Forgot about the process "vyos-http-api-server". The process must be launched in the required vrf. Otherwise, we get an error:
All Stories
Dec 23 2021
If anyone actually wants support for source port parameter, feel free to reopen this, but the interface parameter is a no-go. In the meantime, rewriting vyatta-config-mgmt takes precedence.
That's a good idea. What remains in that repo was hardly touched in a decade.
Dec 22 2021
It doesn't matter whether you add mobike disable or enable
A possible reason it generates incorrect swanctl.conf for option mobike
@nikeshhajari thanks, I can reproduce it in 1.3:
set interfaces ethernet eth0 address '192.168.122.14/24'
set interfaces tunnel tun0 encapsulation 'gre'
set interfaces tunnel tun0 multicast 'enable'
set interfaces tunnel tun0 parameters ip key '1'
set interfaces tunnel tun0 source-address '192.168.122.14'
set protocols nhrp tunnel tun0 cisco-authentication 'orange'
set protocols nhrp tunnel tun0 holding-time '300'
set protocols nhrp tunnel tun0 multicast 'dynamic'
set protocols nhrp tunnel tun0 redirect
set protocols nhrp tunnel tun0 shortcut
set vpn ipsec esp-group ESP-HUB compression 'disable'
set vpn ipsec esp-group ESP-HUB lifetime '3600'
set vpn ipsec esp-group ESP-HUB mode 'tunnel'
set vpn ipsec esp-group ESP-HUB pfs 'dh-group21'
set vpn ipsec esp-group ESP-HUB proposal 1 encryption 'aes256'
set vpn ipsec esp-group ESP-HUB proposal 1 hash 'sha256'
set vpn ipsec esp-group ESP-HUB proposal 2 encryption 'aes256'
set vpn ipsec esp-group ESP-HUB proposal 2 hash 'sha256'
set vpn ipsec ike-group IKE-HUB ikev2-reauth 'no'
set vpn ipsec ike-group IKE-HUB key-exchange 'ikev2'
set vpn ipsec ike-group IKE-HUB lifetime '28800'
set vpn ipsec ike-group IKE-HUB proposal 1 dh-group '21'
set vpn ipsec ike-group IKE-HUB proposal 1 encryption 'aes256'
set vpn ipsec ike-group IKE-HUB proposal 1 hash 'sha256'
set vpn ipsec ike-group IKE-HUB proposal 2 dh-group '21'
set vpn ipsec ike-group IKE-HUB proposal 2 encryption 'aes256'
set vpn ipsec ike-group IKE-HUB proposal 2 hash 'sha256'
set vpn ipsec ipsec-interfaces interface 'eth0'
set vpn ipsec profile NHRPVPN authentication mode 'pre-shared-secret'
set vpn ipsec profile NHRPVPN authentication pre-shared-secret 'PRE_SHARED_KEY'
set vpn ipsec profile NHRPVPN bind tunnel 'tun0'
set vpn ipsec profile NHRPVPN esp-group 'ESP-HUB'
set vpn ipsec profile NHRPVPN ike-group 'IKE-HUB'
commit
Add mobike disable:
set vpn ipsec ike-group IKE-HUB mobike 'disable'
commit
[ vpn ]
Warning: unable to [reload changes to swanctl.conf], received error code 5632
I prefer to rewrite the whole https://github.com/vyos/vyatta-config-mgmt to XML/python
@Viacheslav the only way is by letting it run.
As advised in the Slack, I upgraded to a different version; just now it dropped again.
This time it's different, as the backup still says it is still the backup node, but all traffic to the VRRP address is offline.
A similar bug I see in 1.2 with such configuration:
set service snmp contact 'test'
set service snmp listen-address 192.168.122.12
set service snmp location 'test'
set service snmp v3 user foo auth encrypted-key '0x2e312e332e362e312e362e332e31302e312e322e34'
set service snmp v3 user foo auth type 'sha'
set service snmp v3 user foo privacy encrypted-key '0x'
set service snmp v3 user foo privacy type 'aes'
end of /etc/snmp/snmpd.conf
# group group usm test
Thank you, problem solved!
Working in latest release:
Duplicate PR:
https://github.com/vyos/vyos-1x/pull/1118
Request revoked
VyOS 1.3.0-epa3 with config below works good:
I personally think the interface part is high-effort, low-gain since you can simply use the address of the interface to the same effect, whereas simply providing an interface will force it to decide which address to use on dual-stack systems. It needs to pick between AF_INET and AF_INET6 when creating the socket before setsockopt()ing SO_BINDTODEVICE; although I think we can get away with doing what socket.create_connection() does. Even then, only the SFTP portion of the code directly uses socket — everything else relies on higher level libraries that only expose address and port options. (Also, using a single parameter for both addresses and interfaces is a bad idea, in my opinion, because it's probably more useful to resolve an FQDN string to an address rather than assume all strings are interfaces. But otherwise, we'd need to find a way to resolve conflict between address and interface parameters.) All in all, I don't think the interface parameter is a good idea at all but we'll see.
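The address-based approach described in the comment above, as an added example (not VyOS code and not from the commenter): the source address alone determines the socket family, so the AF_INET/AF_INET6 choice that an interface-only parameter would leave open never arises. The function name `connect_from` and its parameters are hypothetical.

```python
import ipaddress
import socket


def connect_from(host, port, source_address, timeout=5.0):
    """Open a TCP connection to host:port with the local end bound to
    source_address (hypothetical helper, not part of vyos-1x).

    The family is derived from source_address, so only getaddrinfo()
    results of that family are tried. Binding to a device with
    SO_BINDTODEVICE gives no such hint on a dual-stack interface.
    """
    src = ipaddress.ip_address(source_address)
    family = socket.AF_INET6 if src.version == 6 else socket.AF_INET

    last_err = None
    # getaddrinfo() raises socket.gaierror (an OSError) when the host has
    # no address in the requested family.
    for af, kind, proto, _name, sockaddr in socket.getaddrinfo(
            host, port, family, socket.SOCK_STREAM):
        sock = socket.socket(af, kind, proto)
        try:
            sock.settimeout(timeout)
            # Port 0 lets the kernel choose the source port; a fixed source
            # port would go here if that parameter were ever supported.
            sock.bind((source_address, 0))
            sock.connect(sockaddr)
            return sock
        except OSError as err:
            last_err = err
            sock.close()
    raise last_err or OSError(f'no {family.name} address for {host}')


if __name__ == '__main__':
    # Constructed loopback demo: a local listener stands in for the server.
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(('127.0.0.1', 0))
    srv.listen(1)
    client = connect_from('127.0.0.1', srv.getsockname()[1], '127.0.0.1')
    print('connected from', client.getsockname())
    client.close()
    srv.close()
```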
All parts completely backported to Equuleus.
I opened a new issue for this: T4090.
Dec 21 2021
@m.korobeinikov Could you re-check it and close if necessary?
@ernstjo Do you have any news regarding this issue or should we close it?
@SrividyaA Could you re-check it?
@daniil can you edit one file?
sudo nano -c +1308 /usr/lib/python3/dist-packages/vyos/ifconfig/interface.py
And replace string:
if not 'redirect' in self._config:
To string:
if not 'redirect' in self._config and not 'traffic_policy' in self._config:
save and reboot the router or just restart vyos-configd
sudo systemctl restart vyos-configd
I think this is the limitation with the Linux interface name, it should not be higher than 16 characters. In your config I see, as an example (bond0.995.130 = 13 chars and additional part .100 = 4) = 17
I know how we can fix it manually, but I'm not sure that it is a good idea.
Accel-PPP supports name changing for created interface by vlan_mon module
[pppoe]
vlan-name=e0.%P.%N
interface=re:^e0\.\d+\.\d+
you can try to change this manually (edit /run/accel-ppp/pppoe.conf) and restart pppoe-server
@boevering Do you know how to reproduce it?
@Boman I don't see such issue:
vyos@r11-roll# set interfaces bridge br0 enable-vlan
[edit]
vyos@r11-roll# set interfaces bridge br0 member interface eth2 allowed-vlan 1-4094
[edit]
vyos@r11-roll#
[edit]
vyos@r11-roll# time commit
Confirmed working in 1.3.0 LTS.
I agree, when offloading is enabled, it is necessary to increase MTU for traffic policing.
# show traffic-policy
 limiter 1G {
     default {
         bandwidth 1gbit
         burst 188kb
     }
 }
@daniil Can you share an example of traffic-policy 1G?
There is still another bug:
set nat destination rule 120 destination address '203.0.113.1'
set nat destination rule 120 inbound-interface 'eth0'
set nat destination rule 120 protocol 'tcp'
set nat destination rule 120 translation address '192.0.2.40'
PR https://github.com/vyos/vyos-1x/pull/1114
vyos@r11-roll:~$ show nat destination rules
Rule    Destination    Translation           Inbound Interface
----    -----------    -----------           -----------------
100     port 3389      192.0.2.40 port 80    eth0
vyos@r11-roll:~$
I'm going to do what I suggested.
@adestis thank you. This issue isn't critical. It's more to improve the design and for the convenience of our customers.
You can use /32 to add a host, but we have to have the opportunity to add hosts without masks.
For example, if you need to create a group consisting of 1000 (or more random hosts), it's more convenient to use configuration without masks.
Dec 20 2021
@c-po I will check it!
@UnicronNL can you recheck on today's rolling image? It behaved differently for me
I set the banners via set system login pre-login 'test' and/or set system login post-login 'test'
and then the banners are set. (and the default is overwritten)
Well deleting the login banner results in the "default" behavior as expected.