public ip>
multicast enable
description <txt>
parameters {
ip {
<usual IP options>
}
}
}
}
protocols {
nhrp {
tunnel <tunN> {
cisco-authentication <key phrase>
holding-time <seconds>
multicast dynamic
redirect
}
}
}
vpn {
ipsec {
esp-group <text> {
lifetime <30-86400>
mode tunnel
pfs enable
proposal <1-65535> {
encryption aes256
hash sha1
}
proposal <1-65535> {
encryption 3des
hash md5
}
}
ike-group <text> {
key-exchange ikev1
lifetime <30-86400>
proposal <1-65535> {
encryption aes256
hash sha1
}
proposal <1-65535> {
encryption aes128
hash sha1
}
}
ipsec-interfaces {
interface <ethN>
}
profile <text> {
authentication {
mode pre-shared-secret
pre-shared-secret <key phrase>
}
bind {
tunnel <tunN>
(continues on next page)

10.4. DMVPN 57
VyOS Documentation, Release 1.2.0-beta

(continued from previous page)


}
esp-group <text>
ike-group <text>
}
}
}

HUB Example Configuration:


set interfaces ethernet eth0 address '1.1.1.1/30'
set interfaces ethernet eth1 address '192.168.1.1/24'
set system host-name 'HUB'

set interfaces tunnel tun0 address 10.0.0.1/24


set interfaces tunnel tun0 encapsulation gre
set interfaces tunnel tun0 local-ip 1.1.1.1
set interfaces tunnel tun0 multicast enable
set interfaces tunnel tun0 parameters ip key 1

set protocols nhrp tunnel tun0 cisco-authentication SECRET


set protocols nhrp tunnel tun0 holding-time 300
set protocols nhrp tunnel tun0 multicast dynamic
set protocols nhrp tunnel tun0 redirect

set vpn ipsec ipsec-interfaces interface eth0


set vpn ipsec ike-group IKE-HUB proposal 1
set vpn ipsec ike-group IKE-HUB proposal 1 encryption aes256
set vpn ipsec ike-group IKE-HUB proposal 1 hash sha1
set vpn ipsec ike-group IKE-HUB proposal 2 encryption aes128
set vpn ipsec ike-group IKE-HUB proposal 2 hash sha1
set vpn ipsec ike-group IKE-HUB lifetime 3600
set vpn ipsec esp-group ESP-HUB proposal 1 encryption aes256
set vpn ipsec esp-group ESP-HUB proposal 1 hash sha1
set vpn ipsec esp-group ESP-HUB proposal 2 encryption 3des
set vpn ipsec esp-group ESP-HUB proposal 2 hash md5
set vpn ipsec esp-group ESP-HUB lifetime 1800
set vpn ipsec esp-group ESP-HUB pfs dh-group2

set vpn ipsec profile NHRPVPN


set vpn ipsec profile NHRPVPN authentication mode pre-shared-secret
set vpn ipsec profile NHRPVPN authentication pre-shared-secret SECRET
set vpn ipsec profile NHRPVPN bind tunnel tun0
set vpn ipsec profile NHRPVPN esp-group ESP-HUB
set vpn ipsec profile NHRPVPN ike-group IKE-HUB

set protocols static route 0.0.0.0/0 next-hop 1.1.1.2


set protocols static route 192.168.2.0/24 next-hop 10.0.0.2
set protocols static route 192.168.3.0/24 next-hop 10.0.0.3

10.4.2 SPOKE Configuration

SPOKE1 Configuration:
interfaces
tunnel <tunN> {
(continues on next page)

58 Chapter 10. VPN


VyOS Documentation, Release 1.2.0-beta

(continued from previous page)


address <ipv4>
encapsulation gre
local-ip <public ip>
multicast enable
description <txt>
parameters {
ip {
<usual IP options>
}
}
}
}
protocols {
nhrp {
tunnel <tunN> {
cisco-authentication <key phrase>
map <ipv4/net> {
nbma-address <ipv4>
register
}
holding-time <seconds>
multicast nhs
redirect
shortcut
}
}
}
vpn {
ipsec {
esp-group <text> {
lifetime <30-86400>
mode tunnel
pfs enable
proposal <1-65535> {
encryption aes256
hash sha1
}
proposal <1-65535> {
encryption 3des
hash md5
}
}
ike-group <text> {
key-exchange ikev1
lifetime <30-86400>
proposal <1-65535> {
encryption aes256
hash sha1
}
proposal <1-65535> {
encryption aes128
hash sha1
}
}
ipsec-interfaces {
interface <ethN>
}
(continues on next page)

10.4. DMVPN 59
VyOS Documentation, Release 1.2.0-beta

(continued from previous page)


profile <text> {
authentication {
mode pre-shared-secret
pre-shared-secret <key phrase>
}
bind {
tunnel <tunN>
}
esp-group <text>
ike-group <text>
}
}
}

SPOKE1 Example Configuration

set interfaces ethernet eth0 address 'dhcp'


set interfaces ethernet eth1 address '192.168.2.1/24'
set system host-name 'SPOKE1'

set interfaces tunnel tun0 address 10.0.0.2/24


set interfaces tunnel tun0 encapsulation gre
set interfaces tunnel tun0 local-ip 0.0.0.0
set interfaces tunnel tun0 multicast enable
set interfaces tunnel tun0 parameters ip key 1

set protocols nhrp tunnel tun0 cisco-authentication 'SECRET'


set protocols nhrp tunnel tun0 map 10.0.0.1/24 nbma-address 1.1.1.1
set protocols nhrp tunnel tun0 map 10.0.0.1/24 'register'
set protocols nhrp tunnel tun0 multicast 'nhs'
set protocols nhrp tunnel tun0 'redirect'
set protocols nhrp tunnel tun0 'shortcut'

set vpn ipsec ipsec-interfaces interface eth0


set vpn ipsec ike-group IKE-SPOKE proposal 1
set vpn ipsec ike-group IKE-SPOKE proposal 1 encryption aes256
set vpn ipsec ike-group IKE-SPOKE proposal 1 hash sha1
set vpn ipsec ike-group IKE-SPOKE proposal 2 encryption aes128
set vpn ipsec ike-group IKE-SPOKE proposal 2 hash sha1
set vpn ipsec ike-group IKE-SPOKE lifetime 3600
set vpn ipsec esp-group ESP-SPOKE proposal 1 encryption aes256
set vpn ipsec esp-group ESP-SPOKE proposal 1 hash sha1
set vpn ipsec esp-group ESP-SPOKE proposal 2 encryption 3des
set vpn ipsec esp-group ESP-SPOKE proposal 2 hash md5
set vpn ipsec esp-group ESP-SPOKE lifetime 1800
set vpn ipsec esp-group ESP-SPOKE pfs dh-group2

set vpn ipsec profile NHRPVPN


set vpn ipsec profile NHRPVPN authentication mode pre-shared-secret
set vpn ipsec profile NHRPVPN authentication pre-shared-secret SECRET
set vpn ipsec profile NHRPVPN bind tunnel tun0
set vpn ipsec profile NHRPVPN esp-group ESP-SPOKE
set vpn ipsec profile NHRPVPN ike-group IKE-SPOKE

set protocols static route 192.168.1.0/24 next-hop 10.0.0.1


set protocols static route 192.168.3.0/24 next-hop 10.0.0.3

60 Chapter 10. VPN


VyOS Documentation, Release 1.2.0-beta

SPOKE2 Configuration

interfaces
tunnel <tunN> {
address <ipv4>
encapsulation gre
local-ip <public ip>
multicast enable
description <txt>
parameters {
ip {
<usual IP options>
}
}
}
}
protocols {
nhrp {
tunnel <tunN> {
cisco-authentication <key phrase>
map <ipv4/net> {
nbma-address <ipv4>
register
}
holding-time <seconds>
multicast nhs
redirect
shortcut
}
}
}
vpn {
ipsec {
esp-group <text> {
lifetime <30-86400>
mode tunnel
pfs enable
proposal <1-65535> {
encryption aes256
hash sha1
}
proposal <1-65535> {
encryption 3des
hash md5
}
}
ike-group <text> {
key-exchange ikev1
lifetime <30-86400>
proposal <1-65535> {
encryption aes256
hash sha1
}
proposal <1-65535> {
encryption aes128
hash sha1
}
}
(continues on next page)

10.4. DMVPN 61
VyOS Documentation, Release 1.2.0-beta

(continued from previous page)


ipsec-interfaces {
interface <ethN>
}
profile <text> {
authentication {
mode pre-shared-secret
pre-shared-secret <key phrase>
}
bind {
tunnel <tunN>
}
esp-group <text>
ike-group <text>
}
}
}

SPOKE2 Example Configuration


set interfaces ethernet eth0 address 'dhcp'
set interfaces ethernet eth1 address '192.168.3.1/24'
set system host-name 'SPOKE2'

set interfaces tunnel tun0 address 10.0.0.3/24


set interfaces tunnel tun0 encapsulation gre
set interfaces tunnel tun0 local-ip 0.0.0.0
set interfaces tunnel tun0 multicast enable
set interfaces tunnel tun0 parameters ip key 1

set protocols nhrp tunnel tun0 cisco-authentication SECRET


set protocols nhrp tunnel tun0 map 10.0.0.1/24 nbma-address 1.1.1.1
set protocols nhrp tunnel tun0 map 10.0.0.1/24 register
set protocols nhrp tunnel tun0 multicast nhs
set protocols nhrp tunnel tun0 redirect
set protocols nhrp tunnel tun0 shortcut

set vpn ipsec ipsec-interfaces interface eth0


set vpn ipsec ike-group IKE-SPOKE proposal 1
set vpn ipsec ike-group IKE-SPOKE proposal 1 encryption aes256
set vpn ipsec ike-group IKE-SPOKE proposal 1 hash sha1
set vpn ipsec ike-group IKE-SPOKE proposal 2 encryption aes128
set vpn ipsec ike-group IKE-SPOKE proposal 2 hash sha1
set vpn ipsec ike-group IKE-SPOKE lifetime 3600
set vpn ipsec esp-group ESP-SPOKE proposal 1 encryption aes256
set vpn ipsec esp-group ESP-SPOKE proposal 1 hash sha1
set vpn ipsec esp-group ESP-SPOKE proposal 2 encryption 3des
set vpn ipsec esp-group ESP-SPOKE proposal 2 hash md5
set vpn ipsec esp-group ESP-SPOKE lifetime 1800
set vpn ipsec esp-group ESP-SPOKE pfs dh-group2

set vpn ipsec profile NHRPVPN


set vpn ipsec profile NHRPVPN authentication mode pre-shared-secret
set vpn ipsec profile NHRPVPN authentication pre-shared-secret SECRET
set vpn ipsec profile NHRPVPN bind tunnel tun0
set vpn ipsec profile NHRPVPN esp-group ESP-SPOKE
set vpn ipsec profile NHRPVPN ike-group IKE-SPOKE

(continues on next page)

62 Chapter 10. VPN


VyOS Documentation, Release 1.2.0-beta

(continued from previous page)


set protocols static route 192.168.1.0/24 next-hop 10.0.0.1
set protocols static route 192.168.2.0/24 next-hop 10.0.0.2

10.5 PPTP-Server

The Point-to-Point Tunneling Protocol (PPTP) has been implemented in VyOS only for backwards compatibility.
PPTP has many well known secrurity issues and you should use one of the many other new VPN implementations.
As per default and if not otherwise defined, mschap-v2 is being used for authentication and mppe 128-bit (stateless)
for encryption. If no gateway-address is set within the configuration, the lowest IP out of the /24 client-ip-pool is being
used. For instance, in the example below it would be 192.168.0.1.

10.5.1 server example

set vpn pptp remote-access authentication local-users username test password 'test'
set vpn pptp remote-access authentication mode 'local'
set vpn pptp remote-access client-ip-pool start '192.168.0.10'
set vpn pptp remote-access client-ip-pool stop '192.168.0.15'
set vpn pptp remote-access gateway-address '10.100.100.1'
set vpn pptp remote-access outside-address '10.1.1.120'

10.5.2 client example (debian 9)

Install the client software via apt and execute pptpsetup to generate the configuration.

apt-get install pptp-linux


pptpsetup --create TESTTUNNEL --server 10.1.1.120 --username test --password test --
˓→encrypt

pon TESTTUNNEL

The command pon TESTUNNEL establishes the PPTP tunnel to the remote system.
All tunnel sessions can be checked via:

run sh pptp-server sessions


ifname | username | calling-sid | ip | type | comp | state | uptime
--------+----------+-------------+--------------+------+------+--------+----------
ppp0 | test | 10.1.1.99 | 192.168.0.10 | pptp | mppe | active | 00:00:58

10.6 WireGuard VPN Interface

WireGuard is an extremely simple yet fast and modern VPN that utilizes state-of-the-art cryptography. See https:
//www.wireguard.com for more information.

10.6.1 Configuration

Generate the keypair, which creates a public and private part and stores it within VyOS.

10.5. PPTP-Server 63
VyOS Documentation, Release 1.2.0-beta

wg01:~$ configure
wg01# run generate wireguard keypair

The public key is being shared with your peer(s), your peer will encrypt all traffic to your system using this public key.

wg01# run show wireguard pubkey


u41jO3OF73Gq1WARMMFG7tOfk7+r8o8AzPxJ1FZRhzk=

The next step is to configure your local side as well as the policy based trusted destination addresses. If you only
initiate a connection, the listen port and endpoint is optional, if you however act as a server and endpoints initiate the
connections to your system, you need to define a port your clients can connect to, otherwise it’s randomly chosen and
may make it difficult with firewall rules, since the port may be a different one when you reboot your system.
You will also need the public key of your peer as well as the network(s) you want to tunnel (allowed-ips) to configure
a wireguard tunnel. The public key below is always the public key from your peer, not your local one.
local side

set interfaces wireguard wg01 address '10.1.0.1/24'


set interfaces wireguard wg01 description 'VPN-to-wg02'
set interfaces wireguard wg01 peer to-wg02 allowed-ips '10.2.0.0/24'
set interfaces wireguard wg01 peer to-wg02 endpoint '192.168.0.142:12345'
set interfaces wireguard wg01 peer to-wg02 pubkey
˓→'XMrlPykaxhdAAiSjhtPlvi30NVkvLQliQuKP7AI7CyI='

set interfaces wireguard wg01 port '12345'


set protocols static interface-route 10.2.0.0/24 next-hop-interface wg01

The last step is to define an interface route for 10.2.0.0/24 to get through the wireguard interface wg01. Multiple IPs
or networks can be defined and routed, the last check is allowed-ips which either prevents or allows the traffic.
remote side

set interfaces wireguard wg01 address '10.2.0.1/24'


set interfaces wireguard wg01 description 'VPN-to-wg01'
set interfaces wireguard wg01 peer to-wg02 allowed-ips '10.1.0.0/24'
set interfaces wireguard wg01 peer to-wg02 endpoint '192.168.0.124:12345'
set interfaces wireguard wg01 peer to-wg02 pubkey
˓→'u41jO3OF73Gq1WARMMFG7tOfk7+r8o8AzPxJ1FZRhzk='

set interfaces wireguard wg01 port '12345'


set protocols static interface-route 10.1.0.0/24 next-hop-interface wg01

Assure that your firewall rules allow the traffic, in which case you have a working VPN using wireguard.

wg01# ping 10.2.0.1


PING 10.2.0.1 (10.2.0.1) 56(84) bytes of data.
64 bytes from 10.2.0.1: icmp_seq=1 ttl=64 time=1.16 ms
64 bytes from 10.2.0.1: icmp_seq=2 ttl=64 time=1.77 ms

wg02# ping 10.1.0.1


PING 10.1.0.1 (10.1.0.1) 56(84) bytes of data.
64 bytes from 10.1.0.1: icmp_seq=1 ttl=64 time=4.40 ms
64 bytes from 10.1.0.1: icmp_seq=2 ttl=64 time=1.02 ms

An additional layer of symmetric-key crypto can be used on top of the asymmetric crypto, which is optional.

wg01# run generate wireguard preshared-key


rvVDOoc2IYEnV+k5p7TNAmHBMEGTHbPU8Qqg8c/sUqc=

64 Chapter 10. VPN


VyOS Documentation, Release 1.2.0-beta

Copy the key, it is not stored on the local file system. Make sure you distribute that key in a safe manner, it’s a
symmatric key, so only you and your peer should have knowledge if its content.

wg01# set interfaces wireguard wg01 peer to-wg02 preshared-key


˓→'rvVDOoc2IYEnV+k5p7TNAmHBMEGTHbPU8Qqg8c/sUqc='

wg02# set interfaces wireguard wg01 peer to-wg01 preshared-key


˓→'rvVDOoc2IYEnV+k5p7TNAmHBMEGTHbPU8Qqg8c/sUqc='

operational commands

vyos@wg01# show interfaces wireguard wg01

interface: wg01
public key: xHvgSJC8RTClfvjc0oX6OALxU6GGLapjthjw7x82CSw=
private key: (hidden)
listening port: 12345

peer: 9Ek3R30mG6Vk+GHsENtPF0b9Ul+ftxx4dDBa1bdBxX8=
endpoint: 192.168.0.142:12345
allowed ips: 10.2.0.0/24
latest handshake: 4 minutes, 22 seconds ago
transfer: 860 B received, 948 B sent

10.6. WireGuard VPN Interface 65


VyOS Documentation, Release 1.2.0-beta

66 Chapter 10. VPN


CHAPTER 11

QoS and Traffic Policy

VyOS uses tc as backend for QoS. VyOS provides its users with configuration nodes for the following shap-
ing/queueing/policing disciplines:
• HTB
• HFSC
• SFQ
• pfifo
• network-emulator
• PRIO
• GRED
• TBF
• DRR

11.1 Configuration nodes

VyOS QoS configuration is done in two steps. The first one consists in setting up your classes/queues and traffic filters
to distribute traffic amongst them. The second step is to apply such traffic policy to an interface ingress or egress.

11.1.1 Creating a traffic policy

Such configuration takes place under the traffic-policy tree.


Available subtrees :

67
VyOS Documentation, Release 1.2.0-beta

set traffic-policy drop-tail NAME


set traffic-policy fair-queue NAME
set traffic-policy limiter NAME
set traffic-policy network-emulator NAME
set traffic-policy priority-queue NAME
set traffic-policy random-detect NAME
set traffic-policy rate-control NAME
set traffic-policy round-robin NAME
set traffic-policy shaper NAME
set traffic-policy shaper-hfsc NAME

11.1.2 Apply traffic policy to an interface

Once a traffic-policy is created, you can apply it to an interface :


set interfaces ethernet eth0 traffic-policy in WAN-IN
set interfaces etherhet eth0 traffic-policy out WAN-OUT

11.1.3 A Real-World Example

This policy sets download and upload bandwidth maximums (roughly 90% of the speeds possible), then divvies up
the traffic into buckets of importance, giving guaranteed bandwidth chunks to types of traffic that are necessary for
general interactive internet use, like web browsing, streaming, or gaming.
After identifying and prioritizing that traffic, it drops the remaining traffic into a general-priority bucket, which it gives
a lower priority than what is required for real-time use. If there is no real-time traffic that needs the bandwidth, the
lower-priority traffic can use most of the connection. This ensures that the connection can be used fully by whatever
wants it, without suffocating real-time traffic or throttling background traffic too much.
set traffic-policy shaper download bandwidth '175mbit'
set traffic-policy shaper download class 10 bandwidth '10%'
set traffic-policy shaper download class 10 burst '15k'
set traffic-policy shaper download class 10 ceiling '100%'
set traffic-policy shaper download class 10 match dns ip source port '53'
set traffic-policy shaper download class 10 match icmp ip protocol 'icmp'
set traffic-policy shaper download class 10 match ssh ip source port '22'
set traffic-policy shaper download class 10 priority '5'
set traffic-policy shaper download class 10 queue-type 'fair-queue'
set traffic-policy shaper download class 20 bandwidth '10%'
set traffic-policy shaper download class 20 burst '15k'
set traffic-policy shaper download class 20 ceiling '100%'
set traffic-policy shaper download class 20 match http ip source port '80'
set traffic-policy shaper download class 20 match https ip source port '443'
set traffic-policy shaper download class 20 priority '4'
set traffic-policy shaper download class 20 queue-type 'fair-queue'
set traffic-policy shaper download default bandwidth '70%'
set traffic-policy shaper download default burst '15k'
set traffic-policy shaper download default ceiling '100%'
set traffic-policy shaper download default priority '3'
set traffic-policy shaper download default queue-type 'fair-queue'
set traffic-policy shaper upload bandwidth '18mbit'
set traffic-policy shaper upload class 2 bandwidth '10%'
set traffic-policy shaper upload class 2 burst '15k'
set traffic-policy shaper upload class 2 ceiling '100%'
(continues on next page)

68 Chapter 11. QoS and Traffic Policy


VyOS Documentation, Release 1.2.0-beta

(continued from previous page)


set traffic-policy shaper upload class 2 match ack ip tcp ack
set traffic-policy shaper upload class 2 match dns ip destination port '53'
set traffic-policy shaper upload class 2 match icmp ip protocol 'icmp'
set traffic-policy shaper upload class 2 match ssh ip destination port '22'
set traffic-policy shaper upload class 2 match syn ip tcp syn
set traffic-policy shaper upload class 2 priority '5'
set traffic-policy shaper upload class 2 queue-limit '16'
set traffic-policy shaper upload class 2 queue-type 'fair-queue'
set traffic-policy shaper upload class 5 bandwidth '10%'
set traffic-policy shaper upload class 5 burst '15k'
set traffic-policy shaper upload class 5 ceiling '100%'
set traffic-policy shaper upload class 5 match http ip destination port '80'
set traffic-policy shaper upload class 5 match https ip destination port '443'
set traffic-policy shaper upload class 5 priority '4'
set traffic-policy shaper upload class 5 queue-type 'fair-queue'
set traffic-policy shaper upload default bandwidth '60%'
set traffic-policy shaper upload default burst '15k'
set traffic-policy shaper upload default ceiling '100%'
set traffic-policy shaper upload default priority '3'
set traffic-policy shaper upload default queue-type 'fair-queue'

11.2 Traffic policies in VyOS

An overview of QoS traffic policies supported by VyOS.

