@mdsmds looks good. I can work with this :) patch

@Ewaldvan, I've sent a screencast-link in email...

On which version was this experienced? Cannot reproduce on 1.1.6, 1.1.7 and 1.2. Could you provide the output of sudo iptables-save? Or sudo iptables -t filter -L -nv (includes packet counters and should show you why your traffic is not hitting your log-rule).

The latest version in the jessie repos is openvpn 2.3.4-5+deb8u1

OpenVPN 2.2.3 x86_64-linux-gnu [SSL] [LZO2] [EPOLL] [PKCS11] [eurephia] built on Apr 2 2015 on 1.2.0-beta1.

@jdrews please check out 1.2 beta
this will definitely not happen in 1.1.7
@UnicronNL @dmbaturin what ovpn version now on beta?

@afics OK+Clear+Thanks

@mdsmds Yes, that should work, but if you do that, you force all traffic to be tracked by conntrack, which might not be what you what. Whereas if you apply it only to in on your internal NIC, you don't have to track all traffic, assuming you have multiple (internal) interfaces and you don't NAT all of them.

@afics: or, instead of that rule 10, we can set globally:
set firewall state-policy invalid action drop

Very interesting reading. Yes, I agree with @rpiola, you should add a notice into nat wiki.

I guess we should add this to the user guide.

I enabled the firewall, and it seems that everything is ok... I no longer see untranslated packets on the outside interface...

Yes, that should do the trick.

so, the workaround should be adding
name dropinvalid {

default-action accept
rule 10 {
    action drop
    state {
        invalid enable
    }
}

}

The important part is to discard any packets with conntrack state invalid on the internal interface. What you are seeing occurs because netfilter forwards instead of NATs packages it does not know about. see https://bugzilla.netfilter.org/show_bug.cgi?id=693#c11.

Actually, that router is supposed not to do any filtering.
anyway, it is unclear to me where do you want me to configure the firewall rules: usually the "allow established and related" rule is configured in input on the outside interface of the firewall (in my case, eth0), while I have problems with packets EXITING eth0, and coming from eth1.
I should allow ANY packet coming from eth1 to exit from eth0, with their address translated (otherwise, how can a client pc, connected to eht1, start a NEW connection to the outside world?

Hey @afics, thanks for clarifying!
@rpiola can you retest with proposed configuration changes ?

This is normal behaviour. You need to add a firewall rule to only allow established and related connections and another to drop invalid packets.

I uploaded the two captures.

@rpiola thanks for input!
you can attach files from comment toolbar(cloud with arrow)

@EwaldvanGeffen
can you take a look this
Thanks

Current configuration from a router:

@syncer I've installed this on a VM, will have to give it a few days and report back (the errors didn't get logged straight away previously).

Updating project tags
@paszczus have you solved your issue?
@murmaider do you believe that some workaround for route-map can be found in this case?

Hello @steveglen
can you check our 1.2 beta from here
and tell if you still experiencing issue?
Thanks!

Hello,
changing this to wish list
@dmbaturin can you check out and take decision if this should be implemented or not
Thanks

I think we can choose how to implement it. We can apply it as a default entry in one of the vyos chains or let the user-decide. The advantage with the latter is that both implementations can co-exist for a while. With the former solution I would remove the old implementation to not confuse the user.

Hm, as ipt-netflow is actually a firewall target, it looks like it's configuration logic should be slightly different from pmacct's one.
Looks like there should be some service level config tree, specifying module load parameters, like

@afics thanks, i merged it to this one

Related/duplicate: T33.

I had to disable dkms there
https://github.com/mickvav/ipt-netflow-code
And if anyone is interested - I also have xtables-addons compilable against vyos kernel (it has several interesting firewall features - such as geoip and ipmark) - https://github.com/mickvav/xtables-addons

Well, I have ipt-netflow on self-rebuilt vyos kernel, no problems with performance. But I have no vyos-related scripts for interaction with this module.

These should be gone now.

And some more, on the machine with working config:

Ok, now works, but I've got some strange notices on "show vrrp" :

@dmbaturin @higebu
lets adopt this setting by default
crash consistent backups should be enough for VyOS image level backup use case

I've found examples of people setting accept_unencrypted_mainmode_messages, cisco_unity, ikesa_table_segments, ikesa_table_size, and init_limit_half_open.

