so you mean that new WLB implementation(on which I assume we're discussing here) would not mark incoming packets/sessions to allow vyos to DNAT/send replies to correct WAN like pfsense for example does?
- Queries
- All Stories
- Search
- Advanced Search
- Transactions
- Transaction Logs
Feed All Stories
All Stories
All Stories
Oct 19 2022
Oct 19 2022
a.apostoliuk changed the status of T4704: Allow to set metric (MED) to rtt with rtt,+rtt or -rtt from In progress to Open.
@Nova_Logic I understand your frustration with the old WLB, it is not compatible with policy routes, DNAT, or fwmarks due to the way it's implemented. However WLB or this new implementation are not ingress capable tools. That is, these fill a niche in SMB setups where BGP peering is not possible (due to the use of commodity ISPs), or the cost and/or complexity of operating an IGP or even physically connecting into something like enterprise ethernet, is just completely out of the question. Despite the limitations these setups still need a way to switch over from faulted links quickly and reliably so you don't have an office full of people twiddling there thumbs while the internet is down.
Also it seems, that’s issue appears on 3 or more wans, as I remember it worked with 2 WAN interfaces
The problem is that failover route will not solve multiwan scenarios where you have 2 or more links for incoming traffic, I.e web. Most good infrastructures would have dedicated management uplink, and also multiple WANs for serving client traffic. That approach increases infrastructure security and provide much more cleaner way to define zone policies. But to do that all traffic, especially incoming one must be correctly marked. I’ve tried a lot of ways to configure wlb, but every time vyos had tried to reply from the wrong interface, that’s why I had crated a bug task here
Oct 18 2022
Oct 18 2022
c-po moved T4533: Radius clients don’t have simple permissions from Backport Candidates to Finished on the VyOS 1.4 Sagitta board.
c-po moved T4533: Radius clients don’t have simple permissions from Need Triage to Finished on the VyOS 1.3 Equuleus (1.3.3) board.
@tioan , Have you assigned your local-zone to the firewall rule ? Please use the latest version and share the error
syncer changed the status of T725: Cake and FQ-PIE, a subtask of T4284: QoS: rewrite to XML and Python, from Open to In progress.
n.fort changed the status of T2408: DHCP Relay upstream and downstream interfaces from Open to In progress.
Viacheslav changed the status of T4758: Rewrite show dhcp server to vyos.opmode format, a subtask of T4564: Root task for rewriting [op-mode] to vyos.opmode format, from Open to In progress.
Viacheslav changed the status of T4758: Rewrite show dhcp server to vyos.opmode format from Open to In progress.
Viacheslav closed T4684: Rewrite show ip route by protocol to vyos.opmode format, a subtask of T4564: Root task for rewriting [op-mode] to vyos.opmode format, as Resolved.
Unknown Object (User) added a comment to T4754: Improvement: system login: show configured 2FA OTP key.
njh awarded T3316: Use Kea DHCP(v6) instead of ISC DHCP(v6) a Like token.
PR for VyOS 1.3 https://github.com/vyos/vyatta-cfg-system/pull/187
zsdc reopened T1875: Add the ability to use network address as BGP neighbor (bgp listen range), a subtask of T2174: Rewrite protocol BGP to new XML/Python style, as Backport candidate.
zsdc reopened T1875: Add the ability to use network address as BGP neighbor (bgp listen range) as "Backport candidate".
Tested with next configuration:
vyos@r14:~$ sudo cat /etc/pam.d/common-auth auth required pam_env.so auth required pam_faillock.so preauth silent audit deny=3 unlock_time=300 auth sufficient pam_unix.so nullok try_first_pass auth [default=die] pam_faillock.so authfail audit deny=3 unlock_time=300 auth requisite pam_succeed_if.so uid >= 1000 quiet_success auth required pam_deny.so vyos@r14:~$
Viacheslav changed the status of T4714: Delete unused ipset from the filecaps from In progress to Needs testing.
Viacheslav changed the status of T4714: Delete unused ipset from the filecaps from Open to In progress.
Oct 17 2022
Oct 17 2022
Viacheslav updated the task description for T4712: Collaborative Protection Profile cPP for Network Devices root task.
Viacheslav changed the status of T4720: Ability to configure SSH HostKeyAlgorithms, a subtask of T4712: Collaborative Protection Profile cPP for Network Devices root task, from Open to In progress.
Viacheslav changed the status of T4720: Ability to configure SSH HostKeyAlgorithms from Open to In progress.