11.2.1 Drop-tail (FIFO)

A packet queuing mechanism on a FIFO (First In, First Out) basis; packets are sent out in the same order as they
arrive. The queue has a defined length, packets arriving after the queue is filled up will be dropped (hence the name
drop tail, the “tail” of the queue will be dropped). With this policy in place, all traffic is treated equally and put into a
single queue. Applicable to outbound traffic only.
Available commands:
• Define a drop-tail policy (unique name, exclusive to this policy):
set traffic-policy drop-tail <policy name>
• Add a description:
set traffic-policy drop-tail <policy name> description <description>
• Set the queue length limit (max. number of packets in queue), range 0. . . 4294967295 packets:
set traffic-policy drop-tail <policy name> queue-limit <limit>

11.2.2 Fair queue (SFQ)

Fair queue is a packet queuing mechanism that separates traffic flows based on their source/destination IP addresses
and/or source port and places them into buckets. Bandwidth is allocated fairly between buckets based on the Stochastic
airness Queuing algorithm. Applicable to outbound traffic only.
Available commands:

11.2. Traffic policies in VyOS 69


VyOS Documentation, Release 1.2.0-beta

• Define a fair queue policy:


set traffic-policy fair-queue <policy name>
• Add a description:
set traffic-policy fair-queue <policy name> description <description>
• Set hash update interval; the algorithm used is stochastic and thus not ‘truly’ fair, hash collisions can occur, in
which case traffic flows may be put into the same bucket. To mitigate this, the hashes can be updated at a set
interval, Range 0. . . 4294967295 seconds:
set traffic-policy fair-queue <policy name> hash-interval <seconds>
• Set the queue-limit (max. number of packets in queue), range 0. . . 4294967295 packets, default 127:
set traffic-policy fair-queue <policy name> queue-limit <limit>

11.2.3 Limiter

The limiter performs ingress policing of traffic flows. Multiple classes of traffic can be defined and traffic limits can be
applied to each class. Traffic exceeding the defined bandwidth limits is dropped. Applicable to inbound traffic only.
Available commands:
• Define a traffic limiter policy: set traffic-policy limiter <policy-name>
• Add a description: set traffic-policy limiter <policy-name> description
<description>

Traffic classes

• Define a traffic class for a limiter policy, range for class ID is 1. . . 4095:
set traffic-policy limiter <policy-name> class <class ID>
• Add a class description:
set traffic-policy limiter <policy-name> class <class ID> description
<description>
• Specify a bandwidth limit for a class, in kbit/s:
set traffic-policy limiter <policy-name> class <class ID> bandwidth
<rate>.
Available suffixes:
• kbit (kilobits per second, default)
• mbit (megabits per second)
• gbit (gigabits per second)
• kbps (kilobytes per second)
• mbps (megabytes per second)
• gbps (gigabytes per second)
• Set a burst size for a class, the maximum amount of traffic that can be sent, in bytes:
set traffic-policy limiter <policy-name> class <class ID> burst
<burst-size>.

70 Chapter 11. QoS and Traffic Policy


VyOS Documentation, Release 1.2.0-beta

Available suffixes:
• kb (kilobytes)
• mb (megabytes)
• gb (gigabytes)

Default class

• Define a default class for a limiter policy that applies to traffic not matching any other classes for this policy:
set traffic-policy limiter <policy name> default
• Specify a bandwidth limit for the default class, in kbit/s:
set traffic-policy limiter <policy name> default bandwidth <rate>.
Available suffixes:
• kbit (kilobits per second, default)
• mbit (megabits per second)
• gbit (gigabits per second)
• kbps (kilobytes per second)
• mbps (megabytes per second)
• gbps (gigabytes per second)
• Set a burst size for the default class, the maximum amount of traffic that can be sent, in bytes:
set traffic-policy limiter <policy-name> default burst <burst-size>.
Available suffixes:
• kb (kilobytes)
• mb (megabytes)
• gb (gigabytes)
• Specify the priority of the default class to set the order in which the rules are evaluated, the higher the number
the lower the priority, range 0. . . 20 (default 20):
set traffic-policy limiter <policy name> default priority <priority>

Matching rules

• Define a traffic class matching rule:


set traffic-policy limiter <policy name> class <class ID> match <match
name>
• Add a description:
set traffic-policy limiter <policy name> class <class ID> match <match
name> description <description>
• Specify the priority of a matching rule to set the order in which the rules are evaluated, the higher the number
the lower the priority, range 0. . . 20 (default 20):

11.2. Traffic policies in VyOS 71


VyOS Documentation, Release 1.2.0-beta

set traffic-policy limiter <policy name> class <class ID> priority


<priority>
• Specify a match criterion based on a destination MAC address (format: xx:xx:xx:xx:xx:xx):
set traffic-policy limiter <policy name> class <class ID> match <match
name> ether destination <MAC address>
• Specify a match criterion based on a source MAC address (format: xx:xx:xx:xx:xx:xx):
set traffic-policy limiter <policy name> class <class ID> match <match
name> ether source <MAC address>
• Specify a match criterion based on packet type/protocol, range 0. . . 65535:
set traffic-policy limiter <policy name> class <class ID> match <match
name> ether protocol <number>
• Specify a match criterion based on the fwmark field, range 0. . . .4294967295:
set traffic-policy limiter <policy name> class <class ID> match <match
name> mark <fwmark>
• Specify a match criterion based on VLAN ID, range 1. . . 4096:
set traffic-policy limiter <policy name> class <class ID> match <match
name> vif <VLAN ID>
IPv4
• Specify a match criterion based on destination IPv4 address and/or port, port may be specified as number or
service name (i.e. ssh):
set traffic-policy limiter <policy name> class <class ID> match <match
name> ip destination <IPv4 address|port>
• Specify a match criterion based on source IPv4 address and/or port, port may be specified as number or service
name (i.e. ssh):
set traffic-policy limiter <policy name> class <class ID> match <match
name> ip source <IPv4 address|port>
• Specify a match criterion based on DSCP (Differentiated Services Code Point) value, DSCP value may be
specified as decimal or hexadecimal number:
set traffic-policy limiter <policy name> class <class ID> match <match
name> ip dscp <DSCP value>
• Specify a match criterion based on IPv4 protocol, protocol may be specified by name (i.e. icmp) or IANA-
assigned number:
set traffic-policy limiter <policy name> class <class ID> match <match
name> ip protocol <proto>
IPv6
• Specify a match criterion based on destination IPv6 address and/or port, port may be specified as number or
service name (i.e. ssh):
set traffic-policy limiter <policy name> class <class ID> match <match
name> ipv6 destination <IPv6 address|port>
• Specify a match criterion based on source IPv6 address and/or port, port may be specified as number or
service name (i.e. ssh):

72 Chapter 11. QoS and Traffic Policy


VyOS Documentation, Release 1.2.0-beta

set traffic-policy limiter <policy name> class <class ID> match <match
name> ipv6 source <IPv6 address|port>
• Specify a match criterion based on DSCP (Differentiated Services Code Point) value, DSCP value may be
specified as decimal or hexadecimal number:
set traffic-policy limiter <policy name> class <class ID> match <match
name> ipv6 dscp <DSCP value>
• Specify a match criterion based on IPv6 protocol, protocol may be specified by name (i.e. icmp) or IANA-
assigned number:
set traffic-policy limiter <policy name> class <class ID> match <match
name> ipv6 protocol <proto>

11.2.4 Network emulator

The network emulator policy emulates WAN traffic, which is useful for testing purposes. Applicable to outbound
traffic only.
Available commands:
• Define a network emulator policy:
set traffic-policy network-emulator <policy name>
• Add a description:
set traffic-policy network-emulator <policy name> description
<description>
• Specify a bandwidth limit in kbit/s:
set traffic-policy network-emulator <policy name> bandwidth <rate>
Available suffixes:
• kbit (kilobits per second, default)
• mbit (megabits per second)
• gbit (gigabits per second)
• kbps (kilobytes per second)
• mbps (megabytes per second)
• gbps (gigabytes per second)
• Set a burst size, the maximum amount of traffic that can be sent, in bytes:
set traffic-policy network-emulator <policy name> burst <burst size>
Available suffixes:
• kb (kilobytes)
• mb (megabytes)
• gb (gigabytes)
• Define a delay between packets:
set traffic-policy network-emulator <policy name> network-delay <delay>
Available suffixes:

11.2. Traffic policies in VyOS 73


VyOS Documentation, Release 1.2.0-beta

• secs (seconds)
• ms (milliseconds, default)
• us (microseconds)
• Set a percentage of corrupted of packets (one bit flip, unchanged checksum):
set traffic-policy network-emulator <policy name> packet-corruption
<percent>
• Set a percentage of random packet loss:
set traffic-policy network-emulator <policy name> packet-loss <percent>
• Set a percentage of packets for random reordering:
set traffic-policy network-emulator <policy name> packet-reordering
<percent>
• Set a queue length limit in packets, range 0. . . 4294967295, default 127:
set traffic-policy network-emulator <policy name> queue-limit <limit>

11.2.5 Priority queue

Up to seven queues with differing priorities can be defined, packets are placed into queues based on associated match
criteria. Packets are transmitted from the queues in priority order. If queues with a higher order are being filled with
packets continuously, packets from lower priority queues will only be transmitted after traffic volume from higher
priority queues decreases.
Available commands:
• Define a priority queue:
set traffic-policy priority-queue <policy name>
• Add a description:
set traffic-policy priority-queue <policy name> description <description>

Traffic classes

• Define a traffic class, each class is a separate queue, range for class ID is 1. . . 7, while 1 being the lowest priority:
set traffic-policy priority-queue <policy name> class <class ID>
• Add a class description:
set traffic-policy priority-queue <policy name> class <class ID>
description <description>
• Set a queue length limit in packets, default 1000:
set traffic-policy priority-queue <policy name> class <class ID>
queue-limit <limit>
• Specify a queue type for a traffic class, available queue types:
• drop-tail
• fair-queue
• random-detect

74 Chapter 11. QoS and Traffic Policy


VyOS Documentation, Release 1.2.0-beta

set traffic-policy priority-queue <policy name> class <class


ID> queue-type <type>

Default class

• Define a default priority queue:


set traffic-policy priority-queue <policy name> default
• Define a maximum queue length for the default traffic class in packets:
set traffic-policy priority-queue <policy name> default queue-limit
<limit>
• Specify the queuing type for the default traffic class, available queue types:
• drop-tail
• fair-queue
• random-detect
set traffic-policy priority-queue <policy name> default
queue-type <type>

Matching rules

• Define a class matching rule:


set traffic-policy priority-queue <policy name> class <class ID> match
<match name>
• Add a match rule description:
set traffic-policy priority-queue <policy name> class <class ID> match
<match name> description <description>
• Specify a match criterion based on a destination MAC address (format: xx:xx:xx:xx:xx:xx):
set traffic-policy priority-queue <policy name> class <class ID> match
<match name> ether destination <MAC address>
• Specify a match criterion based on a source MAC address (format: xx:xx:xx:xx:xx:xx):
set traffic-policy priority-queue <policy name> class <class ID> match
<match name> ether source <MAC address>
• Specify a match criterion based on packet type/protocol, range 0. . . 65535:
set traffic-policy priority-queue <policy name> class <class ID> match
<match name> ether protocol <number>
• Specify a match criterion based on ingress interface:
set traffic-policy priority-queue <policy name> class <class ID> match
<match name> interface <interface>
• Specify a match criterion based on the fwmark field, range 0. . . .4294967295:
set traffic-policy priority-queue <policy name> class <class ID> match
<match name> mark <fwmark>

11.2. Traffic policies in VyOS 75


VyOS Documentation, Release 1.2.0-beta

• Specify a match criterion based on VLAN ID, range 1. . . 4096:


set traffic-policy priority-queue <policy name> class <class ID> match
<match name> vif <VLAN ID>
IPv4
• Specify a match criterion based on destination IPv4 address and/or port, port may be specified as number or
service name (i.e. ssh):
set traffic-policy priority-queue <policy name> class <class ID> match
<match name> ip destination <IPv4 address|port>
• Specify a match criterion based on source IPv4 address and/or port, port may be specified as number or
service name (i.e. ssh):
set traffic-policy priority-queue <policy name> class <class ID> match
<match name> ip source <IPv4 address|port>
• Specify a match criterion based on DSCP (Differentiated Services Code Point) value, DSCP value may be
specified as decimal or hexadecimal number:
set traffic-policy priority-queue <policy name> class <class ID> match
<match name> ip dscp <DSCP value>
• Specify a match criterion based on IPv4 protocol, protocol may be specified by name (i.e. icmp) or IANA-
assigned number:
set traffic-policy priority-queue <policy name> class <class ID> match
<match name> ip protocol <proto>
IPv6
• Specify a match criterion based on destination IPv6 address and/or port, port may be specified as number or
service name (i.e. ssh):
set traffic-policy priority-queue <policy name> class <class ID> match
<match name> ipv6 destination <IPv6 address|port>
• Specify a match criterion based on source IPv6 address and/or port, port may be specified as number or
service name (i.e. ssh):
set traffic-policy priority-queue <policy name> class <class ID> match
<match name> ipv6 source <IPv6 address|port>
• Specify a match criterion based on DSCP (Differentiated Services Code Point) value, DSCP value may be
specified as decimal or hexadecimal number:
set traffic-policy priority-queue <policy name> class <class ID> match
<match name> ipv6 dscp <DSCP value>
• Specify a match criterion based on IPv6 protocol, protocol may be specified by name (i.e. icmp) or IANA-
assigned number:
set traffic-policy priority-queue <policy name> class <class ID> match
<match name> ipv6 protocol <proto>

11.2.6 Random Early Detection (RED/WRED)

76 Chapter 11. QoS and Traffic Policy


VyOS Documentation, Release 1.2.0-beta

RED

A Random Early Detection (RED) policy starts randomly dropping packets from a queue before it reaches its queue
limit thus avoiding congestion. It is also beneficial for TCP connections as the gradual dropping of packets acts as a
signal for the sender to decrease its transmission rate, avoiding global TCP synchronisation. Applicable to outbound
traffic only.
Available commands:
• Define a RED policy:
set traffic-policy random-detect <policy name>
• Add a description:
set traffic-policy random-detect <policy name> description <description>
• Set a bandwidth limit, default auto:
set traffic-policy random-detect <policy name> bandwidth <rate>
Available suffixes:</u>
• auto (bandwidth limit based on interface speed, default)
• kbit (kilobits per second)
• mbit (megabits per second)
• gbit (gigabits per second)
• kbps (kilobytes per second)
• mbps (megabytes per second)
• gbps (gigabytes per second)

WRED

In contrast to RED, Weighted Random Early Detection (WRED) differentiates between classes of traffic in a single
queue and assigns different precedence to traffic flows accordingly; low priority packets are dropped from a queue
earlier than high priority packets. This is achieved by using the first three bits of the ToS (Type of Service) field to
categorise data streams and in accordance with the defined precedence parameters a decision is made. A WRED policy
is defined with the following parameters:
• precedence
• min-threshold
• max-threshold
• average-packet
• mark-probability
• queue-limit
If the average queue size is lower than the min-threshold, an arriving packet is placed in the queue. If the
average queue size is between min-threshold and max-threshold an arriving packet is either dropped or
placed in the queue depending on the defined mark-probability. In case the average queue size is larger than
max-threshold, packets are dropped. If the current queue size is larger than queue-limit, packets are dropped.
The average queue size depends on its former average size and its current size. If max-threshold is set but
min-threshold is not, then min-threshold is scaled to 50% of max-threshold. In principle, values must
be min-threshold < max-threshold < queue-limit. Applicable to outbound traffic only.

11.2. Traffic policies in VyOS 77


VyOS Documentation, Release 1.2.0-beta

Possible values for WRED parameters:


• precedence - IP precedence, first three bits of the ToS field as defined in RFC791.

Precedence Priority
7 Network Control
6 Internetwork Control
5 CRITIC/ECP
4 Flash Override
3 Flash
2 Immediate
1 Priority
0 Routine

• min-threshold - Min value for the average queue length, packets are dropped if the average queue length reaches
this threshold. Range 0. . . 4096, default is dependent on precedence:

Precedence default min-threshold


7 16
6 15
5 14
4 13
3 12
2 11
1 10
0 9

• max-threshold - Max value for the average queue length, packets are dropped if this value is exceeded. Range
0. . . 4096 packets, default 18.
• average-packet - Average packet size in bytes, default 1024.
• mark-probability - The fraction of packets (n/probability) dropped from the queue when the average queue
length reaches <code>max-threshold</code>, default 10.
• queue-limit - Packets are dropped when the current queue length reaches this value, default 4*<code>max-
threshold</code>.
Usage:
set traffic-policy random-detect <policy-name> precedence <precedence>
[average-packet <bytes> | mark-probability <probability> | max-threshold <max>
| min-threshold <min> | queue-limit <packets>]

11.2.7 Rate control (TBF)

The rate control policy uses the Token Bucket Filter (TBF) algorithm to limit the packet flow to a set rate. Short bursts
can be allowed to exceed the limit. Applicable to outbound traffic only.
Available commands:
• Define a rate control policy:
set traffic-policy rate-control <policy-name>
• Add a description:
set traffic-policy rate-control <policy-name> description <description>

78 Chapter 11. QoS and Traffic Policy


VyOS Documentation, Release 1.2.0-beta

• Specify a bandwidth limit in kbits/s:


set traffic-policy rate-control <policy-name> bandwidth <rate>
Available suffixes:</u>
• kbit (kilobits per second, default)
• mbit (megabits per second)
• gbit (gigabits per second)
• kbps (kilobytes per second)
• mbps (megabytes per second)
• gbps (gigabytes per second)
• Specify a burst size in bytes, default 15 kilobytes:
set traffic-policy rate-control <policy-name> burst <burst-size>
Available suffixes:
• kb (kilobytes)
• mb (megabytes)
• gb (gigabytes)
• Specify a latency in milliseconds; the maximum amount of time packets are allowed to wait in the queue, default
50 milliseconds:
set traffic-policy rate-control <policy-name> latency
Available suffixes:
• secs (seconds)
• ms (milliseconds, default)
• us (microseconds)

11.2.8 Round robin (DRR)

The round robin policy divides available bandwidth between all defined traffic classes.
Available commands:
• Define a round robin policy:
set traffic-policy round-robin <policy-name>
• Add a description:
set traffic-policy round-robin <policy-name> description <description>
• Define a traffic class ID, range 2. . . 4095:
set traffic-policy round-robin <policy-name> class <class>
Default policy:
• Define a default priority queue:
set traffic-policy round-robin <policy name> default

11.2. Traffic policies in VyOS 79


VyOS Documentation, Release 1.2.0-beta

• Set the number of packets that can be sent per scheduling quantum:
set traffic-policy round-robin <policy name> default quantum <packets>
• Define a maximum queue lenght for the default policy in packets:
set traffic-policy round-robin <policy name> default queue-limit <limit>
• Specify the queuing type for the default policy, available queue types:
• drop-tail
• fair-queue
• priority (based on the DSCP values in the ToS byte)
set traffic-policy round-robin <policy name> default
queue-type <type>

Matching rules

• Define a class matching rule:


set traffic-policy round-robin <policy name> class <class ID> match <match
name>
• Add a match rule description:
set traffic-policy round-robin <policy name> class <class ID> match <match
name> description <description>
• Specify a match criterion based on a destination MAC address (format: xx:xx:xx:xx:xx:xx):
set traffic-policy round-robin <policy name> class <class ID> match <match
name> ether destination <MAC address>
• Specify a match criterion based on a source MAC address (format: xx:xx:xx:xx:xx:xx):
set traffic-policy round-robin <policy name> class <class ID> match <match
name> ether source <MAC address>
• Specify a match criterion based on packet type/protocol, range 0. . . 65535:
set traffic-policy round-robin <policy name> class <class ID> match <match
name> ether protocol <number>
• Specify a match criterion based on ingress interface:
set traffic-policy round-robin <policy name> class <class ID> match <match
name> interface <interface>
• Specify a match criterion based on the fwmark field, range 0. . . .4294967295:
set traffic-policy round-robin <policy name> class <class ID> match <match
name> mark <fwmark>
• Specify a match criterion based on VLAN ID, range 1. . . 4096:
set traffic-policy round-robin <policy name> class <class ID> match <match
name> vif <VLAN ID>*
IPv4