The full list of options is available here https://wiki.strongswan.org/projects/strongswan/wiki/StrongswanConf

abferm, could you work out which other settings would be typically employed w/ a syntax proposal. This way we would implement all at once (saving time).

install_routes sets a default route in table 220. If this happens on both ends of the tunnel you end up with a circular route.
install_virtual_ip attempts to install an address on the local interface for the ip used in the tunnel

https://github.com/vyos/vyatta-cfg-system/commit/b66cc78521db17628efa3dd27766527816c170cc

Makes code simpler and easier to read. Makes kernel a bit smaller (leave out floppy module)
Makes booting a little bit faster.

Why should we remove support for obsolete features, which do not break anything?

@higebu: Thank you we will give it a try.
I think that should be the default setting as long as the problem is not fixed.

Related VMware KB: Snapshot quiescing fails on Linux guests after upgrading to ESXi and VMware Tools 5.1 and 5.5 (2038606)

@adestis @dmbaturin We had an issue like this, and the workaround is here:

In T67#1060, @dmbaturin wrote:

@brona Do you know exact reproducing procedure?
We noticed this problem with Veeam Backup and Replication tool that uses quiescence, but we could never reproduce it simply by making a snapshot of a test VM.

Maybe just bad luck, but 4x create snapshot 4x frozen router (Always on ESXi 5.5)

I think it leads to incompatibilities with other device's default behavior - cisco, for example, exports/imports everything, if another behavior not stated explicitly, AFAIR.

In T67#1060, @dmbaturin wrote:

@brona Do you know exact reproducing procedure?
We noticed this problem with Veeam Backup and Replication tool that uses quiescence, but we could never reproduce it simply by making a snapshot of a test VM.

Also, I can't edit this task sadly, but no way the difficulty is less than an hour... It's pretty involved, open-vm-tools source repo doesn't make it particulary easy to debianize...

@brona Do you know exact reproducing procedure?
We noticed this problem with Veeam Backup and Replication tool that uses quiescence, but we could never reproduce it simply by making a snapshot of a test VM.

@dmbaturin @higebu can we just upgrade tools or it has some dependencies in the kernel?

Ok, basicly the /tmp/keepalived.data format changed. There's no more OPMode.pm#250 in the output and it was replaced by 'Router ID: <n>' which could be used to do find_sync a bit cleaner. It could be in certain cases the multicast source IP is printed out but I'd have to check Keepalived sources to be sure. I could write it that it probes for a value and upon failure won't print out the Source IP or just remove that part all together. Any preferences: TL;DR: implement safer fail-back legacy behavior or YOLO it?

Steel need someone with known working quagga MPLS confgiuration to test. @afics ?

Adding paste
https://phabricator.vyos.net/P7

I sadly only have the one VRRP pair and the other side of this router is an Ubiquiti EdgeRouter Lite running Edge OS (Which doesnt have this problem) :)

In T46#987, @mickvav wrote:

@dmbaturin @syncer should we keep configuration syntax in sync with brocade?

There are no obligations to follow brocade, however for compatibility probably have some sense.

Created pull request - https://github.com/vyos/vyatta-cfg-quagga/pull/9 to track changes, related to this ticket.

@dmbaturin @syncer should we keep configuration syntax in sync with brocade?

B rocade vyatta.

What is vRouter 5600?

Well, looks like pre-alpha is here:

I propose adding support for named extended-community-lists, see T64.

@mickvav On vRouter 5600, it would be like I posted. I vote for adding directly under policy.

@afics I think keyword route is unnecessary in your suggested syntax - we have all options right under "set policy" tree. @syncer , @dmbaturin what will you say?

Well, it's somewhat more complicated than expected, but possible. I'll try do it today, but not 100% sure that I'll have enough time...

@syncer Sure.
@mickvav [1] Docs. What else do you need?

@afics can you collaborate with @mickvav on this issue
Thanks guys!

I think, I can. Need two things - url to docs to check semantics and readyness to test.

Hello, @tsumaru720, can you reproduce it on other system?
Can you post configs?
Thanks

@EwaldvanGeffen please check this out.
Thanks!

Hey @mickvav, can you pick up this?

About systemd there is another point - if you look into systemd default setup (/lib/systemd/system/serial-getty@.service), you can find that it's default setup is rather clever - it takes advantage from agetty's ability to automatically select console baud rate. But current vyos configuration scheme insists on some fixed baud rate. So, we also have options:

1. (simple) Remove speed option or ignore it. + allows usage of upstream systemd configuration
2. Alter systemd configuration to use fixed speed from config.
3. Modify speed to accept list of possible speeds, e.g.

speed "9600[,38400...]"

For the jessie branch, we are likely staying with systemd, so systemd-related code will have to be added anyway.
Whether to remove the inittab-related code or not, not sure. I don't think we should implement both right away, but if we leave some room for extending it to support other init systems, it should be fine I think.

Where is the updated vyatta-quagga packages ?