PR https://github.com/vyos/vyos-1x/pull/1601
set service ssh hostkey-algorithm '[email protected]' set service ssh hostkey-algorithm 'ssh-rsa'
Added more bgpd/ospfd events to the log. The VRF Id seem to be correct. But the events look curious. After session start the interface is first created in vrf default (vrf default, id:0) followed by bgpd/ospfd events, then accel-ppp process moves it to destination vrf (vrf client, id:5) which is follwed by the bgpd/ospfd errors.
Finally, with more or less than 5000 sessions bgpd accidentally becomes unresponsive and utilizes 200% cpu (8 cores are used on VM). Accel-pppd process having all network destinations unreachable also goes unresponsive a bit later.
After that we have to reboot.
l2tp-session-start-stop.log13 KBDownload
@CuBiC3D There is a comment of the commit https://github.com/vyos/vyos-1x/commit/373227e717fac82af5ea8d71e611a3df1c59054e
Unknown Object (User) updated the task description for T4734: Feature Request: openvpn: add OTP 2FA support.
Viacheslav added a project to T4752: ICMP redirects not working / not properly configured: VyOS 1.4 Sagitta.
Cheeze_It changed the status of T4739: ISIS and OSPF segment routing being refactored from Needs testing to Known issue.
I am finding out, it seems OSPF SR doesn't work properly :(
Unknown Object (User) updated the task description for T4754: Improvement: system login: show configured 2FA OTP key.
Unknown Object (User) claimed T4754: Improvement: system login: show configured 2FA OTP key.
Unknown Object (User) created T4754: Improvement: system login: show configured 2FA OTP key.
Unknown Object (User) changed the subtype of T4751: Feature Request: system login: 2FA OTP key generator in VyOS CLI from "Task" to "Enhancement".
Unknown Object (User) added a comment to T4751: Feature Request: system login: 2FA OTP key generator in VyOS CLI.
Oct 16 2022
Oct 16 2022
Here is ISIS segment routing working:
Basically,
all commercial hooks need to be implemented
syncer raised the priority of T3316: Use Kea DHCP(v6) instead of ISC DHCP(v6) from Wishlist to High.
jestabro renamed T4753: Extend automatic generation of schema to query SystemStatus from Extend automatic generation of shcema to query SystemStatus to Extend automatic generation of schema to query SystemStatus.
jestabro updated the task description for T4753: Extend automatic generation of schema to query SystemStatus.
jestabro triaged T4753: Extend automatic generation of schema to query SystemStatus as Normal priority.
I have been thinking about this over the weekend and looked into your failover implementation, there's nothing wrong with it and should serve most peoples needs. That said I am not too good with python so it was more straight forward to start from scratch.
aderouineau added a comment to T4123: checksum file fails to download from AWS S3 in rolling-release.
I confirm this is still an issue in 1.4-rolling-202207250217 trying to download 1.4-rolling-202210150526:
Oct 15 2022
Oct 15 2022
@SrividyaA
The documentation at https://docs.vyos.io/en/latest/configuration/firewall/zone.html currently contains the following regarding local-zone:
Why does the image has to be added manually and can not be pulled from the registry if not locally available?
Unknown Object (User) claimed T4751: Feature Request: system login: 2FA OTP key generator in VyOS CLI.
Unknown Object (User) created T4751: Feature Request: system login: 2FA OTP key generator in VyOS CLI.
Cheeze_It changed the status of T4739: ISIS and OSPF segment routing being refactored from In progress to Needs testing.
Oct 14 2022
Oct 14 2022
Viacheslav changed the status of T4533: Radius clients don’t have simple permissions from Open to Needs testing.
Viacheslav moved T4533: Radius clients don’t have simple permissions from Need Triage to Backport Candidates on the VyOS 1.4 Sagitta board.
jestabro changed Difficulty level from easy to normal on T4749: Use config_dict for conf_mode http-api.py.
@adaker
Could you describe the check/test procedure, how to test that all works as you expected?
Ah, yea that is true.
They are enabled by default.
I mean Linux man https://man7.org/linux/man-pages/man5/sshd_config.5.html
HostKeyAlgorithms
Specifies the host key signature algorithms that the server
offers. The default for this option is:What do you mean by "enable by default"?
The issue is that, right now, we are unable to add these kind of ssh keys because the cli won't let you define the type.
Also, it should be enabled by default (at least in ssh documentation)
Could you check it?