80 Chapter 11. QoS and Traffic Policy


VyOS Documentation, Release 1.2.0-beta

• Specify a match criterion based on destination IPv4 address and/or port, port may be specified as number or
service name (i.e. ssh):
set traffic-policy round-robin <policy name> class <class ID> match <match
name> ip destination <IPv4 address|port>
• Specify a match criterion based on source IPv4 address and/or port, port may be specified as number or
service name (i.e. ssh):
set traffic-policy round-robin <policy name> class <class ID> match <match
name> ip source <IPv4 address|port>
• Specify a match criterion based on DSCP (Differentiated Services Code Point) value, DSCP value may be
specified as decimal or hexadecimal number:
set traffic-policy round-robin <policy name> class <class ID> match <match
name> ip dscp <DSCP value>
• Specify a match criterion based on IPv4 protocol, protocol may be specified by name (i.e. icmp) or IANA-
assigned number:
set traffic-policy round-robin <policy name> class <class ID> match <match
name> ip protocol <proto>
IPv6
• Specify a match criterion based on destination IPv6 address and/or port, port may be specified as number or
service name (i.e. ssh):
set traffic-policy round-robin <policy name> class <class ID> match <match
name> ipv6 destination <IPv6 address|port>
• Specify a match criterion based on source IPv6 address and/or port, port may be specified as number or
service name (i.e. ssh):
set traffic-policy round-robin <policy name> class <class ID> match <match
name> ipv6 source <IPv6 address|port>
• Specify a match criterion based on DSCP (Differentiated Services Code Point) value, DSCP value may be
specified as decimal or hexadecimal number:
set traffic-policy round-robin <policy name> class <class ID> match <match
name> ipv6 dscp <DSCP value>
• Specify a match criterion based on IPv6 protocol, protocol may be specified by name (i.e. icmp) or IANA-
assigned number:
set traffic-policy round-robin <policy name> class <class ID> match <match
name> ipv6 protocol <proto>

11.2.9 Traffic shaper

The shaper policy uses the Hierarchical Token Bucket algorithm to allocate different amounts of bandwidth to different
traffic classes. In contrast to round robin, shaper limits bandwidth allocation by traffic class whereas round robin
divides the total available bandwidth between classes.
Avialable commands:
• Define a shaper policy:
set traffic-policy shaper <policy-name>

11.2. Traffic policies in VyOS 81


VyOS Documentation, Release 1.2.0-beta

• Add a description:
set traffic-policy shaper <policy-name> description <description>
• Set the available bandwidth for all combined traffic of this policy in kbit/s, default 100%:
set traffic-policy shaper <policy-name> bandwidth <rate>
Available suffixes:
• % (percentage of total bandwidth)
• kbit (kilobits per second)
• mbit (megabits per second)
• gbit (gigabits per second)
• kbps (kilobytes per second)
• mbps (megabytes per second)
• gbps (gigabytes per second)

Traffic classes

• Define a traffic class for a shaper policy, range for class ID is 2. . . 4095:
set traffic-policy shaper <policy-name> class <class ID>
• Add a class description:
set traffic-policy shaper <policy name> class <class ID> description
<description>
• Specify a bandwidth limit for a class, in kbit/s:
set traffic-policy shaper <policy-name> class <class ID> bandwidth <rate>
Available suffixes:
• kbit (kilobits per second, default)
• mbit (megabits per second)
• gbit (gigabits per second)
• kbps (kilobytes per second)
• mbps (megabytes per second)
• gbps (gigabytes per second)
• Set a burst size for a class, the maximum amount of traffic that can be sent, in bytes:
set traffic-policy shaper <policy-name> class <class ID> burst
<burst-size>
Available suffixes:
• kb (kilobytes)
• mb (megabytes)
• gb (gigabytes)

82 Chapter 11. QoS and Traffic Policy


VyOS Documentation, Release 1.2.0-beta

• Set a bandwidth ceiling for a class in kbit/s:


set traffic-policy shaper <policy-name> class <class ID> ceiling <rate>
Available suffixes:
• % (percentage of total bandwidth)
• kbit (kilobits per second)
• mbit (megabits per second)
• gbit (gigabits per second)
• Set the priority of a class for allocation of additional bandwidth, if unused bandwidth is available. Range 0. . . 7,
lowest number has lowest priority, default 0:
set traffic-policy shaper <policy-name> class <class ID> priority
<priority>
• Set a queue length limit in packets:
set traffic-policy shaper <policy name> class <class ID> queue-limit
<limit>
• Specify a queue type for a traffic class, default fair-queue. Available queue types:
• drop-tail
• fair-queue
• random-detect
• priority
set traffic-policy shaper <policy name> class <class ID>
queue-type <type>
• Modify DSCP field; the DSCP field value of packets in a class can be rewritten to change the forwarding
behaviour and allow for traffic conditioning:
set traffic-policy shaper <policy name> class <class ID> set-dscp <value>
DSCP values as per RFC2474 and RFC4595:

11.2. Traffic policies in VyOS 83


VyOS Documentation, Release 1.2.0-beta

Binary value Configured value Drop rate Description


101110 46 – Expedited forwarding
(EF)
000000 0 – Best effort traffic, de-
fault
001010 10 Low Assured Forward-
ing(AF) 11
001100 12 Medium Assured Forward-
ing(AF) 12
001110 14 High Assured Forward-
ing(AF) 13
010010 18 Low Assured Forward-
ing(AF) 21
010100 20 Medium Assured Forward-
ing(AF) 22
010110 22 High Assured Forward-
ing(AF) 23
011010 26 Low Assured Forward-
ing(AF) 31
011100 28 Medium Assured Forward-
ing(AF) 32
011110 30 High Assured Forward-
ing(AF) 33
100010 34 Low Assured Forward-
ing(AF) 41
100100 36 Medium Assured Forward-
ing(AF) 42
100110 38 High Assured Forward-
ing(AF) 43

Matching rules

• Define a class matching rule:


set traffic-policy shaper <policy name> class <class ID> match <match
name>
• Add a match rule description:
set traffic-policy shaper <policy name> class <class ID> match <match
name> description <description>
• Specify a match criterion based on a destination MAC address (format: xx:xx:xx:xx:xx:xx):
set traffic-policy shaper <policy name> class <class ID> match <match
name> ether destination <MAC address>
• Specify a match criterion based on a source MAC address (format: xx:xx:xx:xx:xx:xx):
set traffic-policy shaper <policy name> class <class ID> match <match
name> ether source <MAC address>
• Specify a match criterion based on packet type/protocol, range 0. . . 65535:
set traffic-policy shaper <policy name> class <class ID> match <match
name> ether protocol <number>

84 Chapter 11. QoS and Traffic Policy


VyOS Documentation, Release 1.2.0-beta

• Specify a match criterion based on ingress interface:


set traffic-policy shaper <policy name> class <class ID> match <match
name> interface <interface>
• Specify a match criterion based on the fwmark field, range 0. . . .4294967295:
set traffic-policy shaper <policy name> class <class ID> match <match
name> mark <fwmark>
• Specify a match criterion based on VLAN ID, range 1. . . 4096:
set traffic-policy round-robin <policy name> class <class ID> match <match
name> vif <VLAN ID>
IPv4
• Specify a match criterion based on destination IPv4 address and/or port, port may be specified as number or
service name (i.e. ssh):
set traffic-policy shaper <policy name> class <class ID> match <match
name> ip destination <IPv4 address|port>
• Specify a match criterion based on source IPv4 address and/or port, port may be specified as number or
service name (i.e. ssh):
set traffic-policy shaper <policy name> class <class ID> match <match
name> ip source <IPv4 address|port>
• Specify a match criterion based on DSCP (Differentiated Services Code Point) value, DSCP value may be
specified as decimal or hexadecimal number:
set traffic-policy shaper <policy name> class <class ID> match <match
name> ip dscp <DSCP value>
• Specify a match criterion based on IPv4 protocol, protocol may be specified by name (i.e. icmp) or IANA-
assigned number:
set traffic-policy shaper <policy name> class <class ID> match <match
name> ip protocol <proto>
IPv6
• Specify a match criterion based on destination IPv6 address and/or port, port may be specified as number or
service name (i.e. ssh):
set traffic-policy shaper <policy name> class <class ID> match <match
name> ipv6 destination <IPv6 address|port>
• Specify a match criterion based on source IPv6 address and/or port, port may be specified as number or
service name (i.e. ssh):
set traffic-policy shaper <policy name> class <class ID> match <match
name> ipv6 source <IPv6 address|port>
• Specify a match criterion based on DSCP (Differentiated Services Code Point) value, DSCP value may be
specified as decimal or hexadecimal number:
set traffic-policy shaper <policy name> class <class ID> match <match
name> ipv6 dscp <DSCP value>
• Specify a match criterion based on IPv6 protocol, protocol may be specified by name (i.e. icmp) or IANA-
assigned number:

11.2. Traffic policies in VyOS 85


VyOS Documentation, Release 1.2.0-beta

set traffic-policy shaper <policy name> class <class ID> match <match
name> ipv6 protocol <proto>

11.2.10 shaper-hfsc (HFSC + sfq)

TBD

11.3 Ingress shaping

The case of ingress shaping. Only a limiter policy can be applied directly for ingress traffic on an interface. It is
possible though to use what is called an Intermediate Functional Block (IFB) to allow the usage of any policy on the
ingress traffic.
Let’s assume eth0 is your WAN link. You created two traffic-policies: WAN-IN and WAN-OUT.
Steps to do:
• First, create the IFB:
set interfaces input ifb0 description "WAN Input"
• Apply the WAN-OUT traffic-policy to ifb0 input.
set interfaces input ifb0 traffic-policy in WAN-IN
• Redirect traffic from eth0 to ifb0
set interfaces ethernet eth0 redirect ifb0

11.4 Classful policies and traffic matching

limiter, round-robin, priority-queue, shaper and shaper-hfsc distribute traffic into different classes with different op-
tions. In VyOS, classes are numbered and work like firewall rules. e.g:
set traffic-policy shaper SHAPER class 30

11.4.1 Matching traffic

A class can have multiple match filters:

set traffic-policy <POLICY> <POLICY-NAME> class N match MATCH-FILTER-NAME

Example:

set traffic-policy shaper SHAPER class 30 match HTTP


set traffic-policy shaper SHAPER class 30 match HTTPs

A match filter contains multiple criteria and will match traffic if all those criteria are true.
For example:

set traffic-policy shaper SHAPER class 30 match HTTP ip protocol tcp


set traffic-policy shaper SHAPER class 30 match HTTP ip source port 80

This will match tcp traffic with source port 80.

86 Chapter 11. QoS and Traffic Policy


VyOS Documentation, Release 1.2.0-beta

description

set traffic-policy shaper SHAPER class 30 match MATCH description "match filter
˓→description"

ether

edit traffic-policy shaper SHAPER class 30 match MATCH ether

destination

protocol

source

interface

edit traffic-policy shaper SHAPER class 30 match MATCH interface <interface-name>

ip

edit traffic-policy shaper SHAPER class 30 match MATCH ip

destination

set destination address IPv4-SUBNET


set destination port U32-PORT

dscp

set dscp DSCPVALUE

max-length

set max-length U32-MAXLEN

Will match ipv4 packets with a total length lesser than set value.

protocol

set protocol <IP PROTOCOL>

11.4. Classful policies and traffic matching 87


VyOS Documentation, Release 1.2.0-beta

source

set source address IPv4-SUBNET


set source port U32-PORT

tcp

Note: You must set ip protocol to TCP to use the TCP filters.

Note: This filter will only match packets with an IPv4 header length of 20 bytes (which is the majority of IPv4
packets anyway).

set tcp ack

Will match tcp packets with ACK flag set.

set tcp syn

Will match tcp packets with SYN flag set.

ipv6

edit traffic-policy shaper SHAPER class 30 match MATCH ipv6

destination

set destination address IPv6-SUBNET


set destination port U32-PORT

dscp

set dscp DSCPVALUE

max-length

set max-length U32-MAXLEN

Will match ipv6 packets with a payload length lesser than set value.

88 Chapter 11. QoS and Traffic Policy


VyOS Documentation, Release 1.2.0-beta

protocol

set protocol IPPROTOCOL

source

set source address IPv6-SUBNET


set source port U32-PORT

tcp

Note: You must set ipv6 protocol to TCP to use the TCP filters.

Note: This filter will only match IPv6 packets with no header extension, see http://en.wikipedia.org/wiki/IPv6_
packet#Extension_headers for no header extension.

set tcp ack

Will match tcp packets with ACK flag set.

set tcp syn

Will match tcp packets with SYN flag set.

mark

set traffic-policy shaper SHAPER class 30 match MATCH mark **firewall-mark**

vif

set traffic-policy shaper SHAPER class 30 match MATCH vif **vlan-tag**

set interfaces ethernet eth0 traffic-policy out 'WAN-OUT'


set interfaces ethernet eth1 traffic-policy out 'LAN-OUT'

11.4. Classful policies and traffic matching 89


VyOS Documentation, Release 1.2.0-beta

90 Chapter 11. QoS and Traffic Policy


CHAPTER 12

Services

This chapter descriptes the available system/network services provided by VyOS.

12.1 Conntrack

One of the important features built on top of the Netfilter framework is connection tracking. Connection tracking
allows the kernel to keep track of all logical network connections or sessions, and thereby relate all of the packets
which may make up that connection. NAT relies on this information to translate all related packets in the same way,
and iptables can use this information to act as a stateful firewall.
The connection state however is completely independent of any upper-level state, such as TCP’s or SCTP’s state.
Part of the reason for this is that when merely forwarding packets, i.e. no local delivery, the TCP engine may not
necessarily be invoked at all. Even connectionless-mode transmissions such as UDP, IPsec (AH/ESP), GRE and other
tunneling protocols have, at least, a pseudo connection state. The heuristic for such protocols is often based upon a
preset timeout value for inactivity, after whose expiration a Netfilter connection is dropped.
Each Netfilter connection is uniquely identified by a (layer-3 protocol, source address, destination address, layer-4
protocol, layer-4 key) tuple. The layer-4 key depends on the transport protocol; for TCP/UDP it is the port numbers,
for tunnels it can be their tunnel ID, but otherwise is just zero, as if it were not part of the tuple. To be able to inspect
the TCP port in all cases, packets will be mandatorily defragmented.

12.1.1 Configuration

# Protocols only for which local conntrack entries will be synced (tcp, udp, icmp,
˓→sctp)

set service conntrack-sync accept-protocol

# Queue size for listening to local conntrack events (in MB)


set service conntrack-sync event-listen-queue-size <int>

# Protocol for which expect entries need to be synchronized. (all, ftp, h323, nfs,
˓→sip, sqlnet)
(continues on next page)

91
VyOS Documentation, Release 1.2.0-beta

(continued from previous page)


set service conntrack-sync expect-sync

# Failover mechanism to use for conntrack-sync [REQUIRED]


set service conntrack-sync failover-mechanism

set service conntrack-sync cluster group <string>


set service conntrack-sync vrrp sync-group <1-255>

# IP addresses for which local conntrack entries will not be synced


set service conntrack-sync ignore-address ipv4 <x.x.x.x>

# Interface to use for syncing conntrack entries [REQUIRED]


set service conntrack-sync interface <ifname>

# Multicast group to use for syncing conntrack entries


set service conntrack-sync mcast-group <x.x.x.x>

# Queue size for syncing conntrack entries (in MB)


set service conntrack-sync sync-queue-size <size>

12.1.2 Example

The next exemple is a simple configuration of conntrack-sync.

Fig. 1: Conntrack Sync Example

First of all, make sure conntrack is enabled by running

92 Chapter 12. Services


VyOS Documentation, Release 1.2.0-beta

show conntrack table ipv4

If the table is empty and you have a warning message, it means conntrack is not enabled. To enable conntrack, just
create a NAT or a firewall rule.

set firewall state-policy established action accept

You now should have a conntrack table

$ show conntrack table ipv4


TCP state codes: SS - SYN SENT, SR - SYN RECEIVED, ES - ESTABLISHED,
FW - FIN WAIT, CW - CLOSE WAIT, LA - LAST ACK,
TW - TIME WAIT, CL - CLOSE, LI - LISTEN

CONN ID Source Destination Protocol TIMEOUT


1015736576 10.35.100.87:58172 172.31.20.12:22 tcp [6] ES 430279
1006235648 10.35.101.221:57483 172.31.120.21:22 tcp [6] ES 413310
1006237088 10.100.68.100 172.31.120.21 icmp [1] 29
1015734848 10.35.100.87:56282 172.31.20.12:22 tcp [6] ES 300
1015734272 172.31.20.12:60286 239.10.10.14:694 udp [17] 29
1006239392 10.35.101.221 172.31.120.21 icmp [1] 29

Now configure conntrack-sync service on router1 and router2

set service conntrack-sync accept-protocol 'tcp,udp,icmp'


set service conntrack-sync event-listen-queue-size '8'
set service conntrack-sync failover-mechanism cluster group 'GROUP' # Or VRRP
set service conntrack-sync interface 'eth0'
set service conntrack-sync mcast-group '225.0.0.50'
set service conntrack-sync sync-queue-size '8'

On the active router, you should have informations in the internal-cache of conntrack-sync. The same current active
connections number should be shown in the external-cache of the standby router
On active router run:

$ show conntrack-sync statistics

Main Table Statistics:

cache internal:
current active connections: 10
connections created: 8517 failed: 0
connections updated: 127 failed: 0
connections destroyed: 8507 failed: 0

cache external:
current active connections: 0
connections created: 0 failed: 0
connections updated: 0 failed: 0
connections destroyed: 0 failed: 0

traffic processed:
0 Bytes 0 Pckts

multicast traffic (active device=eth0):


868780 Bytes sent 224136 Bytes recv
(continues on next page)

12.1. Conntrack 93
VyOS Documentation, Release 1.2.0-beta

(continued from previous page)


20595 Pckts sent 14034 Pckts recv
0 Error send 0 Error recv

message tracking:
0 Malformed msgs 0 Lost msgs

On standby router run:

$ show conntrack-sync statistics

Main Table Statistics:

cache internal:
current active connections: 0
connections created: 0 failed: 0
connections updated: 0 failed: 0
connections destroyed: 0 failed: 0

cache external:
current active connections: 10
connections created: 888 failed: 0
connections updated: 134 failed: 0
connections destroyed: 878 failed: 0

traffic processed:
0 Bytes 0 Pckts

multicast traffic (active device=eth0):


234184 Bytes sent 907504 Bytes recv
14663 Pckts sent 21495 Pckts recv
0 Error send 0 Error recv

message tracking:
0 Malformed msgs 0 Lost msgs

12.2 DHCP Server

Multiple DHCP Servers can be run from a single machine. Each DHCP service is identified by a shared-network-name.

12.2.1 DHCP Server Example

In this example, we are offering address space in the 172.16.17.0/24 network, which is on eth1, and pppoe0 is our
connection to the internet. We are using the network name dhcpexample.

12.2.2 Prerequisites

Configuring the PPPoE interface is assumed to be done already, and appears on pppoe0

94 Chapter 12. Services


VyOS Documentation, Release 1.2.0-beta

12.2.3 Interface Configuration

set interface eth1 address 172.16.17.1/24

Multiple ranges can be defined and can contain holes.

set service dhcp-server shared-network-name dhcpexample authoritative


set service dhcp-server shared-network-name dhcpexample subnet 172.16.17.0/24 default-
˓→router 172.16.17.1

set service dhcp-server shared-network-name dhcpexample subnet 172.16.17.0/24 dns-


˓→server 172.16.17.1

set service dhcp-server shared-network-name dhcpexample subnet 172.16.17.0/24 lease


˓→86400

set service dhcp-server shared-network-name dhcpexample subnet 172.16.17.0/24 range 0


˓→start 172.16.17.100

set service dhcp-server shared-network-name dhcpexample subnet 172.16.17.0/24 range 0


˓→stop 172.16.17.199

12.2.4 Explanation

• set service dhcp-server shared-network-name dhcpexample authoritative


This says that this device is the only DHCP server for this network. If other devices are trying to offer DHCP
leases, this machine will send ‘DHCPNAK’ to any device trying to request an IP address that is not valid for
this network.
• set service dhcp-server shared-network-name dhcpexample subnet 172.16.17.
0/24 default-router 172.16.17.1
This is a configuration parameter for the subnet, saying that as part of the response, tell the client that I am the
default router for this network
• set service dhcp-server shared-network-name dhcpexample subnet 172.16.17.
0/24 dns-server 172.16.17.1
This is a configuration parameter for the subnet, saying that as part of the response, tell the client that I am the
DNS server for this network. If you do not want to run a DNS server, you could also provide one of the public
DNS servers, such as google’s. You can add multiple entries by repeating the line.
• set service dhcp-server shared-network-name dhcpexample subnet 172.16.17.
0/24 lease 86400
Assign the IP address to this machine for 24 hours. It is unlikely you’d need to shorten this period, unless you
are running a network with lots of devices appearing and disappearing.
• set service dhcp-server shared-network-name dhcpexample subnet 172.16.17.
0/24 range 0 start 172.16.17.100
Make a range of addresses available for clients starting from .100 [. . . ]
• set service dhcp-server shared-network-name dhcpexample subnet 172.16.17.
0/24 range 0 stop 172.16.17.199
[. . . ] and ending at .199

12.2.5 Failover

VyOS provides support for DHCP failover:

12.2. DHCP Server 95


VyOS Documentation, Release 1.2.0-beta

set service dhcp-server shared-network-name 'LAN' subnet '192.168.0.0/24' failover


˓→local-address '192.168.0.1'

set service dhcp-server shared-network-name 'LAN' subnet '192.168.0.0/24' failover


˓→name 'foo'

set service dhcp-server shared-network-name 'LAN' subnet '192.168.0.0/24' failover


˓→peer-address '192.168.0.2'

Note: name must be identical on both sides!

The primary and secondary statements determines whether the server is primary or secondary

set service dhcp-server shared-network-name 'LAN' subnet '192.168.0.0/24' failover


˓→status 'primary'

or

set service dhcp-server shared-network-name 'LAN' subnet '192.168.0.0/24' failover


˓→status 'secondary'

Note: In order for the primary and the secondary DHCP server to keep their lease tables in sync, they must be able to
reach each other on TCP port 647. If you have firewall rules in effect, adjust them accordingly.

12.2.6 Static mappings MAC/IP

set service dhcp-server shared-network-name dhcpexample subnet 172.16.17.0/24 static-


˓→mapping static-mapping-01 ip-address 172.16.17.10

set service dhcp-server shared-network-name dhcpexample subnet 172.16.17.0/24 static-


˓→mapping static-mapping-01 mac-address ff:ff:ff:ff:ff:ff

12.2.7 DHCP server options

default-router (DHCP option 003) set service dhcp-server shared-network-name


dhcpexample subnet 172.16.17.0/24 default-router <ROUTER-IP>
dns-server (DHCP option 006) set service dhcp-server shared-network-name dhcpexample
subnet 172.16.17.0/24 dns-server <DNS-SERVER-IP>
domain-name Client domain name (DHCP option 015) set service dhcp-server
shared-network-name dhcpexample subnet 172.16.17.0/24 domain-name
"<DOMAIN-NAME>"
domain-search (DHCP option 119) This option can be given multiple times if you need multiple search
domains set service dhcp-server shared-network-name dhcpexample subnet
172.16.17.0/24 domain-search "<DOMAIN_NAME_1>" set service dhcp-server
shared-network-name dhcpexample subnet 172.16.17.0/24 domain-search
"<DOMAIN_NAME_2>"

96 Chapter 12. Services


VyOS Documentation, Release 1.2.0-beta

12.3 DHCPv6 server

VyOS provides DHCPv6 server functionality which is described in this section. In order to use the DHCPv6 server it
has to be enabled first:

set service dhcpv6-server

To restart the DHCPv6 server (operational mode):

restart dhcpv6 server

To show the current status of the DHCPv6 server use:

show dhcpv6 server status

Show statuses of all assigned leases:

show dhcpv6 server leases

12.3.1 DHCPv6 server options

DHCPv6 server preference value

Clients receiving advertise messages from multiple servers choose the server with the highest preference value. The
range for this value is 0. . . 255. Set a preference value for the DHCPv6 server:

set service dhcpv6-server preference <preference value>

Delete a preference:

set service dhcpv6-server preference

Show current preference:

show service dhcpv6-server preference

Specify address lease time

The default lease time for DHCPv6 leases is 24 hours. This can be changed by supplying a default-time, maximum-time
and minimum-time (all values in seconds):

set service dhcpv6-server shared-network-name <name> subnet <ipv6net> lease-time


˓→{default <default-time> | maximum <maximum-time> | minimum <minimum-time>}

Reset the custom lease times:

delete service dhcpv6-server shared-network-name <name> subnet <ipv6net> lease-time


˓→{default | maximum | minimum}

Show the current configuration:

show service dhcpv6-server shared-network-name <name> subnet <ipv6net> lease-time


˓→{default | maximum | minimum}

12.3. DHCPv6 server 97


VyOS Documentation, Release 1.2.0-beta

Specify NIS domain

A Network Information (NIS) domain can be set to be used for DHCPv6 clients:

set service dhcpv6-server shared-network-name <name> subnet <ipv6net> nis-domain <nis-


˓→domain-name>

To Delete the NIS domain:

delete service dhcpv6-server shared-network-name <name> subnet <ipv6net> nis-domain


˓→<nis-domain-name>

Show a configured NIS domain:

show service dhcpv6-server shared-network-name <name> subnet <ipv6net> nis-domain


˓→<nis-domain-name>

Specify NIS+ domain

The procedure to specify a Network Information Service Plus (NIS+) domain is similar to the NIS domain one:

set service dhcpv6-server shared-network-name <name> subnet <ipv6net> nisplus-domain


˓→<nisplus-domain-name>

To Delete the NIS+ domain:

delete service dhcpv6-server shared-network-name <name> subnet <ipv6net> nisplus-


˓→domain <nisplus-domain-name>

Show a configured NIS domain:


# show service dhcpv6-server shared-network-name <name> subnet <ipv6net> nisplus-domain <nisplus-
domain-name>

Specify NIS server address

To specify a NIS server address for DHCPv6 clients:

set service dhcpv6-server shared-network-name <name> subnet <ipv6net> nis-server


˓→<IPv6 address>

Delete a specified NIS server address:

delete service dhcpv6-server shared-network-name <name> subnet <ipv6net> nis-server


˓→<IPv6 address>

Show specified NIS server addresses:

show service dhcpv6-server shared-network-name <name> subnet <ipv6net> nis-server

Specify NIS+ server address

To specify a NIS+ server address for DHCPv6 clients:

98 Chapter 12. Services


VyOS Documentation, Release 1.2.0-beta

set service dhcpv6-server shared-network-name <name> subnet <ipv6net> nisplus-server


˓→<IPv6 address>

Delete a specified NIS+ server address:

delete service dhcpv6-server shared-network-name <name> subnet <ipv6net> nisplus-


˓→server <IPv6 address>

Show specified NIS+ server addresses:

show service dhcpv6-server shared-network-name <name> subnet <ipv6net> nisplus-server

Specify a SIP server address for DHCPv6 clients

By IPv6 address

A Session Initiation Protocol (SIP) server address can be specified for DHCPv6 clients:

set service dhcpv6-server shared-network-name <name> subnet <ipv6net> sip-server-


˓→address <IPv6 address>

Delete a specified SIP server address:

delete service dhcpv6-server shared-network-name <name> subnet <ipv6net> sip-server-


˓→address <IPv6 address>

Show specified SIP server addresses:

show service dhcpv6-server shared-network-name <name> subnet <ipv6net> sip-server-


˓→address

By FQDN

A name for SIP server can be specified:

set service dhcpv6-server shared-network-name <name> subnet <ipv6net> sip-server-name


˓→<sip-server-name>

Delete a specified SIP server name:

delete service dhcpv6-server shared-network-name <name> subnet <ipv6net> sip-server-


˓→name <sip-server-name>

Show specified SIP server names:

show service dhcpv6-server shared-network-name <name> subnet <ipv6net> sip-server-name

Simple Network Time Protocol (SNTP) server address for DHCPv6 clients

A SNTP server address can be specified for DHCPv6 clients:

12.3. DHCPv6 server 99


VyOS Documentation, Release 1.2.0-beta

set service dhcpv6-server shared-network-name <name> subnet <ipv6net> sntp-server-


˓→address <IPv6 address>

Delete a specified SNTP server address:

delete service dhcpv6-server shared-network-name <name> subnet <ipv6net> sntp-server-


˓→address <IPv6 address>

Show specified SNTP server addresses:

show service dhcpv6-server shared-network-name <name> subnet <ipv6net> sntp-server-


˓→address

12.3.2 DHCPv6 address pools

DHCPv6 address pools must be configured for the system to act as a DHCPv6 server. The following example describes
a common scenario.

Example 1: DHCPv6 address pool

A shared network named NET1 serves subnet 2001:db8:100::/64 which is connected to eth1, a DNS server at
2001:db8:111::111 is used for name services. The range of the address pool shall be ::100 through ::199. The
lease time will be left at the default value which is 24 hours.

set service dhcpv6-server shared-network-name NET1 subnet 2001:db8:100::/64 address-


˓→range start 2001:db8:100::100 stop 2001:db8:100::199

set service dhcpv6-server shared-network-name NET1 subnet 2001:db8:100::/64 name-


˓→server 2001:db8:111::111

Commit the changes and show the configuration:

commit
show service dhcpv6-server
shared-network-name NET1 {
subnet 2001:db8:100::/64 {
address-range {
start 2001:db8:100::100 {
stop 2001:db8:100::199
}
}
name-server 2001:db8:111::111
}
}

12.3.3 Static mappings

In order to map specific IPv6 addresses to specific hosts static mappings can be created. The following example
explains the process.

100 Chapter 12. Services


VyOS Documentation, Release 1.2.0-beta

Example 1: Static IPv6 MAC-based mapping

IPv6 address 2001:db8:100::101 shall be statically mapped to a device with MAC address 00:15:c5:b7:5e:23, this
host-specific mapping shall be named client1.

Note: The MAC address identifier is defined by the last 4 byte of the MAC address.

set service dhcpv6-server shared-network-name NET1 subnet 2001:db8:100::/64 static-


˓→mapping client1 ipv6-address 2001:db8:100::101

set service dhcpv6-server shared-network-name NET1 subnet 2001:db8:100::/64 static-


˓→mapping client1 identifier c5b75e23

Commit the changes and show the configuration:

show service dhcp-server shared-network-name NET1


shared-network-name NET1 {
subnet 2001:db8:100::/64 {
name-server 2001:db8:111::111
address-range {
start 2001:db8:100::100 {
stop 2001:db8:100::199 {
}
}
static-mapping client1 {
ipv6-address 2001:db8:100::101
identifier c5b75e23
}
}
}

12.4 DHCP Relay

If you want your router to forward DHCP requests to an external DHCP server you can configure the system to act as
a DHCP relay agent. The DHCP relay agent works with IPv4 and IPv6 addresses.
All interfaces used for the DHCP relay must be configured. See https://wiki.vyos.net/wiki/Network_address_setup.

12.4.1 DHCP relay example

In this example the interfaces used for the DHCP relay are eth1 and eth2. The router receives DHCP client requests
on eth1 and relays them through eth2 to the DHCP server at 10.0.1.4.

12.4.2 Configuration

Enable DHCP relay for eth1 and eth2:

set service dhcp-relay interface eth1


set service dhcp-relay interface eth2

Set the IP address of the DHCP server:

12.4. DHCP Relay 101


VyOS Documentation, Release 1.2.0-beta

Fig. 2: DHCP relay example

set service dhcp-relay server 10.0.1.4

The router should discard DHCP packages already containing relay agent information to ensure that only requests
from DHCP clients are forwarded:

set service dhcp-relay relay-options relay-agents-packets discard

Commit the changes and show the results:

commit
show service dhcp-relay
interface eth1
interface eth2
server 10.0.1.4
relay-options {
relay-agents-packets discard
}

The DHCP relay agent can be restarted with:

restart dhcp relay-agent

12.4.3 DHCPv6 relay example

In this example DHCPv6 requests are received by the router on eth1 (listening interface) and forwarded through eth2
(upstream interface) to the external DHCPv6 server at 2001:db8:100::4.

Configuration

Set eth1 to be the listening interface for the DHCPv6 relay:

set service dhcpv6-relay listen-interface eth1

Set eth2 to be the upstream interface and specify the IPv6 address of the DHCPv6 server:

102 Chapter 12. Services


VyOS Documentation, Release 1.2.0-beta

Fig. 3: DHCPv6 relay example

set service dhcpv6-relay upstream-interface eth2 address 2001:db8:100::4

Commit the changes and show results:

commit
show service dhcpv6-relay
listen-interface eth1 {
}
upstream-interface eth2 {
address 2001:db8:100::4
}

Show the current status of the DHCPv6 relay agent:

show dhcpv6 relay-agent status

The DHCPv6 relay agent can be restarted with:

restart dhcpv6 relay-agent

12.4.4 Additional parameters

DHCP relay agent options

Set the maximum hop count before packets are discarded. Range 0. . . 255, default 10.
• set service dhcp-relay relay-options hop-count 'count'
Set maximum size of DHCP packets including relay agent information. If a DHCP packet size surpasses this value it
will be forwarded without appending relay agent information. Range 64. . . 1400, default 576.
• set service dhcp-relay relay-options max-size 'size'
Four policies for reforwarding DHCP packets exist:
• append: The relay agent is allowed to append its own relay information to a received DHCP packet, disregarding
relay information already present in the packet.

12.4. DHCP Relay 103


VyOS Documentation, Release 1.2.0-beta

• discard: Received packets which already contain relay information will be discarded.
• forward: All packets are forwarded, relay information already present will be ignored.
• replace: Relay information already present in a packet is stripped and replaced with the router’s own relay
information set.
• set service dhcp-relay relay-options relay-agents-packet 'policy'

DHCPv6 relay agent options

Set maximum hop count before packets are discarded. Default: 10.
• set service dhcpv6-relay max-hop-count 'count'
If this is set the relay agent will insert the interface ID. This option is set automatically if more than one listening
interfaces are in use.
• set service dhcpv6-relay use-interface-id-option

12.5 DNS Forwarding

Use DNS forwarding if you want your router to function as a DNS server for the local network. There are several
options, the easiest being ‘forward all traffic to the system DNS server(s)’ (defined with set system name-server):

set service dns forwarding system

Manually setting DNS servers for forwarding:

set service dns forwarding name-server 8.8.8.8


set service dns forwarding name-server 8.8.4.4

Manually setting DNS servers with IPv6 connectivity:

set service dns forwarding name-server 2001:4860:4860::8888


set service dns forwarding name-server 2001:4860:4860::8844

Setting a forwarding DNS server for a specific domain:

set service dns forwarding domain example.com server 192.0.2.1

12.5.1 Example 1

Router with two interfaces eth0 (WAN link) and eth1 (LAN). A DNS server for the local domain (example.com) is at
192.0.2.1, other DNS requests are forwarded to Google’s DNS servers.

set service dns forwarding domain example.com server 192.0.2.1


set service dns forwarding name-server 8.8.8.8
set service dns forwarding name-server 8.8.4.4
set service dns forwarding listen-on 'eth1'

104 Chapter 12. Services


VyOS Documentation, Release 1.2.0-beta

12.5.2 Example 2

Same as example 1 but with additional IPv6 addresses for Google’s public DNS servers:
set service dns forwarding domain example.com server 192.0.2.1
set service dns forwarding name-server 8.8.8.8
set service dns forwarding name-server 8.8.4.4
set service dns forwarding name-server 2001:4860:4860::8888
set service dns forwarding name-server 2001:4860:4860::8844
set service dns forwarding listen-on 'eth1'

12.6 Dynamic DNS

VyOS is able to update a remote DNS record when an interface gets a new IP address. In order to do so, VyOS
includes ddclient, a perl script written for this exact purpose.
ddclient uses two methods to update a DNS record. The first one will send updates directly to the DNS daemon, in
compliance with RFC2136. The second one involves a third party service, like DynDNS.com or any other similar
website. This method uses HTTP requests to transmit the new IP address. You can configure both in VyOS.

12.6.1 VyOS CLI and RFC2136

First, create an RFC2136 config node :


edit service dns dynamic interface eth0 rfc2136 <confignodename>

Present your RNDC key to ddclient :


set key /config/dyndns/mydnsserver.rndc.key

Set the DNS server IP/FQDN :


set server dns.mydomain.com

Set the NS zone to be updated :


set zone mydomain.com

Set the records to be updated :


set record dyn
set record dyn2

You can optionally set a TTL (note : default value is 600 seconds) :
set ttl 600

This will generate the following ddclient config blocks:


server=dns.mydomain.com
protocol=nsupdate
password=/config/dyndns/mydnsserver.rndc.key
ttl=600
zone=mydomain.com
(continues on next page)

12.6. Dynamic DNS 105


VyOS Documentation, Release 1.2.0-beta

(continued from previous page)


dyn
server=dns.mydomain.com
protocol=nsupdate
password=/config/dyndns/mydnsserver.rndc.key
ttl=600
zone=mydomain.com
dyn2

You can also keep a different dns zone updated. Just create a new config node:
edit service dns dynamic interface eth0 rfc2136 <confignode2>

12.6.2 VyOS CLI and HTTP dynamic DNS services

VyOS is also able to use any service relying on protocols supported by ddclient.
To use such a service, you must define a login, a password, one or multiple hostnames, a protocol and a server.
edit service dns dynamic interface eth0 service HeNet
set login my-login # set password my-password
set host-name my-tunnel-id
set protocol dyndns2
set server ipv4.tunnelbroker.net

VyOS is also shipped with a list of known services. You don’t need to set the protocol and server value as VyOS has
defaults provided for those. These are the services VyOS knows about:
• afraid
• changeip
• dnspark
• dslreports
• dyndns
• easydns
• namecheap
• noip
• zoneedit
To use DynDNS for example:
edit service dns dynamic interface eth0 service dyndns
set login my-login
set password my-password
set host-name my-dyndns-hostname

It’s possible to use multiple services :


edit service dns dynamic interface eth0 service dyndns
set login my-login
set password my-password
set host-name my-dyndns-hostname
edit service dns dynamic interface eth0 service HeNet
(continues on next page)

106 Chapter 12. Services


VyOS Documentation, Release 1.2.0-beta

(continued from previous page)


set login my-login
set password my-password
set host-name my-tunnel-id
set protocol dyndns2
set server ipv4.tunnelbroker.net

12.6.3 ddclient behind NAT

By default, ddclient will update a dynamic dns record using the IP address directly attached to the interface. If your
VyOS instance is behind NAT, your record will be updated to point to your internal IP.
ddclient has another way to determine the WAN IP address. This is controlled by these two options:

set service dns dynamic interface eth0 use-web url


set service dns dynamic interface eth0 use-web skip

ddclient will load the webpage at [url] and will try to extract an IP address for the response. ddclient will skip any
address located before the string set in [skip].

12.7 LLDP

The Link Layer Discovery Protocol (LLDP) is a vendor-neutral link layer protocol in the Internet Protocol Suite used
by network devices for advertising their identity, capabilities, and neighbors on an IEEE 802 local area network,
principally wired Ethernet.[1] The protocol is formally referred to by the IEEE as Station and Media Access Control
Connectivity Discovery specified in IEEE 802.1AB and IEEE 802.3-2012 section 6 clause 79.
LLDP performs functions similar to several proprietary protocols, such as Cisco Discovery Protocol, Foundry Discov-
ery Protocol, Nortel Discovery Protocol and Link Layer Topology Discovery.

12.7.1 Information gathered

Information gathered with LLDP is stored in the device as a management information database (MIB) and can be
queried with the Simple Network Management Protocol (SNMP) as specified in RFC 2922. The topology of an
LLDP-enabled network can be discovered by crawling the hosts and querying this database. Information that may be
retrieved include:
• System name and description
• Port name and description
• VLAN name
• IP management address
• System capabilities (switching, routing, etc.)
• MAC/PHY information
• MDI power
• Link aggregation

12.7. LLDP 107


VyOS Documentation, Release 1.2.0-beta

12.7.2 Configuration

• Enable service with:


set service lldp

Options

• Configure a Define management-address:


set service lldp management-address <x.x.x.x>
• Define listening interfaces
set service lldp interface <all|interface name>
• LLDPd also implements an SNMP subagent. To Enable SNMP queries of the LLDP database:
set service lldp snmp enable
• Enable optional/other protocols
set service lldp legacy-protocols cdp
Supported legacy protocols:
• cdp - Listen for CDP for Cisco routers/switches
• edp - Listen for EDP for Extreme routers/switches
• fdp - Listen for FDP for Foundry routers/switches
• sonmp - Listen for SONMP for Nortel routers/switches

12.7.3 Display neighbors

• Display with:
show lldp neighbors
Exemple:

vyos@vyos:~# show lldp neighbors


Capability Codes: R - Router, B - Bridge, W - Wlan r - Repeater, S - Station
D - Docsis, T - Telephone, O - Other
Device ID Local Proto Cap Platform Port ID
--------- ----- ----- --- -------- -------
swA309 eth0 LLDP ? Cisco IOS Software, GigE0/33

• Options:
• detail - Show lldp neighbors detail
• interface - Show LLDP for specified interface

12.7.4 Troubleshooting

Use operationnal command show log lldp to display logs.

108 Chapter 12. Services


VyOS Documentation, Release 1.2.0-beta

12.8 mDNS Repeater

Starting with VyOS 1.2 a Multicast DNS (mDNS) repeater functionality is provided.
Multicast DNS uses the 224.0.0.51 address, which is “administratively scoped” and does not leave the subnet. It re-
broadcast mDNS packets from one interface to other interfaces. This enables support for e.g. Apple Airplay devices
across multiple VLANs.
To enable mDNS repeater you need to configure at least two interfaces. To re- broadcast all mDNS packets from eth0
to eth1 and vice versa run:

set service mdns repeater interface eth0


set service mdns repeater interface eth1

mDNS repeater can be temporarily disabled without deleting the service using

set service mdns repeater disable

Note: You can not run this in a VRRP setup, if multiple mDNS repeaters are launched in a subnet you will experience
the mDNS packet storm death!

12.9 PPPoE server

VyOS utilizes accel-ppp to provide PPPoE server functionality. It can be used with local authentication or a connected
RADIUS server.

Note: Please be aware, due to an upstream bug, config changes/commits will restart the ppp daemon and will reset
existing PPPoE connections from connected users, in order to become effective.**

12.9.1 Configuration

The example below uses ACN as access-concentrator name, assigns an address from the pool 10.1.1.100-111, termi-
nates at the local endpoint 10.1.1.1 and serves requests only on eth1.

set service pppoe-server access-concentrator 'ACN'


set service pppoe-server authentication local-users username foo password 'bar'
set service pppoe-server authentication mode 'local'
set service pppoe-server client-ip-pool start '10.1.1.100'
set service pppoe-server client-ip-pool stop '10.1.1.111'
set service pppoe-server dns-servers server-1 '10.100.100.1'
set service pppoe-server dns-servers server-2 '10.100.200.1'
set service pppoe-server interface 'eth1'
set service pppoe-server local-ip '10.1.1.2'

Connections can be locally checked via the command

show pppoe-server sessions


ifname | username | calling-sid | ip | type | comp | state | uptime
-------+----------+-------------------+------------+-------+------+--------+----------
ppp0 | foo | 08:00:27:fa:3e:50 | 10.1.1.100 | pppoe | | active | 00:04:15

12.8. mDNS Repeater 109


VyOS Documentation, Release 1.2.0-beta

To use a radius server, you need to switch to authentication mode radius and of course need to specify an IP for the
server. You can have multiple RADIUS server configured, if you wish to achieve redundancy.

set service pppoe-server access-concentrator 'ACN'


set service pppoe-server authentication mode 'radius'
set service pppoe-server authentication radius-server 10.1.100.1 secret 'secret'
set service pppoe-server interface 'eth1'
set service pppoe-server local-ip '10.1.1.2'

RADIUS provides the IP addresses in the example above via Framed-IP-Address.

12.10 UDP broadcast relay

Certain vendors use broadcasts to identify their equipemnt within one ethernet segment. Unfortunately if you split
your network with multiple VLANs you loose the ability of identifying your equiment.
This is where “UDP broadcast relay” comes into play! It will forward received broadcasts to other configured net-
works.
Every UDP port which will be forward requires one unique ID. Currently we support 99 IDs!
Example #1: To forward all broadcast packets received on UDP port 1900 on eth3, eth4 or eth5 to all other interfaces
in this configuration.

set service broadcast-relay id 1 description 'SONOS'


set service broadcast-relay id 1 interface 'eth3'
set service broadcast-relay id 1 interface 'eth4'
set service broadcast-relay id 1 interface 'eth5'
set service broadcast-relay id 1 port '1900'

Example #2: To Forward all broadcasts packets received on UDP port 6969 on eth3 or eth4 to the other interface in
this configuration.

set service broadcast-relay id 2 description 'SONOS MGMT'


set service broadcast-relay id 2 interface 'eth3'
set service broadcast-relay id 2 interface 'eth4'
set service broadcast-relay id 2 port '6969'

12.10.1 Disable Instance(s)

Each broadcast relay instance can be individually disabled without deleting the configured node by using the following
command:

set service broadcast-relay id <n> disable

In addition you can also disable the whole service without removing the configuration by:

set service broadcast-relay disable

Note: You can run the UDP broadcast relay service on multiple routers connected to a subnet. There is NO UDP
broadcast relay packet storm!

110 Chapter 12. Services


VyOS Documentation, Release 1.2.0-beta

12.11 SNMP

Simple Network Management Protocol (SNMP) is an Internet Standard protocol for collecting and organizing infor-
mation about managed devices on IP networks and for modifying that information to change device behavior. Devices
that typically support SNMP include cable modems, routers, switches, servers, workstations, printers, and more.
SNMP is widely used in network management for network monitoring. SNMP exposes management data in the form
of variables on the managed systems organized in a management information base (MIB) which describe the system
status and configuration. These variables can then be remotely queried (and, in some circumstances, manipulated) by
managing applications.
Three significant versions of SNMP have been developed and deployed. SNMPv1 is the original version of the proto-
col. More recent versions, SNMPv2c and SNMPv3, feature improvements in performance, flexibility and security.
SNMP is a component of the Internet Protocol Suite as defined by the Internet Engineering Task Force (IETF). It
consists of a set of standards for network management, including an application layer protocol, a database schema,
and a set of data objects.

12.11.1 Overview and basic concepts

In typical uses of SNMP, one or more administrative computers called managers have the task of monitoring or
managing a group of hosts or devices on a computer network. Each managed system executes a software component
called an agent which reports information via SNMP to the manager.
An SNMP-managed network consists of three key components:
• Managed devices
• Agent – software which runs on managed devices
• Network management station (NMS) – software which runs on the manager
A managed device is a network node that implements an SNMP interface that allows unidirectional (read-only) or
bidirectional (read and write) access to node-specific information. Managed devices exchange node-specific informa-
tion with the NMSs. Sometimes called network elements, the managed devices can be any type of device, including,
but not limited to, routers, access servers, switches, cable modems, bridges, hubs, IP telephones, IP video cameras,
computer hosts, and printers.
An agent is a network-management software module that resides on a managed device. An agent has local knowledge
of management information and translates that information to or from an SNMP-specific form.
A network management station executes applications that monitor and control managed devices. NMSs provide the
bulk of the processing and memory resources required for network management. One or more NMSs may exist on
any managed network.

Note: VyOS SNMP supports both IPv4 and IPv6.

12.11.2 SNMP protocol versions

VyOS itself supports SNMPv2 (version 2) and SNMPv3 (version 3) where the later is recommended because of
improved security (optional authentication and encryption).

12.11. SNMP 111


VyOS Documentation, Release 1.2.0-beta

Fig. 4: Image thankfully borrowed from https://en.wikipedia.org/wiki/File:SNMP_communication_principles_


diagram.PNG which is under the GNU Free Documentation License

12.11.3 SNMPv2

SNMPv2 is the original and most commonly used version. For authorizing clients, SNMP uses the concept of commu-
nities. Communities may have authorization set to read only (this is most common) or to read and write (this option is
not actively used in VyOS).
SNMP can work synchronously or asynchronously. In synchronous communication, the monitoring system queries
the router periodically. In asynchronous, the router sends notification to the “trap” (the monitoring host).
SNMPv2 does not support any authentication mechanisms, other than client source address, so you should specify
addresses of clients allowed to monitor the router. Note that SNMPv2 also supports no encryption and always sends
data in plain text.

Example

# Define a community
set service snmp community routers authorization ro

# Allow monitoring access from the entire network


set service snmp community routers network 192.0.2.0/24
set service snmp community routers network 2001::db8:ffff:eeee::/64

# Allow monitoring access from specific addresses


set service snmp community routers client 203.0.113.10
set service snmp community routers client 203.0.113.20

# Define optional router information


set service snmp location "UK, London"
set service snmp contact "[email protected]"

# Trap target if you want asynchronous communication


set service snmp trap-target 203.0.113.10
(continues on next page)

112 Chapter 12. Services


VyOS Documentation, Release 1.2.0-beta

(continued from previous page)

# Listen only on specific IP addresses (port defaults to 161)


set service snmp listen-address 172.16.254.36 port 161
set service snmp listen-address 2001:db8::f00::1

12.11.4 SNMPv3

SNMPv3 is an updated version that, among other things, supports encryption and cryptographic authentication of
clients.

Example

set service snmp v3 engineid '0x0aa0d6c6f450'


set service snmp v3 group defaultgroup mode 'ro'
set service snmp v3 group defaultgroup seclevel 'priv'
set service snmp v3 group defaultgroup view 'defaultview'
set service snmp v3 view defaultview oid '1'

set service snmp v3 user testUser1 auth plaintext-key testUserKey1


set service snmp v3 user testUser1 auth type 'md5'
set service snmp v3 user testUser1 engineid '0x0aa0d6c6f450'
set service snmp v3 user testUser1 group 'defaultgroup'
set service snmp v3 user testUser1 mode 'ro'
set service snmp v3 user testUser1 privacy type aes
set service snmp v3 user testUser1 privacy plaintext-key testUserKey1

After commit the resulting configuration will look like:

Note: SNMPv3 keys won’t we stored in plaintext. On commit the keys will be encrypted and the encrypted key is
based on the engineid!

vyos@vyos# show service snmp


v3 {
engineid 0x0aa0d6c6f450
group defaultgroup {
mode ro
seclevel priv
view defaultview
}
user testUser1 {
auth {
encrypted-key 0x3b68d4162c2c817b8e9dfb6f08583e5d
type md5
}
engineid 0x0aa0d6c6f450
group defaultgroup
mode ro
privacy {
encrypted-key 0x3b68d4162c2c817b8e9dfb6f08583e5d
type aes
}
(continues on next page)

12.11. SNMP 113


VyOS Documentation, Release 1.2.0-beta

(continued from previous page)


}
view defaultview {
oid 1 {
}
}
}

12.12 SSH

Secure Shell (SSH) is a cryptographic network protocol for operating network services securely over an unsecured
network.[1] The standard TCP port for SSH is 22. The best known example application is for remote login to computer
systems by users.
SSH provides a secure channel over an unsecured network in a client-server architecture, connecting an SSH client
application with an SSH server. Common applications include remote command-line login and remote command
execution, but any network service can be secured with SSH. The protocol specification distinguishes between two
major versions, referred to as SSH-1 and SSH-2.
The most visible application of the protocol is for access to shell accounts on Unix-like operating systems, but it sees
some limited use on Windows as well. In 2015, Microsoft announced that they would include native support for SSH
in a future release.
SSH was designed as a replacement for Telnet and for unsecured remote shell protocols such as the Berkeley rlogin,
rsh, and rexec protocols. Those protocols send information, notably passwords, in plaintext, rendering them sus-
ceptible to interception and disclosure using packet analysis. The encryption used by SSH is intended to provide
confidentiality and integrity of data over an unsecured network, such as the Internet.

12.12.1 Configuration

Enabling SSH only requires you to add service ssh port NN, where ‘NN’ is the port you want SSH to listen
on. By default, SSH runs on port 22.

set service ssh port 22

Options

• Listening address - Specify the IPv4/IPv6 listening address for connection requests. Multiple
listen-address nodes can be defined.
set service ssh listen-address <address>
• Allow root login, this can be set to allow root logins on SSH connections, however it is not advisable to use
this setting as this bears serious security risks. The default system user posesses all required privileges.
set service ssh allow-root
• Allowed ciphers - A number of allowed ciphers can be specified, use multiple occurances to allow multiple
ciphers.
set service ssh ciphers <cipher>
Available ciphers:
• 3des-cbc

114 Chapter 12. Services


VyOS Documentation, Release 1.2.0-beta

• aes128-cbc
• aes192-cbc
• aes256-cbc
• aes128-ctr
• aes192-ctr
• aes256-ctr
• arcfour128
• arcfour256
• arcfour
• blowfish-cbc
• cast128-cbc
• Disable password authentication - If SSH key authentication is set up, password-based user authetication can be
disabled. This hardens security!
set service ssh disable-password-authentication
• Disable host validation - Disable the host validation through reverse DNS lookups.
set service ssh disable-host-validation
• MAC algorithms - Specifies the available MAC (message authentication code) algorithms. The MAC algorithm
is used in protocol version 2 for data integrity protection. Multiple algorithms can be entered.
set service ssh macs <macs>
Supported MACs:
• hmac-md5
• hmac-md5-96
• hmac-ripemd160
• hmac-sha1
• hmac-sha1-96
• hmac-sha2-256
• hmac-sha2-512
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]

12.12. SSH 115


VyOS Documentation, Release 1.2.0-beta

[email protected]

Key Authentication

It is highly recommended to use SSH Key authentication. By default there is only one user (vyos), and you can assign
any number of keys to that user. You can generate a ssh key with the ssh-keygen command on your local machine,
which will (by default) save it as ~/.ssh/id_rsa.pub which is in three parts:
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAA...VByBD5lKwEWB username@host.
example.com
Only the type (ssh-rsa) and the key (AAAB3N...) are used. Note that the key will usually be several hundred
characters long, and you will need to copy and paste it. Some terminal emulators may accidentally split this over
several lines. Be attentive when you paste it that it only pastes as a single line. The third part is simply an identifier,
and is for your own reference.
Assign SSH Key to user
Under the user (in this example, vyos), add the public key and the type. The identifier is simply a string that is
relevant to you.
set system login user vyos authentication public-keys 'identifier' key "AAAAB3Nz...."
set system login user vyos authentication public-keys 'identifier' type ssh-rsa"

You can assign multiple keys to the same user by changing the identifier. In the following example, both Unicron and
xrobau will be able to SSH into VyOS as the vyos user using their own keys.
set system login user vyos authentication public-keys 'Unicron' key "AAAAB3Nz...."
set system login user vyos authentication public-keys 'Unicron' type ssh-rsa
set system login user vyos authentication public-keys 'xrobau' key "AAAAQ39x...."
set system login user vyos authentication public-keys 'xrobau' type ssh-rsa

12.13 TFTP

Trivial File Transfer Protocol (TFTP) is a simple lockstep File Transfer Protocol which allows a client to get a file
from or put a file onto a remote host. One of its primary uses is in the early stages of nodes booting from a local area
network. TFTP has been used for this application because it is very simple to implement.

12.13.1 Example

# If you want to enable uploads, else TFTP server will act as read-only (optional)
set service tftp-server allow-upload

# Directory for TFTP server content


set service tftp-server directory '/config/tftpboot'

# On which addresses we want to listen for incoming TFTP connections? (mandatory)


set service tftp-server listen-address '2001:db8:ffee::1'
set service tftp-server listen-address '10.10.1.1'

Note: Choose your directory location carefully or you will loose the content on image upgrades. Any directory
under /config is save at this will be migrated.

116 Chapter 12. Services


VyOS Documentation, Release 1.2.0-beta

Note: Configuring a listen-address is essential for the service to work.

The resulting configuration will look like:

vyos@vyos# show service


tftp-server {
allow-upload
directory /config/tftpboot
listen-address 2001:db8:ffee::1
listen-address 10.10.1.1
}

12.14 Webproxy

The proxy service in VyOS is based on Squid3 and some related modules.
Squid is a caching and forwarding HTTP web proxy. It has a wide variety of uses, including speeding up a web
server by caching repeated requests, caching web, DNS and other computer network lookups for a group of people
sharing network resources, and aiding security by filtering traffic. Although primarily used for HTTP and FTP, Squid
includes limited support for several other protocols including Internet Gopher, SSL,[6] TLS and HTTPS. Squid does
not support the SOCKS protocol.
All examples here assumes that your inside ip address is 192.168.0.1. Replace with your own where applicable.
URL Filtering is provided by Squidguard.

12.14.1 Configuration

# Enable proxy service


set service webproxy listen-address 192.168.0.1

# By default it will listen to port 3128. If you wan't something else you have to
˓→define that.

set service webproxy listen-address 192.168.0.1 port 2050

# By default the transparent proxy on that interface is enabled. To disable that you
˓→simply

set service webproxy listen-address 192.168.0.1 disable-transparent

# Block specific urls


set service webproxy url-filtering squidguard local-block myspace.com

# If you want to you can log these blocks


set service webproxy url-filtering squidguard log local-block

Options

12.14.2 Filtering by category

If you wan’t to use existing blacklists you have to create/download a database first. Otherwise you will not be able to
commit the config changes.

12.14. Webproxy 117


VyOS Documentation, Release 1.2.0-beta

vyos@vyos# commit
[ service webproxy ]
Warning: no blacklists installed
Unknown block-category [ads] for policy [default]

[[service webproxy]] failed


Commit failed

• Download/Update complete blacklist


update webproxy blacklists
• Download/Update partial blacklist
update webproxy blacklists category ads
Use tab completion to get a list of categories.
• To auto update the blacklist files
set service webproxy url-filtering squidguard auto-update update-hour 23
• To configure blocking add the following to the configuration
set service webproxy url-filtering squidguard block-category ads
set service webproxy url-filtering squidguard block-category malware

12.14.3 Authentication

TBD: https://wiki.vyos.net/wiki/Web_proxy_LDAP_authentication

12.14.4 Adjusting cache size

The size of the proxy cache can be adjusted by the user.

set service webproxy cache-size


Possible completions:
<0-4294967295>
Disk cache size in MB (default 100)
0 Disable disk caching
100

12.14.5 Bypassing the webproxy

Some services don’t work correctly when being handled via a web proxy. So sometimes it is useful to bypass a
transparent proxy:
• To bypass the proxy for every request that is directed to a specific destination:
set service webproxy whitelist destination-address 1.2.3.4
set service webproxy whitelist destination-address 4.5.6.0/24
• To bypass the proxy for every request that is coming from a specific source:
set service webproxy whitelist source-address 192.168.1.2
set service webproxy whitelist source-address 192.168.2.0/24

118 Chapter 12. Services


VyOS Documentation, Release 1.2.0-beta

(This can be useful when a called service has many and/or often changing destination addresses - e.g. Netflix.)

12.14. Webproxy 119


VyOS Documentation, Release 1.2.0-beta

120 Chapter 12. Services


CHAPTER 13

System

After a basic system setup by setting up Interface Addresses, VyOS should be ready for further configuration which is
described in this chapter.

13.1 Event Handler

Event handler allows you to execute scripts when a string that matches a regex appears in a text stream (e.g. log file).
It uses “feeds” (output of commands, or a named pipes) and “policies” that define what to execute if a regex is matched.

system
event-handler
feed <name>
description <feed description>
policy <policy name>
source
preset
syslog # Use the syslog logs for feed
custom
command <command to execute> # E.g. "tail -f /var/log/somelogfile"
named-pipe <path to a names pipe>
policy <policy name>
description <policy description>
event <event name>
description <event description>
pattern <regex>
run <command to run>

In this small example a script runs every time a login failed and an interface goes down

vyos@vyos# show system event-handler


feed Syslog {
policy MyPolicy
(continues on next page)

121
VyOS Documentation, Release 1.2.0-beta

(continued from previous page)


source {
preset syslog
}
}
policy MyPolicy {
description "Test policy"
event BadThingsHappened {
pattern "authentication failure"
pattern "interface \.* index \d+ .* DOWN.*"
run /config/scripts/email-to-admin
}
}

13.2 Flow Accounting

VyOS supports flow accounting through NetFlow or sFlow.


For both types you need to specify the interfaces for which the data will be collected:

set system flow-accounting interface eth0


set system flow-accounting interface bond3

NetFlow is a protocol originating from Cisco Systems. It works on level3. VyOS supports version 1, 5 and 9
NetFlow v5 example:

set system flow-accounting netflow engine-id 100


set system flow-accounting netflow version 5
set system flow-accounting netflow server 192.168.2.10 port 2055

13.3 Host Information

This section describes the system’s host information and how to configure them, it covers the following topics:
• Host name
• Domain
• IP address
• Default gateway
• Aliases

13.3.1 Host Name

A hostname is the label (name) assigned to a network device (a host) on a network and is used to distinguish one
device from another on specific networks or over the internet.
Set a system host name:

set system host-name <hostname>

122 Chapter 13. System


VyOS Documentation, Release 1.2.0-beta

Note: Only letters, numbers and hyphens are allowed.

Show host name:

show system host-name

Delete host name:

delete system host-name <hostname>

Example: Set system hostname to ‘RT01’:

set system host-name RT01


commit
show system host-name
host-name RT01

13.3.2 Domain Name

A domainname is the label (name) assigned to a computer network and is thus unique!
Set the system’s domain:

set system domain-name <domain>

Note: Only letters, numbers, hyphens and periods are allowed.

Show domain:

show system domain-name

Remove domain name:

set system delete domain-name <domain>

Example: Set system domain to example.com:

set system domain-name example.com


commit
show system domain-name
domain-name example.com

13.3.3 Static host mappings

How to assign IPs to interfaces is described in chapter Interface Addresses. This section shows how to statically map
a system IP to its host name for local (meaning on this VyOS instance) DNS resolution:

set system static-host-mapping host-name <hostname> inet <IP address>

Show static mapping:

13.3. Host Information 123


VyOS Documentation, Release 1.2.0-beta

show system static-host-mapping

Example: Create a static mapping between the system’s hostname RT01 and IP address 10.20.30.41:
set system static-host-mapping host-name RT01 inet 10.20.30.41
commit
show system static-host-mapping
host-name RT01 {
inet 10.20.30.41
}

Aliases

One or more system aliases (static mappings) can be defined:


set system static-host-mapping host-name <hostname> alias <alias>

Show aliases:
show system static-mapping

Delete alias:
delete system static-host-mapping host-name <hostname> alias <alias>

Example: Set alias router1 for system with hostname RT01:


set system static-host-mapping host-name RT01 alias router1
commit
show system static-host-mapping
host-name RT01 {
alias router1
inet 10.20.30.41
}

13.3.4 Default Gateway/Route

In the past (VyOS 1.1.8) used a gateway-address configured in the system tree (set system gateway-address <IP
address>) this is no longer supported and existing configurations are migrated to the new CLI commands.
It is replaced by inserting a static route into the routing table using:
set protocols static route 0.0.0.0/0 next-hop <gateway ip>

Delete default route fomr the system


delete protocols static route 0.0.0.0/0

Show default route:


vyos@vyos$ show ip route 0.0.0.0
Routing entry for 0.0.0.0/0
Known via "static", distance 1, metric 0, best
Last update 3d00h23m ago
* 172.16.34.6, via eth1

124 Chapter 13. System


VyOS Documentation, Release 1.2.0-beta

13.4 System Users

The default vyos user account, as well as newly created user accounts, have all capabilities to configure the system. All
accounts have sudo capabilities and therefore can operate as root on the system. Setting the level to admin is optional,
all accounts on the system will have admin privileges.

13.4.1 Creating Login User Accounts

Create user account jsmith and the password mypassword.

set system login user jsmith full-name "Johan Smith"


set system login user jsmith authentication plaintext-password mypassword

The command:

show system login

will show the contents of system login configuration node:

user jsmith {
authentication {
encrypted-password $6$0OQHjuQ8M$AYXVn7jufdfqPrSk4/
˓→XXsDBw99JBtNsETkQKDgVLptXogHA2bU9BWlvViOFPBoFxIi.iqjqrvsQdQ./cfiiPT.

plaintext-password ""
}
full-name "Johan Smith"
level admin
}

13.4.2 SSH Access using Shared Public Keys

The following command will load the public key dev.pub for user jsmith

loadkey jsmith dev.pub

Note: This requires uploading the dev.pub public key to the VyOS router first. As an alternative you can also load the
SSH public key directly from a remote system:

loadkey jsmith scp://[email protected]/home/devuser/.ssh/dev.pub

13.5 Syslog

Per default VyOSs has minimal syslog logging enabled which is stored and rotated locally. Errors will be always
logged to a local file, which includes local7 error messages, emergency messages will be sent to the console, too.
To configure syslog, you need to switch into configuration mode.

13.4. System Users 125


VyOS Documentation, Release 1.2.0-beta

13.5.1 Logging to serial console

The below would log all messages to /dev/console.

set system syslog console facility all level all

Use the [tab] function to display all facilities and levels which can be configured.

vyos@vyos# set system syslog console facility <TAB>


Possible completions:
> all All facilities excluding "mark"
> auth Authentication and authorization
> authpriv Non-system authorization
> cron Cron daemon
> daemon System daemons
> kern Kernel
> lpr Line printer spooler
> mail Mail subsystem
> mark Timestamp
> news USENET subsystem
> protocols depricated will be set to local7
> security depricated will be set to auth
> syslog Authentication and authorization
> user Application processes
> uucp UUCP subsystem
> local0 Local facility 0
> local1 Local facility 1
> local2 Local facility 2
> local3 Local facility 3
> local4 Local facility 4
> local5 Local facility 5
> local6 Local facility 6
> local7 Local facility 7

vyos@vyos# set system syslog console facility all level <TAB>


Possible completions:
emerg Emergency messages
alert Urgent messages
crit Critical messages
err Error messages
warning Warning messages
notice Messages for further investigation
info Informational messages
debug Debug messages
all Log everything

13.5.2 Logging to a custom file

Logging to a custom file, rotation size and the number of rotate files left on the system can be configured.

set system syslog file <FILENAME> facility <FACILITY> level <LEVEL>


set system syslog file <FILENAME> archive file <NUMBER OF FILES>
set system syslog file FILENAME archive size <FILESIZE>

The very same setting can be applied to the global configuration, to modify the defaults for the global logging.

126 Chapter 13. System


VyOS Documentation, Release 1.2.0-beta

13.5.3 Logging to a remote host

Logging to a remote host leaves the local logging configuration intact, it can be configured in parallel. You can log ro
multiple hosts at the same time, using either TCP or UDP. The default is sending the messages via UDP.
UDP

set system syslog host 10.1.1.1 facility all level all


<optional>
set system syslog host 10.1.1.1 facility all protocol udp

TCP

set system syslog host 10.1.1.2 facility all level all


set system syslog host 10.1.1.2 facility all protocol tcp

13.5.4 Logging to a local user account

If logging to a local useraccount is configured, all defined log messages are display on the console if the local user is
logged in, if the user is not logged in, no messages are being displayed.

set system syslog user <LOCAL_USERNAME> facility <FACILITY> level <LEVEL>

13.6 Task scheduler

Task scheduler — allows scheduled task execution. Note that scripts excecuted this way are executed as root user -
this may be dangerous.
Together with Command scripting this can be used for automating configuration.

system
task-scheduler
task <name>
cron-spec <UNIX cron time spec>
executable
arguments <arguments string>
path <path to executable>
interval
<int32>[mhd]

13.6.1 Interval

You are able to set the time as an time interval.

set system task-scheduler task <name> interval <value><suffix>

Sets the task to execute every N minutes, hours, or days. Suffixes:


• m — minutes
• h — hours
• d — days

13.6. Task scheduler 127


VyOS Documentation, Release 1.2.0-beta

If suffix is omitted, minutes are implied.


Or set the execution time in common cron time.

set system task-scheduler task TEST crontab-spec "* * * 1 *"

13.6.2 Example

system
task-scheduler
task mytask
interval 2h
executable
path /config/scripts/mytask
arguments "arg1 arg2 arg3"
task anothertask
cron-spec "* * * 1 *"
executable
path /config/scripts/anothertask

13.7 Config Management

The following changes the number of commit revisions. In the default settings, 20 revisions are stored locally.

set system config-management commit-revisions 50

If you want to save all config changes to a remote destination. Set the commit-archive location. Every time a commit
is successfully the config.boot file will be copied to the defined destinations.

set system config-management commit-archive location 'tftp://10.0.0.2'

Note: the number of revisions don’t effect the commit-archive:

A commit look now like this:

vyos@vyos-R1# commit
Archiving config...
tftp://10.0.0.2 OK
[edit]
vyos@vyos-R1#

The filename has this format: config.boot-hostname.YYYYMMDD_HHMMSS

128 Chapter 13. System


CHAPTER 14

High availability

VRRP (Virtual Redundancy Protocol) provides active/backup redundancy for routers. Every VRRP router has a phys-
ical IP/IPv6 address, and a virtual address. On startup, routers elect the master, and the router with the highest priority
becomes the master and assigns the virtual address to its interface. All routers with lower priorities become backup
routers. The master then starts sending keepalive packets to notify other routers that it’s available. If the master fails
and stops sending keepalive packets, router with the next highest priority becomes the new master and takes over the
virtual address.
VRRP keepalive packets use multicast, and VRRP setups are limited to a single datalink layer segment. You can
setup multiple VRRP groups (also called virtual routers). Virtual routers are identified by a VRID (Virtual Router
IDentifier). If you setup multiple groups on the same interface, their VRIDs must be unique, but it’s possible (even if
not recommended for readability reasons) to use duplicate VRIDs on different interfaces.

14.1 Basic setup

VRRP groups are created with the set high-availability vrrp group $GROUP_NAME commands. The
required parameters are interface, vrid, and virtual-address.
mininmal config

set high-availability vrrp group Foo vrid 10


set high-availability vrrp group Foo interface eth0
set high-availability vrrp group Foo virtual-address 192.0.2.1/24

You can verify your VRRP group status with the operational mode run show vrrp command:

vyos@vyos# run show vrrp


Name Interface VRID State Last Transition
---------- ----------- ------ ------- -----------------
Foo eth1 10 MASTER 2s

129
VyOS Documentation, Release 1.2.0-beta

14.2 IPv6 support

The virtual-address parameter can be either an IPv4 or IPv6 address, but you cannot mix IPv4 and IPv6 in the
same group, and will need to create groups with different VRIDs specially for IPv4 and IPv6.

14.3 Disabling a VRRP group

You can disable a VRRP group with disable option:

set high-availability vrrp group Foo disable

A disabled group will be removed from the VRRP process and your router will not participate in VRRP for that VRID.
It will disappear from operational mode commands output, rather than enter the backup state.

14.4 Setting VRRP group priority

VRRP priority can be set with priority option:

set high-availability vrrp group Foo priority 200

The priority must be an interger number from 1 to 255. Higher priority value increases router’s precedence in the
master elections.

14.5 Preemption

VRRP can use two modes: preemptive and non-preemptive. In the preemptive mode, if a router with a higher priority
fails and then comes back, routers with lower priority will give up their master status. In non-preemptive mode, the
newly elected master will keep the master status and the virtual address indenfinitely.
By default VRRP uses preemption. You can disable it with the “no-preempt” option:

set high-availability vrrp group Foo no-preempt

You can also configure the time interval for preemption with the “preempt-delay” option. For example, to set the
higher priority router to take over in 180 seconds, use:

set high-availability vrrp group Foo preempt-delay 180

14.6 Unicast VRRP

By default VRRP uses multicast packets. If your network does not support multicast for whatever reason, you can
make VRRP use unicast communication instead.

set high-availability vrrp group Foo peer-address 192.0.2.10


set high-availability vrrp group Foo hello-source-address 192.0.2.15

130 Chapter 14. High availability


VyOS Documentation, Release 1.2.0-beta

14.7 Scripting

VRRP functionality can be extended with scripts. VyOS supports two kinds of scripts: health check scripts and
transition scripts. Health check scripts execute custom checks in addition to the master router reachability. Transition
scripts are executed when VRRP state changes from master to backup or fault and vice versa and can be used to enable
or disable certain services, for example.

14.7.1 Health check scripts

This setup will make the VRRP process execute the /config/scripts/vrrp-check.sh script every 60
seconds, and transition the group to the fault state if it fails (i.e. exits with non-zero status) three times:

set high-availability vrrp group Foo health-check script /config/scripts/vrrp-check.sh


set high-availability vrrp group Foo health-check interval 60
set high-availability vrrp group Foo health-check failure-count 3

14.7.2 Transition scripts

Transition scripts can help you implement various fixups, such as starting and stopping services, or even modifying
the VyOS config on VRRP transition. This setup will make the VRRP process execute the /config/scripts/
vrrp-fail.sh with argument Foo when VRRP fails, and the /config/scripts/vrrp-master.sh when
the router becomes the master:

set high-availability vrrp group Foo transition-script backup "/config/scripts/vrrp-


˓→fail.sh Foo"

set high-availability vrrp group Foo transition-script fault "/config/scripts/vrrp-


˓→fail.sh Foo"

set high-availability vrrp group Foo transition-script master "/config/scripts/vrrp-


˓→master.sh Foo"

14.7. Scripting 131


VyOS Documentation, Release 1.2.0-beta

132 Chapter 14. High availability


CHAPTER 15

Clustering

VyOS supports multicast and unicast clustering. Multicast is default and to use the unicast method you can add the
peer directive to the interface with the ip of the other cluster member.
In the example below SSH is clustered between two nodes with the unicast method.

cluster {
dead-interval 20000
group cluster {
auto-failback false
primary vyos
secondary vyos2
service ssh
service 192.168.0.123/24/eth0
}
interface eth0 {
peer 192.168.0.121
}
keepalive-interval 5000
monitor-dead-interval 20000
pre-shared-secret S3cr#t
}

133
VyOS Documentation, Release 1.2.0-beta

134 Chapter 15. Clustering


CHAPTER 16

System Image Management

The VyOS image-based installation is implemented by creating a directory for each image on the storage device
selected during the install process.
The directory structure of the boot device:

/
/boot
/boot/grub
/boot/1.2.0-rolling+201810021347

The image directory contains the system kernel, a compressed image of the root filesystem for the OS, and a directory
for persistent storage, such as configuration.
On boot, the system will extract the OS image into memory and mount the appropriate live-rw sub-directories to
provide persistent storage system configuration.
This process allows for a system to always boot to a known working state, as the OS image is fixed and non-persistent.
It also allows for multiple releases of VyOS to be installed on the same storage device.
The image can be selected manually at boot if needed, but the system will otherwise boot the image configured to be
the default.
The default boot image can be set using the set system image default-boot command in operational mode.
A list of available images can be shown using the show system image command in operational mode.

vyos@vyos:~$ show system image


The system currently has the following image(s) installed:

1: 1.2.0-rolling+201810021347 (default boot)


2: 1.2.0-rolling+201810021217
3: 1.2.0-rolling+201809280337
4: 1.2.0-rolling+201809252218
5: 1.2.0-rolling+201809192034
6: 1.2.0-rolling+201809191744
7: 1.2.0-rolling+201809150337
(continues on next page)

135
VyOS Documentation, Release 1.2.0-beta

(continued from previous page)


8: 1.2.0-rolling+201809141130
9: 1.2.0-rolling+201809140949
10: 1.2.0-rolling+201809131722

vyos@vyos:~$

Images no longer needed can be removed using the delete system image command.

16.1 Update VyOS Installation

Finally, new system images can be added using the add system image command. The add image command will extract
the image from the release ISO (either on the local filesystem or remotely if a URL is provided). The image install
process will prompt you to use the current system configuration and SSH security keys, allowing for the new image to
boot using the current configuration.

vyos@vyos:~$ add system image https://downloads.vyos.io/rolling/current/amd64/vyos-1.


˓→2.0-rolling%2B201810030440-amd64.iso

Trying to fetch ISO file from https://downloads.vyos.io/rolling/current/amd64/vyos-1.


˓→2.0-rolling%2B201810030440-amd64.iso

% Total % Received % Xferd Average Speed Time Time Time Current


Dload Upload Total Spent Left Speed
100 338M 100 338M 0 0 3837k 0 0:01:30 0:01:30 --:--:-- 3929k
ISO download succeeded.
Checking for digital signature file...
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0
curl: (22) The requested URL returned error: 404 Not Found

Unable to fetch digital signature file.


Do you want to continue without signature check? (yes/no) [yes]
Checking MD5 checksums of files on the ISO image...OK.
Done!

What would you like to name this image? [1.2.0-rolling+201810030440]:

OK. This image will be named: 1.2.0-rolling+201810030440


We do not have enough disk space to install this image!
We need 344880 KB, but we only have 17480 KB.
Exiting...

Note: Rolling releases are not GPG signed, only the real release build will have a proper GPG signature.

Note: VyOS configuration is associated to each image, and each image has a unique copy of its configuration. This
is different than a traditional network router where the configuration is shared across all images.

If you need some files from a previous images - take a look inside a /live directory.

136 Chapter 16. System Image Management


CHAPTER 17

Command scripting

VyOS supports executing configuration and operational commands non-interactively from shell scripts.
To include VyOS-specific functions and aliases you need to source /opt/vyatta/etc/functions/
script-template files at the top of your script.
#!/bin/vbash
source /opt/vyatta/etc/functions/script-template

exit

17.1 Run configuration commands

Configuration commands are executed just like from a normal config session.
For example, if you want to disable a BGP peer on VRRP transition to backup:
#!/bin/vbash
source /opt/vyatta/etc/functions/script-template

configure

set protocols bgp 65536 neighbor 192.168.2.1 shutdown

commit

exit

17.2 Run operational commands

Unlike a normal configuration sessions, all operational commands must be prepended with run, even if you haven’t
created a session with configure.

137
VyOS Documentation, Release 1.2.0-beta

#!/bin/vbash
source /opt/vyatta/etc/functions/script-template

run show interfaces

exit

17.3 Other script language

If you want to script the configs in a language other than bash you can have your script output commands and then
source them in a bash script.
Here is a simple example:

#!/usr/bin/env python
print "delete firewall group address-group somehosts"
print "set firewall group address-group somehosts address '1.1.1.1'"
print "set firewall group address-group somehosts address '1.1.1.2'"

#!bin/vbash
source /opt/vyatta/etc/functions/script-template

configure
source <(/config/scripts/setfirewallgroup.py)
commit

17.4 Executing Configuration Scripts

There is a pitfall when working with configuration scripts. It is tempting to call configuration scripts with “sudo” (i.e.,
temporary root permissions), because that’s the common way on most Linux platforms to call system commands.
On VyOS this will cause the following problem: After modifying the configuration via script like this once, it is not
possible to manually modify the config anymore:

sudo ./myscript.sh # Modifies config


configure
set ... # Any configuration parameter

This will result in the following error message: Set failed


If this happens, a reboot is required to be able to edit the config manually again.

To avoid these problems, the proper way is to call a script with the vyattacfg group, e.g., by using the sg (switch
group) command:

sg vyattacfg -c ./myscript.sh

To make sure that a script is not accidentally called without the vyattacfg group, the script can be safeguarded like
this:

138 Chapter 17. Command scripting


VyOS Documentation, Release 1.2.0-beta

if [ "$(id -g -n)" != 'vyattacfg' ] ; then


exec sg vyattacfg -c "/bin/vbash $(readlink -f $0) $@"
fi

17.4. Executing Configuration Scripts 139


VyOS Documentation, Release 1.2.0-beta

140 Chapter 17. Command scripting


CHAPTER 18

Appendix A - Troubleshooting

Sometimes things break or don’t work as expected. This section describes several troubleshooting tools provided by
VyOS that can help when something goes wrong.

18.1 Basic Connectivity Verification

Verifying connectivity can be done with the familiar ping and traceroute commands. The options for each are shown
(the options for each command were displayed using the built-in help as described in the Command-Line Interface
section and are omitted from the output here):
vyos@vyos:~$ ping
Possible completions:
<hostname> Send Internet Control Message Protocol (ICMP) echo request
<x.x.x.x>
<h:h:h:h:h:h:h:h>

Several options are available when more extensive troubleshooting is needed:


vyos@vyos:~$ ping 8.8.8.8
Possible completions:
<Enter> Execute the current command
adaptive Ping options
allow-broadcast
audible
bypass-route
count
deadline
flood
interface
interval
mark
no-loopback
numeric
(continues on next page)

141
VyOS Documentation, Release 1.2.0-beta

(continued from previous page)


pattern
quiet
record-route
size
timestamp
tos
ttl
verbose

vyos@vyos:~$ traceroute
Possible completions:
<hostname> Track network path to specified node
<x.x.x.x>
<h:h:h:h:h:h:h:h>
ipv4 Track network path to <hostname|IPv4 address>
ipv6 Track network path to <hostname|IPv6 address>

However, another tool, mtr, is available which combines ping and traceroute into a single tool. An example of its
output is shown:

vyos@vyos:~$ mtr 10.62.212.12

My traceroute [v0.85]
vyos (0.0.0.0)
Keys: Help Display mode Restart statistics Order of fields quit
Packets Pings
Host Loss% Snt Last Avg Best Wrst StDev
1. 10.11.110.4 0.0% 34 0.5 0.5 0.4 0.8 0.1
2. 10.62.255.184 0.0% 34 1.1 1.0 0.9 1.4 0.1
3. 10.62.255.71 0.0% 34 1.4 1.4 1.3 2.0 0.1
4. 10.62.212.12 0.0% 34 1.6 1.6 1.6 1.7 0.0

Note: The output of mtr consumes the screen and will replace your command prompt.

Several options are available for changing the display output. Press h to invoke the built in help system. To quit, just
press q and you’ll be returned to the VyOS command prompt.

18.2 Monitoring

18.2.1 Network Interfaces

It’s possible to monitor network traffic, either at the flow level or protocol level. This can be useful when troubleshoot-
ing a variety of protocols and configurations. The following interface types can be monitored:

vyos@vyos:~$ monitor interfaces


Possible completions:
<Enter> Execute the current command
bonding Monitor a bonding interface
bridge Monitor a bridge interface
ethernet Monitor a ethernet interface
loopback Monitor a loopback interface
(continues on next page)

142 Chapter 18. Appendix A - Troubleshooting


VyOS Documentation, Release 1.2.0-beta

(continued from previous page)


openvpn Monitor an openvpn interface
pppoe Monitor pppoe interface
pseudo-ethernet
Monitor a pseudo-ethernet interface
tunnel Monitor a tunnel interface
vrrp Monitor a vrrp interface
vti Monitor a vti interface
wireless Monitor wireless interface

To monitor traffic flows, issue the monitor interfaces <type> <name> flow command, replacing
<type> and <name> with your desired interface type and name, respectively. Output looks like the following:
12.5Kb 25.0Kb 37.5Kb 50.0Kb
˓→ 62.5Kb
??????????????????????????????????????????????????????????????????????????????????????
˓→??????????????

10.11.111.255 => 10.11.110.37 0b


˓→ 0b 0b
<= 624b
˓→749b 749b
10.11.110.29 => 10.62.200.11 0b
˓→198b 198b
<= 0b
˓→356b 356b
255.255.255.255 => 10.11.110.47 0b
˓→ 0b 0b
<= 724b
˓→145b 145b
10.11.111.255 => 10.11.110.47 0b
˓→ 0b 0b
<= 724b
˓→145b 145b
10.11.111.255 => 10.11.110.255 0b
˓→ 0b 0b
<= 680b
˓→136b 136b
??????????????????????????????????????????????????????????????????????????????????????
˓→??????????????

TX: cumm: 26.7KB peak: 40.6Kb rates: 23.2Kb


˓→21.4Kb 21.4Kb
RX: 67.5KB 63.6Kb 54.6Kb
˓→54.0Kb 54.0Kb
TOTAL: 94.2KB 104Kb 77.8Kb
˓→75.4Kb 75.4Kb

Several options are available for changing the display output. Press h to invoke the built in help system. To quit, just
press q and you’ll be returned to the VyOS command prompt.
To monitor interface traffic, issue the monitor interfaces <type> <name> traffic command, replac-
ing <type> and <name> with your desired interface type and name, respectively. This command invokes the familiar
tshark utility and the following options are available:
vyos@vyos:~$ monitor interfaces ethernet eth0 traffic
Possible completions:
<Enter> Execute the current command
detail Monitor detailed traffic for the specified ethernet interface
filter Monitor filtered traffic for the specified ethernet interface
(continues on next page)

18.2. Monitoring 143


VyOS Documentation, Release 1.2.0-beta

(continued from previous page)


save Save monitored traffic to a file
unlimited Monitor traffic for the specified ethernet interface

To quit monitoring, press Ctrl-c and you’ll be returned to the VyOS command prompt. The detail keyword provides
verbose output of the traffic seen on the monitored interface. The filter keyword accepts valid PCAP filter expressions,
enclosed in single or double quotes (e.g. “port 25” or “port 161 and udp”). The save keyword allows you to save the
traffic dump to a file. The unlimited keyword is used to specify that an unlimited number of packets can be captured
(by default, 1,000 packets are captured and you’re returned to the VyOS command prompt).

18.2.2 Interface Bandwith

to take a quick view on the used bandwith of an interface use the monitor bandwith command

vyos@vyos:~$ monitor bandwidth interface eth0

show the following:

eth0
˓→ bmon 3.5
Interfaces RX bps pps % TX bps pps %
>eth0 141B 2 272B 1

B (RX Bytes/second)
198.00 .|....|.....................................................
165.00 .|....|.....................................................
132.00 ||..|.|.....................................................
99.00 ||..|.|.....................................................
66.00 |||||||.....................................................
33.00 |||||||.....................................................
1 5 10 15 20 25 30 35 40 45 50 55 60
KiB (TX Bytes/second)
3.67 ......|.....................................................
3.06 ......|.....................................................
2.45 ......|.....................................................
1.84 ......|.....................................................
1.22 ......|.....................................................
0.61 :::::||.....................................................
1 5 10 15 20 25 30 35 40 45 50 55 60

Press d to enable detailed statistics


˓→

Press i to enable additional information


˓→

Wed Apr 3 14:46:59 2019


˓→ Press ? for help

Press d for more detailed informations or i for additional information.


To exit press q and than y

144 Chapter 18. Appendix A - Troubleshooting


VyOS Documentation, Release 1.2.0-beta

18.2.3 Interface performance

To take a look on the network bandwith between two nodes, the monitor bandwidth-test command is used to
run iperf.

vyos@vyos:~$ monitor bandwidth-test


Possible completions:
accept Wait for bandwidth test connections (port TCP/5001)
initiate Initiate a bandwidth test

The accept command open a listen iperf server on TCP Port 5001
The initiate command conncet to this server.

vyos@vyos:~$ monitor bandwidth-test initiate


Possible completions:
<hostname> Initiate a bandwidth test to specified host (port TCP/5001)
<x.x.x.x>
<h:h:h:h:h:h:h:h>

18.3 Clear Command

Sometimes you need to clear counters or statistics to troubleshoot better.


To do this use the clear command in Operational mode.
to clear the console output

vyos@vyos:~$ clear console

to clear interface counters

# clear all interfaces


vyos@vyos:~$ clear interface ethernet counters
# clear specific interface
vyos@vyos:~$ clear interface ehternet eth0 counters

The command follow the same logic as the set command in configuration mode.

# clear all counters of a interface type


vyos@vyos:~$ clear interface <interface_type> counters
# clear counter of a interface in interface_type
vyos@vyos:~$ clear interface <interface_type> <interace_name> counters

to clear counters on firewall rulesets or single rules

vyos@vyos:~$ clear firewall name <ipv4 ruleset name> counters


vyos@vyos:~$ clear firewall name <ipv4 ruleset name> rule <rule#> counters

vyos@vyos:~$ clear firewall ipv6-name <ipv6 ruleset name> counters


vyos@vyos:~$ clear firewall ipv6-name <ipv6 ruleset name> rule <rule#> counters

18.3. Clear Command 145


VyOS Documentation, Release 1.2.0-beta

146 Chapter 18. Appendix A - Troubleshooting


CHAPTER 19

Appendix B - Configuration Examples

19.1 VyOS DMVPN Hub

General infomration can be found in the DMVPN chapter.

19.1.1 Configuration

set interfaces tunnel tun100 address '172.16.253.134/29'


set interfaces tunnel tun100 encapsulation 'gre'
set interfaces tunnel tun100 local-ip '11.22.33.44'
set interfaces tunnel tun100 multicast 'enable'
set interfaces tunnel tun100 parameters ip key '1'

set protocols nhrp tunnel tun100 cisco-authentication '<nhrp secret key>'


set protocols nhrp tunnel tun100 holding-time '300'
set protocols nhrp tunnel tun100 multicast 'dynamic'
set protocols nhrp tunnel tun100 redirect
set protocols nhrp tunnel tun100 shortcut

set vpn ipsec esp-group ESP-HUB compression 'disable'


set vpn ipsec esp-group ESP-HUB lifetime '1800'
set vpn ipsec esp-group ESP-HUB mode 'tunnel'
set vpn ipsec esp-group ESP-HUB pfs 'dh-group2'
set vpn ipsec esp-group ESP-HUB proposal 1 encryption 'aes256'
set vpn ipsec esp-group ESP-HUB proposal 1 hash 'sha1'
set vpn ipsec esp-group ESP-HUB proposal 2 encryption '3des'
set vpn ipsec esp-group ESP-HUB proposal 2 hash 'md5'
set vpn ipsec ike-group IKE-HUB ikev2-reauth 'no'
set vpn ipsec ike-group IKE-HUB key-exchange 'ikev1'
set vpn ipsec ike-group IKE-HUB lifetime '3600'
set vpn ipsec ike-group IKE-HUB proposal 1 dh-group '2'
set vpn ipsec ike-group IKE-HUB proposal 1 encryption 'aes256'
(continues on next page)

147
VyOS Documentation, Release 1.2.0-beta

(continued from previous page)


set vpn ipsec ike-group IKE-HUB proposal 1 hash 'sha1'
set vpn ipsec ike-group IKE-HUB proposal 2 dh-group '2'
set vpn ipsec ike-group IKE-HUB proposal 2 encryption 'aes128'
set vpn ipsec ike-group IKE-HUB proposal 2 hash 'sha1'
set vpn ipsec ipsec-interfaces interface 'eth0'

set vpn ipsec profile NHRPVPN authentication mode 'pre-shared-secret'


set vpn ipsec profile NHRPVPN authentication pre-shared-secret '<secretkey>'
set vpn ipsec profile NHRPVPN bind tunnel 'tun100'
set vpn ipsec profile NHRPVPN esp-group 'ESP-HUB'
set vpn ipsec profile NHRPVPN ike-group 'IKE-HUB'

19.1.2 Cisco IOS Spoke

This example is verified with a Cisco 2811 platform running IOS 15.1(4)M9 and VyOS 1.1.7 (helium) up to VyOS
1.2 (Crux).
Cisco IOS Software, 2800 Software (C2800NM-ADVENTERPRISEK9-M), Version 15.1(4)M9,
˓→RELEASE SOFTWARE (fc3)

Technical Support: http://www.cisco.com/techsupport


Copyright (c) 1986-2014 by Cisco Systems, Inc.
Compiled Fri 12-Sep-14 10:45 by prod_rel_team

ROM: System Bootstrap, Version 12.3(8r)T7, RELEASE SOFTWARE (fc1)

Use this configuration on your Cisco device:


crypto pki token default removal timeout 0
crypto keyring DMVPN
pre-shared-key address 1.2.3.4 key <secretkey>
!
crypto isakmp policy 10
encr aes 256
authentication pre-share
group 2
!
crypto isakmp invalid-spi-recovery
crypto isakmp keepalive 30 30 periodic
crypto isakmp profile DMVPN
keyring DMVPN
match identity address 11.22.33.44 255.255.255.255
!
crypto ipsec transform-set DMVPN-AES256 esp-aes 256 esp-sha-hmac
mode transport
!
crypto ipsec profile DMVPN
set security-association idle-time 720
set transform-set DMVPN-AES256
!
interface Tunnel10
description Tunnel to DMVPN HUB
ip address 172.16.253.129 255.255.255.248
no ip redirects
ip nhrp authentication <nhrp secret key>
ip nhrp map multicast 11.22.33.44
(continues on next page)

148 Chapter 19. Appendix B - Configuration Examples


VyOS Documentation, Release 1.2.0-beta

(continued from previous page)


ip nhrp map 172.16.253.134 11.22.33.44
ip nhrp network-id 1
ip nhrp holdtime 600
ip nhrp nhs 172.16.253.134
ip nhrp registration timeout 75
tunnel source Dialer1
tunnel mode gre multipoint
tunnel key 1

19.1. VyOS DMVPN Hub 149


VyOS Documentation, Release 1.2.0-beta

150 Chapter 19. Appendix B - Configuration Examples


CHAPTER 20

Appendix C - Command tree

See the the full Command tree in Operational mode and Configuration mode

20.1 Operational mode

Operational mode allows for commands to perform operational system tasks and view system and service status. After
this is the first view after the login. Please see Command-Line Interface for navigation in the CLI

vyos@vyos:~$ [tab]
Possible completions:
add Add an object to a service
clear Clear system information
clone Clone an object
configure Enter configure mode
connect Establish a connection
copy Copy an object
delete Delete an object
disconnect Take down a connection
force Force an operation
format Format a device
generate Generate an object
install Install a new system
monitor Monitor system information
ping Send IPv4 or IPv6 ICMP (Internet Control Message Protocol) echo
˓→requests

poweroff Poweroff the system


reboot Reboot the system
release Release specified variable
rename Rename an object
renew Renew specified variable
reset Reset a service
restart Restart a service
set Set operational options
(continues on next page)

151
VyOS Documentation, Release 1.2.0-beta

(continued from previous page)


show Show system information
telnet Telnet to a node
traceroute Track network path to node
update Update data for a service

20.1.1 Add

raid Add a RAID set element


system Add an item to a system facility

20.1.2 Clear

console Clear screen


firewall Clear firewall statistics
flow-accounting Clear flow accounting
interfaces Clear interface information
ip Clear Internet Protocol (IP) statistics or status
ipv6 Clear Internet Protocol (IPv6) statistics or status
nat Clear network address translation (NAT) tables
policy Clear policy statistics

20.1.3 Clone

The clone command allows you to clone a configuration from a system image to another one, or from the running
config to another system image. To clone the running config to a system image:

clone system config <system-image> from running

To clone from system image A to system image B:

clone system config <system-image-B> from <system-image-A>

20.1.4 Configure

The configure command allows you to enter configuration mode.

vyos@vyos:~$ configure
[edit]
vyos@vyos#

20.1.5 Connect

The connect command allows you to bring up a connection oriented interface, like a pppoe interface.

connect interface <interface>

152 Chapter 20. Appendix C - Command tree


VyOS Documentation, Release 1.2.0-beta

20.1.6 Copy

The copy command allows you to copy a file to your running config or over images.
It can look like this example:

vyos@vyos:~$ copy file [tab]


Possible completions:
http://<user>:<passwd>@<host>/<file>
Copy files from specified source
scp://<user>:<passwd>@<host>/<file>
ftp://<user>:<passwd>@<host>/<file>
tftp://<host>/<file>
1.2.0://config/
1.2.0-rolling+201902251818://config/
1.2.0-rolling+201902201040://config/
1.2.0-rolling+201902080337://config/
1.2.0-H4://config/
running://config/

To copy from file A to file B:

copy <file A> to <file B>

20.1.7 Delete

conntrack Delete Conntrack entries


file Delete files in a particular image
log Delete a log file
raid Remove a RAID set element
system Delete system objects

20.1.8 Disconnect

The disconnect command allows you to take down a connection oriented interface, like a pppoe interface.

disconnect interface <interface>

20.1.9 Force

arp Send gratuitous ARP request or reply


cluster Force a cluster state transition

20.1.10 Format

The format command allows you to format a disk the same way as another one.

format disk <target> like <source>

20.1. Operational mode 153


VyOS Documentation, Release 1.2.0-beta

20.1.11 Generate

openvpn OpenVPN key generation tool


ssh-server-key
Regenerate the host SSH keys and restart the SSH server
tech-support Generate tech-support archive
vpn VPN key generation utility
wireguard wireguard key generation utility

20.1.12 Install

The install command allows you to install the system image on the disk.

install image

20.1.13 Monitor

monitor can be used to continually view what is happening on the router.

bandwidth Monitor interface bandwidth in real time


bandwidth-test
Initiate or wait for bandwidth test
cluster Monitor clustering service
command Monitor an operational mode command (refreshes every 2 seconds)
conntrack-sync
Monitor conntrack-sync
content-inspection
Monitor Content-Inspection
dhcp Monitor Dynamic Host Control Protocol (DHCP)
dns Monitor a Domain Name Service (DNS) daemon
firewall Monitor Firewall
https Monitor the Secure Hypertext Transfer Protocol (HTTPS) service
lldp Monitor Link Layer Discovery Protocol (LLDP) daemon
log Monitor last lines of messages file
nat Monitor network address translation (NAT)
openvpn Monitor OpenVPN
protocol Monitor routing protocols
snmp Monitor Simple Network Management Protocol (SNMP) daemon
stop-all Stop all current background monitoring processes
traceroute Monitor the path to a destination in realtime
traffic Monitor traffic dumps
vpn Monitor VPN
vrrp Monitor Virtual Router Redundancy Protocol (VRRP)
webproxy Monitor Webproxy service

20.1.14 Ping

The ping command allows you to send an ICMP-EchoRequest packet and display the ICMP-EchoReply received.

<hostname> Send Internet Control Message Protocol (ICMP) echo request


<x.x.x.x>
<h:h:h:h:h:h:h:h>

154 Chapter 20. Appendix C - Command tree


VyOS Documentation, Release 1.2.0-beta

20.1.15 Poweroff

The poweroff command allows you to properly shut down the VyOS instance. Without any modifier, the command
is executed immediately.
<Enter> Execute the current command
at Poweroff at a specific time
cancel Cancel a pending poweroff
in Poweroff in X minutes
now Poweroff the system without confirmation

20.1.16 Reboot

The reboot command allows you to properly restart the VyOS instance. Without any modifier, the command is
executed immediately.
<Enter> Execute the current command
at Poweroff at a specific time
cancel Cancel a pending poweroff
in Poweroff in X minutes
now Poweroff the system without confirmation

20.1.17 Release

The release command allows you to release a DHCP or DHCPv6 lease.


vyos@vyos:~$ release dhcp interface <int>
vyos@vyos:~$ release dhcpv6 interface <int>

20.1.18 Rename

The rename command allows you to rename a system image.


rename system image <currentname> <newname>

20.1.19 Renew

The renew command allows you to renew a DHCP or DHCPv6 lease.


vyos@vyos:~$ renew dhcp interface <int>
vyos@vyos:~$ renew dhcpv6 interface <int>

20.1.20 Reset

conntrack Reset all currently tracked connections


conntrack-sync
Reset connection syncing parameters
dns Reset a DNS service state
firewall reset a firewall group
(continues on next page)

20.1. Operational mode 155


VyOS Documentation, Release 1.2.0-beta

(continued from previous page)


ip Reset Internet Protocol (IP) parameters
ipv6 Reset Internet Protocol version 6 (IPv6) parameters
nhrp Clear/Purge NHRP entries
openvpn Reset OpenVPN
terminal Reset terminal
vpn Reset Virtual Private Network (VPN) information

20.1.21 Restart

cluster Restart cluster node


conntrack-sync
Restart connection tracking synchronization service
dhcp Restart DHCP processes
dhcpv6 Restart DHCPv6 processes
dns Restart a DNS service
flow-accounting
Restart flow-accounting service
https Restart https server
vpn Restart IPsec VPN
vrrp Restart the VRRP (Virtual Router Redundancy Protocol) process
wan-load-balance
Restart WAN load balancing
webproxy Restart webproxy service

20.1.22 Set

<OPTION> Bash builtin set command


console Control console behaviors
date Set system date and time
system Set system operational parameters
terminal Control terminal behaviors

20.1.23 Show

arp Show Address Resolution Protocol (ARP) information


bridge Show bridging information
cluster Show clustering information
configuration Show available saved configurations
conntrack Show conntrack entries in the conntrack table
conntrack-sync
Show connection syncing information
date Show system time and date
dhcp Show DHCP (Dynamic Host Configuration Protocol) information
dhcpv6 Show DHCPv6 (IPv6 Dynamic Host Configuration Protocol) information
disk Show status of disk device
dns Show DNS information
file Show files for a particular image
firewall Show firewall information
flow-accounting
Show flow accounting statistics
(continues on next page)

156 Chapter 20. Appendix C - Command tree


VyOS Documentation, Release 1.2.0-beta

(continued from previous page)


hardware Show system hardware details
history show command history
host Show host information
incoming Show ethernet input-policy information
interfaces Show network interface information
ip Show IPv4 routing information
ipv6 Show IPv6 routing information
license Show VyOS license information
lldp Show lldp
log Show contents of current master log file
login Show current login credentials
monitoring Show currently monitored services
nat Show Network Address Translation (NAT) information
nhrp Show NHRP info
ntp Show peer status of NTP daemon
openvpn Show OpenVPN information
policy Show policy information
poweroff Show scheduled poweroff
pppoe-server show pppoe-server status
queueing Show ethernet queueing information
raid Show statis of RAID set
reboot Show scheduled reboot
remote-config Show remote side config
route-map Show route-map information
snmp Show status of SNMP on localhost
system Show system information
system-integrity
checks the integrity of the system
table Show routing table
tech-support Show consolidated tech-support report (private information removed)
users Show user information
version Show system version information
vpn Show Virtual Private Network (VPN) information
vrrp Show VRRP (Virtual Router Redundancy Protocol) information
wan-load-balance
Show Wide Area Network (WAN) load-balancing information
webproxy Show webproxy information
wireguard Show wireguard properties
zone-policy Show summary of zone policy for a specific zone

20.1.24 Telnet

In the past the telnet command allowed you to connect remotely to another device using the telnet protocol. Telnet
is unencrypted and should not use anymore. But its nice to test if an TCP Port to a host is open.

vyos@vyos:~$ telnet 192.168.1.3 443


Trying 192.168.1.3...
telnet: Unable to connect to remote host: Network is unreachable

vyos@vyos:~$ telnet 192.168.1.4 443


Trying 192.168.1.4...
Connected to 192.168.1.4.
Escape character is '^]'.

20.1. Operational mode 157


VyOS Documentation, Release 1.2.0-beta

20.1.25 Traceroute

The traceroute command allows you to trace the path taken to a particular device.
<hostname> Track network path to specified node
<x.x.x.x>
<h:h:h:h:h:h:h:h>
ipv4 Track network path to <hostname|IPv4 address>
ipv6 Track network path to <hostname|IPv6 address>

20.1.26 Update

dns Update DNS information


webproxy Update webproxy

20.2 Configuration mode

confirm Confirm prior commit-confirm


comment Add comment to this configuration element
commit Commit the current set of changes
commit-confirm Commit the current set of changes with 'confirm' required
compare Compare configuration revisions
copy Copy a configuration element
delete Delete a configuration element
discard Discard uncommitted changes
edit Edit a sub-element
exit Exit from this configuration level
load Load configuration from a file and replace running configuration
loadkey Load user SSH key from a file
merge Load configuration from a file and merge running configuration
rename Rename a configuration element
rollback Rollback to a prior config revision (requires reboot)
run Run an operational-mode command
save Save configuration to a file
set Set the value of a parameter or create a new element
show Show the configuration (default values may be suppressed)

20.2.1 Confirm

The confirm command confirms the prior commit-confirm.

20.2.2 Comment

The comment commands allow you to insert a comment above the current configuration section. The command
cannot be used at the top of the configuration hierarchy, only on subsections. Comments needs to be commited, just
like other config changes.
To add a comment to a section, while being already at the proper section level:
[edit <section>]
vyos@vyos# comment "Type Comment Here"

158 Chapter 20. Appendix C - Command tree


VyOS Documentation, Release 1.2.0-beta

To add a comment directly to a section, from the top or a higher section:

[edit]
vyos@vyos# comment <section> "Type Comment Here"

To remove a comment, add a blank comment to overwrite:

[edit <section>]
vyos@vyos# comment ""

Examples

To add a comment to the “interfaces” section:

[edit]
vyos@vyos# edit interfaces
[edit interfaces]
vyos@vyos# comment "Here is a comment"
[edit interfaces]
vyos@vyos# commit

The comment would then appear like this:

[edit]
vyos@vyos# show
/* Here is a comment */
interfaces {
ethernet eth0 {
[...]

An important thing to note is that since the comment is added on top of the section, it will not appear if the show
<section> command is used. With the above example, the show interfaces command would return starting
after the “interfaces {” line, hiding the comment:

[edit]
vyos@vyos# show interfaces
ethernet eth0 {
[...]

To add a comment to the interfaces section from the top:

[edit]
vyos@vyos# comment interfaces "test"

The comment can be added to any node that already exists, even if it’s multiple levels lower:

[edit]
vyos@vyos# comment interfaces ethernet eth0 vif 222 address "Far down comment"

20.2.3 Commit

The commit command commits the proposed changes to the configuration file. Every changes done in the configu-
ration session is only applied when the configuration is committed. To view the changes that will be applied, use the
show command. To discard the changes without committing, use the discard command. The commit command
doesn’t save the configuration, you need to manually use the save command.

20.2. Configuration mode 159


VyOS Documentation, Release 1.2.0-beta

The confirm keyword can be added, see commit-confirm. A comment can be entered, it will appear in the commit
log.

[edit]
vyos@vyos# commit
Possible completions:
<Enter> Commit working configuration
comment Comment for commit log

20.2.4 Commit-confirm

The commit-confirm command commits the proposed changes to the configuration file and starts a timer. If the
confirm command is not entered before the timer expiration, the configuration will be rolled back and VyOS will
reboot. The default timer value is 10 minutes, but a custom value can be entered.

[edit]
vyos@vyos# commit-confirm
Possible completions:
<Enter> Commit, rollback/reboot in 10 minutes if no confirm
<N> Commit, rollback/reboot in N minutes if no confirm
comment Comment for commit log

20.2.5 Compare

VyOS maintains backups of previous configurations. To compare configuration revisions in configuration mode, use
the compare command:

[edit]
vyos@vyos# compare
Possible completions:
<Enter> Compare working & active configurations
saved Compare working & saved configurations
<N> Compare working with revision N
<N> <M> Compare revision N with M

Revisions:
0 2019-03-20 20:57:22 root by boot-config-loader
1 2019-03-15 20:00:04 root by boot-config-loader
2 2019-03-05 01:58:39 vyos by cli
3 2019-03-05 01:54:59 vyos by cli
4 2019-03-05 01:53:08 vyos by cli
5 2019-03-05 01:52:21 vyos by cli
6 2019-02-24 21:01:24 root by boot-config-loader
7 2019-02-21 22:00:12 vyos by cli
8 2019-02-21 21:56:49 vyos by cli

20.2.6 Copy

The copy command allows you to copy a configuration object.


Copy the configuration entrys from a firewall name WAN rule 1 to rule 2.

160 Chapter 20. Appendix C - Command tree


VyOS Documentation, Release 1.2.0-beta

[edit firewall name WAN]


vyos@vyos# show
rule 1 {
action accept
source {
address 10.1.0.0/24
}
}
[edit firewall name WAN]
vyos@vyos# copy rule 1 to rule 2
[edit firewall name WAN]
vyos@vyos# show
rule 1 {
action accept
source {
address 10.1.0.0/24
}
}
+rule 2 {
+ action accept
+ source {
+ address 10.1.0.0/24
+ }
+}

20.2.7 Delete

The delte command is to delete a configuration entry.


This Example delete the hole service tftp-server section.

delete service tftp-server

20.2.8 Discard

The discard command removes all pending configuration changes.

[edit]
vyos@vyos# discard

Changes have been discarded

20.2.9 Edit

The edit command allows you to navigate down into the configuration tree. To get back to an upper level, use the
up command or use the top command to get back to the upper most level. The [edit] text displays where the user
is located in the configuration tree.

[edit]
vyos@vyos# edit interfaces
[edit interfaces]
vyos@vyos# edit ethernet eth0
[edit interfaces ethernet eth0]

20.2. Configuration mode 161


VyOS Documentation, Release 1.2.0-beta

20.2.10 Exit

The exit command exits the current configuration mode. If the current configuration level isn’t the top-most, then
the configuration level is put back to the top-most level. If the configuration level is at the top-most level, then it
exits the configuration mode and returns to operational mode. The exit command cannot be used if uncommitted
changes exists in the configuration file. To exit with uncommitted changes, you either need to use the exit discard
command or you need to commit the changes before exiting. The exit command doesn’t save the configuration, only
the save command does. A warning will be given when exiting with unsaved changes. Using the exit command in
operational mode will logout the session.
Exiting from a configuration level:
[edit interfaces ethernet eth0]
vyos@vyos# exit
[edit]
vyos@vyos#

Exiting from configuration mode:


[edit]
vyos@vyos# exit
exit
vyos@vyos:~$

Exiting from operational mode:


vyos@vyos:~$ exit
logout

Error message when trying to exit with uncommitted changes:


vyos@vyos# exit
Cannot exit: configuration modified.
Use 'exit discard' to discard the changes and exit.
[edit]
vyos@vyos#

Warning message when exiting with unsaved changes:


[edit]
vyos@vyos# exit
Warning: configuration changes have not been saved.
exit
vyos@vyos:~$

20.2.11 Load

The load command load a configuration from a local or remote file. You have to be use commit to make the change
active
<Enter> Load from system config file
<file> Load from file on local machine
scp://<user>:<passwd>@<host>/<file> Load from file on remote machine
sftp://<user>:<passwd>@<host>/<file> Load from file on remote machine
ftp://<user>:<passwd>@<host>/<file> Load from file on remote machine
http://<host>/<file> Load from file on remote machine
(continues on next page)

162 Chapter 20. Appendix C - Command tree


VyOS Documentation, Release 1.2.0-beta

(continued from previous page)


https://<host>/<file> Load from file on remote machine
tftp://<host>/<file> Load from file on remote machine

[edit]
vyos@vyos# load
Loading configuration from '/config/config.boot'...

Load complete. Use 'commit' to make changes active.

20.2.12 Loadkey

Copies the content of a public key to the ~/.ssh/authorized_keys file.

loadkey <username> [tab]

<file> Load from file on local machine


scp://<user>@<host>/<file> Load from file on remote machine
sftp://<user>@<host>/<file> Load from file on remote machine
ftp://<user>@<host>/<file> Load from file on remote machine
http://<host>/<file> Load from file on remote machine
tftp://<host>/<file> Load from file on remote machine

20.2.13 Merge

The merge command merge the config from a local or remote file with the running config.
In the example below exist a default-firewall.config file with some common firewall rules you saved earlier.

[edit]
vyos@vyos# show firewall
Configuration under specified path is empty
[edit]
vyos@vyos# merge default-firewall.config
Loading configuration from '/config/default-firewall.config'...

Merge complete. Use 'commit' to make changes active.


[edit]
vyos@vyos#

vyos@vyos# show firewall


+all-ping enable
+broadcast-ping disable
+config-trap disable
+ipv6-receive-redirects disable
+ipv6-src-route disable
+ip-src-route disable
+log-martians enable
+name WAN {
+ default-action drop
+ rule 1 {
+ action accept
+ source {
+ address 10.1.0.0/24
(continues on next page)

20.2. Configuration mode 163


VyOS Documentation, Release 1.2.0-beta

(continued from previous page)


+ }
+ }
+ rule 2 {
+ action accept
+ source {
+ address 10.1.0.0/24
+ }
......

20.2.14 Rename

The rename command allows you to rename or move a configuration object.


See here how to move the configuration entrys from vlanid 3 to 2

[edit interfaces ethernet eth1]


vyos@vyos# show
duplex auto
hw-id 08:00:27:81:c6:59
smp-affinity auto
speed auto
vif 3 {
address 10.4.4.4/32
}
[edit interfaces ethernet eth1]
vyos@vyos# rename vif 3 to vif 2
[edit interfaces ethernet eth1]
vyos@vyos# show
duplex auto
hw-id 08:00:27:81:c6:59
smp-affinity auto
speed auto
+vif 2 {
+ address 10.4.4.4/32
+}
-vif 3 {
- address 10.4.4.4/32
-}
[edit interfaces ethernet eth1]
vyos@vyos#

20.2.15 Rollback

You can rollback configuration using the rollback command, however this command will currently trigger a system
reboot. Use the compare command to verify the configuration you want to rollback to.

vyos@vyos# compare 1
[edit system]
>host-name vyos-1
[edit]
vyos@vyos# rollback 1
Proceed with reboot? [confirm][y]

(continues on next page)

164 Chapter 20. Appendix C - Command tree


VyOS Documentation, Release 1.2.0-beta

(continued from previous page)


Broadcast message from root@vyos-1 (pts/0) (Tue Dec 17 21:07:45 2018):

The system is going down for reboot NOW!


[edit]
vyos@vyos#

20.2.16 Run

The run command allows you to execute any operational mode commands without exiting the configuration session.

[edit]
vyos@vyos# run show interfaces
Codes: S - State, L - Link, u - Up, D - Down, A - Admin Down
Interface IP Address S/L Description
--------- ---------- --- -----------
eth0 10.1.1.1/24 u/u

20.2.17 Save

The save command saves the current configuration to non-volatile storage. VyOS also supports saving and loading
configuration remotely using SCP, FTP, or TFTP.

<Enter> Save to system config file


<file> Save to file on local machine
scp://<user>:<passwd>@<host>/<file> Save to file on remote machine
sftp://<user>:<passwd>@<host>/<file> Save to file on remote machine
ftp://<user>:<passwd>@<host>/<file> Save to file on remote machine
tftp://<host>/<file> Save to file on remote machine

20.2.18 Set

The set command create all configuration entrys

[edit]
vyos@vyos# set protocols static route 0.0.0.0/0 next-hop 192.168.1.1

20.2.19 Show

The show command in the configuration mode displays the configuration and show uncommitted changes.
Show the hole config, the address and description of eth1 is moving to vlan 2 if you commit the changes.

[edit]
vyos@vyos# show
interfaces {
dummy dum0 {
address 10.3.3.3/24
}
ethernet eth0 {
address dhcp
(continues on next page)

20.2. Configuration mode 165


VyOS Documentation, Release 1.2.0-beta

(continued from previous page)


duplex auto
hw-id 08:00:27:2b:c0:0b
smp-affinity auto
speed auto
}
ethernet eth1 {
- address 10.1.1.1/32
- description "MGMT Interface"
duplex auto
hw-id 08:00:27:81:c6:59
smp-affinity auto
speed auto
+ vif 2 {
+ address 10.1.1.1/32
+ description "MGMT Interface"
+ }
}
loopback lo {
}
}
service {
ssh {
port 22
......

166 Chapter 20. Appendix C - Command tree


CHAPTER 21

Bug Reports and Feature Requests

For Bug Reports and Feature Requests please take a look at Phabricator here:
https://phabricator.vyos.net

21.1 Bug Report

To create a Bugreport use the quick link in the left side under the specific project.
Please think about the next points:

• provide as much information as you can


• which version you use
• what is to do to reproduce the bug

21.2 Feature Request

To send a Feature Request please search in Phabricator if there is already a Feature Request. You can enhance it or if
you don’t find one create a new one by use the quick link in the left side under the specific project.

167
VyOS Documentation, Release 1.2.0-beta

168 Chapter 21. Bug Reports and Feature Requests


CHAPTER 22

Development

The source code is hosted on github under VyOS organization: github.com/vyos


The code is split into git submodules. Submodules is a mechanism for keeping subprojects in separate git repos while
being able to access them from the main project.
VyOS is composed of multiple individual packages, some of them are periodically synced with upstream, so keeping
the whole source under a single repository would be very inconvenient and slow. There is now an ongoing effort to
consolidate all VyOS-specific packages into vyos-1x package, but the basic structure is going to stay the same, just
with fewer submodules.
The repository that contains the ISO build scripts and links to all submodules is vyos-build. The README will guide
you to use the this toplevel repository.

169
VyOS Documentation, Release 1.2.0-beta

170 Chapter 22. Development


CHAPTER 23

VyOS CLI

The bash completion in VyOS is defined in templates. Templates are text files stored in a directory tree, where
directory names define command names, and template files define command behaviour. Befor VyOS 1.2.x this files
were created by hand. After a complex redesing process the new style template are in XML.

XML interface definitions for VyOS come with a RelaxNG schema and are located here vyos-1x
This schema is a slightly modified schema from VyConf alias VyOS 2.0
So VyOS 1.2.x interface definitions will be reusable in Nextgen VyOS Versions with very minimal changes.

The great thing about schemas is not only that people can know the complete grammar for certain, but also that it can
be automatically verified. The scripts/build-command-templates script that converts the XML definitions to old style
templates also verifies them against the schema, so a bad definition will cause the package build to fail. I do agree that
the format is verbose, but there is no other format now that would allow this. Besides, a specialized XML editor can
alleviate the issue with verbosity.

23.1 Example XML File

<?xml version="1.0"?>
<!-- Cron configuration -->
<interfaceDefinition>
<node name="system">
<children>
<node name="task-scheduler">
<properties>
<help>Task scheduler settings</help>
</properties>
<children>
<tagNode name="task" owner="${vyos_conf_scripts_dir}/task_scheduler.py">
<properties>
(continues on next page)

171
VyOS Documentation, Release 1.2.0-beta

(continued from previous page)


<help>Scheduled task</help>
<valueHelp>
<format>&lt;string&gt;</format>
<description>Task name</description>
</valueHelp>
<priority>999</priority>
</properties>
<children>
<leafNode name="crontab-spec">
<properties>
<help>UNIX crontab time specification string</help>
</properties>
</leafNode>
<leafNode name="interval">
<properties>
<help>Execution interval</help>
<valueHelp>
<format>&lt;minutes&gt;</format>
<description>Execution interval in minutes</description>
</valueHelp>
<valueHelp>
<format>&lt;minutes&gt;m</format>
<description>Execution interval in minutes</description>
</valueHelp>
<valueHelp>
<format>&lt;hours&gt;h</format>
<description>Execution interval in hours</description>
</valueHelp>
<valueHelp>
<format>&lt;days&gt;d</format>
<description>Execution interval in days</description>
</valueHelp>
<constraint>
<regex>[1-9]([0-9]*)([mhd]{0,1})</regex>
</constraint>
</properties>
</leafNode>
<node name="executable">
<properties>
<help>Executable path and arguments</help>
</properties>
<children>
<leafNode name="path">
<properties>
<help>Path to executable</help>
</properties>
</leafNode>
<leafNode name="arguments">
<properties>
<help>Arguments passed to the executable</help>
</properties>
</leafNode>
</children>
</node>
</children>
</tagNode>
</children>
(continues on next page)

172 Chapter 23. VyOS CLI


VyOS Documentation, Release 1.2.0-beta

(continued from previous page)


</node>
</children>
</node>
</interfaceDefinition>

23.2 Configuration mode command definitions

Command definitions are purely declarative, and cannot contain any logic. All logic for generating config files for
target applications, restarting services and so on is implemented in configuration scripts instead.

23.2.1 Command syntax guidelines

Use of numbers

Use of numbers in command names should be avoided unless a number is a part of a protocol name or similar. Thus,
“protocols ospfv3” is perfectly fine, but something like “server-1” is questionable at best.

23.2.2 Help string guidelines

To ensure uniform look and feel, and improve readability, we should follow a set of guidelines consistently.

Capitalization and punctuation

The first word of every help string must be capitalized. There must not be a period at the end of help strings.
Rationale: this seems to be the unwritten standard in network device CLIs, and a good aesthetic compromise.
Examples:
• Good: “Frobnication algorithm”
• Bad: “frobnication algorithm”
• Bad: “Frobnication algorithm.”
• Horrible: “frobnication algorithm.”

Use of abbreviations and acronyms

Abbreviations and acronyms must be capitalized.


Examples:
• Good: “TCP connection timeout”
• Bad: “tcp connection timeout”
• Horrible: “Tcp connectin timeout”
Acronyms also must be capitalized to visually distinguish them from normal words:
Examples:
• Good: RADIUS (as in remote authentication for dial-in user services)

23.2. Configuration mode command definitions 173


VyOS Documentation, Release 1.2.0-beta

• Bad: radius (unless it’s about the distance between a center of a circle and any of its points)
Some abbreviations are traditionally written in mixed case. Generally, if it contains words “over” or “version”, the
letter should be lowercase. If there’s an accepted spelling (especially if defined by an RFC or another standard), it
must be followed.
Examples:
• Good: PPPoE, IPsec
• Bad: PPPOE, IPSEC
• Bad: pppoe, ipsec

Use of verbs

Verbs should be avoided. If a verb can be omitted, omit it.


Examples:
• Good: “TCP connection timeout”
• Bad: “Set TCP connection timeout”
If a verb is essential, keep it. For example, in the help text of “set system ipv6 disable-forwarding”, “Disable IPv6
forwarding on all interfaces” is a perfectly justified wording.

Prefer infinitives

Verbs, when they are necessary, should be in their infinitive form.


Examples:
• Good: “Disable IPv6 forwarding”
• Bad: “Disables IPv6 forwarding”

174 Chapter 23. VyOS CLI


VyOS Documentation, Release 1.2.0-beta

23.3 Mapping from the old node.def style to the new XML definitions

Old concept/syntax New syntax Notes


mynode/node.def <node name=”mynode”> Leaf nodes (nodes with values) use <leafNode> tag in-
</node> stead
mynode/node.tag , tag: <tagNode
name=”mynode>
</node>
help: My node <properties> <help>My
node</help>
val_help: <format>; some <properties> <value- Do not add angle brackets around the format, they will
string Help> <format> format be inserted automatically
</format> <description>
some string </descrip-
tion>
syntax:expression: pattern <properties> <constraint> <constraintErrorMessage> will be displayed on failure
<regex> . . .
syntax:expression: None Use regex
$VAR(@) in “foo”,
“bar”, “baz”
syntax:expression: exec <properties> <constraint> “${vyos_libexecdir}/validators/foo bar $VAR(@)” will
... <validator> <name be executed, <constraintErrorMessage> will be dis-
=”foo” argument=”bar”> played on failure
syntax:expression: (arith- None External arithmetic validator may be added if there’s de-
metic expression) mand, complex validation is better left to commit-time
scripts
priority: 999 <properties> <prior- Please leave a comment explaining why the priority was
ity>999</priority> chosen (e.g. “after interfaces are configured”)
multi: <properties> <multi/> Only applicable to leaf nodes
allowed: echo foo bar <properties> <comple-
tionHelp> <list> foo bar
</list>
allowed: cli-shell-api <properties> <comple-
listNodes vpn ipsec tionHelp> <path> vpn
esp-group ipsec esp-group </path>
...
allowed: /path/to/script <properties> <com-
pletionHelp> <script>
/path/to/script </script>
...
default: None Move default values to scripts
commit:expression: None All commit time checks should be in the verify() func-
tion of the script
begin:/create:/delete: None All logic should be in the scripts

23.3. Mapping from the old node.def style to the new XML definitions 175
VyOS Documentation, Release 1.2.0-beta

176 Chapter 23. VyOS CLI


CHAPTER 24

Python coding guidelines

The switch to the Python programming language for new code is not merely a change of the language, but a chance to
rethink and improve the programming approach.
Let’s face it: VyOS is full of spaghetti code where logic for reading the VyOS config, generating daemon configs,
and restarting processes is all mixed up. Python (or any other language, for that matter) does not provide automatic
protection from bad design, so we need to also devise design guidelines and follow them to keep the system extensible
and maintainable.

24.1 Configuration script structure and behaviour

import sys

from vyos.config import Config


from vyos.util import ConfigError

def get_config():
vc = Config()
# Convert the VyOS config to an abstract internal representation
config = ...
return config

def verify(config):
# Verify that configuration is valid
if invalid:
raise ConfigError("Descriptive message")
return True

def generate(config):
# Generate daemon configs
pass

(continues on next page)

177
VyOS Documentation, Release 1.2.0-beta

(continued from previous page)


def apply(config):
# Apply the generated configs to the live system
pass

try:
config = get_config()
verify(config)
except ConfigError as e:
print(e)
sys.exit(1)

The get_config() function must convert the VyOS config to an abstract internal representation. No other function is
allowed to call vyos.config.Config object methods directly. The rationale for it is that when config reads are mixed
with other logic, it’s very hard to change the config syntax since you need to weed out every occurence of the old
syntax. If syntax-specific code is confined to a single function, the rest of the code can be left untouched as long as the
internal representation remains compatible.
Another advantage is testability of the code. Mocking the entire config subsystem is hard, while constructing an
internal representation by hand is way simpler.
The verify() function takes an internal representation of the config and checks if it’s valid, otherwise it must raise
VyOSError with an error message that describes the problem and possibly suggests how to fix it. It must not make
any changes to the system. The rationale for it is again testability and, in the future when the config backend is ready
and every script is rewritten in this fashion, ability to execute commit dry run (“commit test” like in JunOS) and abort
commit before making any changes to the system if an error is found in any component.
The generate() function generates config files for system components.
The apply() function applies the generated configuration to the live system. It should use non-disruptive reload
whenever possible. It may execute disruptive operations such as daemon process restart if a particular component
does not support non-disruptive reload, or when the expected service degradation is minimal (for example, in case of
auxillary services such as LLDPd). In case of high impact services such as VPN daemon and routing protocols, when
non-disruptive reload is supported for some but not all types of configuration changes, scripts authors should make
effort to determine if a configuration change can be done in a non-disruptive way and only resort to disruptive restart
if it cannot be avoided.
Unless absolutely necessary, configuration scripts should not modify the active configuration of system components
directly. Whenever at all possible, scripts should generate a configuration file or files that can be applied with a single
command such as reloading a service through systemd/SysV init. Inserting statements one by one is particularly
discouraged, for example, when configuring netfilter rules, saving them to a file and loading it with iptables-restore
should always be preferred to executing iptables directly.
The apply() and generate() functions may raise ConfigError if, for example, the daemon failed to start with the
updated config. It shouldn’t be a substitute for proper config checking in the verify() function. All reasonable effort
should be made to verify that generated configuration is valid and will be accepted by the daemon, including, when
necessary, cross-checks with other VyOS configuration subtrees.
Exceptions, including VyOSError (which is raised by vyos.config.Config on improper config operations, such as trying
to use list_nodes() on a non-tag node) should not be silenced or caught and re-raised as config error. Sure this will
not look pretty on user’s screen, but it will make way better bug reports, and help users (and most VyOS users are IT
professionals) do their own debugging as well.

178 Chapter 24. Python coding guidelines


VyOS Documentation, Release 1.2.0-beta

24.2 Coding guidelines

24.2.1 Language

Python 3 shall be used. How long can we keep Python 2 alive anyway?
No considerations for Python 2 compatibility should be taken.

24.2.2 Formatting

Tabs shall not be used. Every indentation level should be 4 spaces.

24.2.3 Text generation

Template processor should be used for generating config files. Built-in string formatting may be used for simple
line-oriented formats where every line is self-contained, such as iptables rules. Template processor must be used for
structured, multi-line formats such as those used by ISC DHCPd.
The default template processor for VyOS code is jinja2.

24.3 Code policy

When modifying the source code, remember these rules of the legacy elimination campaign:
• No new features in Perl
• No old style command definitions
• No code incompatible with Python3

24.2. Coding guidelines 179

You might also like