Let's not close it now, as we do not fully understand the cause

https://github.com/vyos/vyos-1x/pull/2846

That doesn't seem to insert missing leaf nodes, so I rebuilt the installation by copy/paste of commands from existing VM, and it migrated the routes as expected upon upgrade to 1.4-rc2.

Expecting minimal working config:

set qos policy shaper-hfsc SHAPE bandwidth '400mbit'
set qos policy shaper-hfsc SHAPE class 10 linkshare m2 '200mbit'
set qos policy shaper-hfsc SHAPE class 10 match DST ip destination address '192.0.2.1/32'
set qos policy shaper-hfsc SHAPE default linkshare m2 '111mbit'

See https://vyos.dev/T5958

It causes the issue with no qos config after update (from 1.3.5)
Before migration

set traffic-policy shaper-hfsc SHAPE-10mbit bandwidth '400mbit'
set traffic-policy shaper-hfsc SHAPE-10mbit class 10 linkshare m2 '200mbit'
set traffic-policy shaper-hfsc SHAPE-10mbit class 10 match MARK mark '10'
set traffic-policy shaper-hfsc SHAPE-10mbit default linkshare m2 '200mbit'

Incorrect firewall setting block the communication

We agree not to implement this, at least in the proposed format.
Close it as wontfix.

Waiting for the stable release Release v2.20

In T5947#172846, @kevinrausch wrote:

Well, it didn't start on 1.3.2, so I don't know how the empty leaf nodes could have disappeared over time.

Is there a way to force a full rewrite of the config.boot before attempting upgrades?

I can not reproduce it with the above commands. Even not getting any IP address on the DHCP interface lets ddclient start

Well, it didn't start on 1.3.2, so I don't know how the empty leaf nodes could have disappeared over time.

Your original config looks corrupted.
For example
Loopback entry:

loopback lo

Expected entry:

loopback lo {
}

Sounds good. I'll do some updates and testing to see if I can move the chains to a dedicated inet table for upnp. The IPv6 use case is probably just to use UPnP/NAT-PMP/PCP to open firewall ports but for completion reasons I'll implement it.

So, the problem seems to be with empty leaf nodes missing from my baseline config.

Sounds like a great solution to me, happy to review your PR.

PR: https://github.com/vyos/vyos-1x/pull/2843

Sample config files here: https://github.com/networkupstools/nut/tree/master/conf

I think there are actually two aspects here.

In rVYOSONEXee494c3a1dbfca3457bcaffe89d45971348e4848#958480, @workingagain wrote:

In rVYOSONEXee494c3a1dbfca3457bcaffe89d45971348e4848#958479, @sdev wrote:

Are you able to provide the dhcp config that fails migration? I wasn't able to re-create any migration problem in my tests

set service dhcp-server hostfile-update
set service dhcp-server shared-network-name LAN option name-server '192.168.1.1'
set service dhcp-server shared-network-name LAN subnet 192.168.1.0/24 lease '86400'
set service dhcp-server shared-network-name LAN subnet 192.168.1.0/24 option default-router '192.168.1.1'
set service dhcp-server shared-network-name LAN subnet 192.168.1.0/24 option domain-name 'localdomain'
set service dhcp-server shared-network-name LAN subnet 192.168.1.0/24 option name-server '192.168.1.1'
set service dhcp-server shared-network-name LAN subnet 192.168.1.0/24 range 0 start '192.168.1.9'
set service dhcp-server shared-network-name LAN subnet 192.168.1.0/24 range 0 stop '192.168.1.254'

same as whats in the old quickstart guide

Sure. I did some further testing and it looks like this is triggered if the client sends DHCP option 81 (FQDN). To reproduce:

Which user are you expecting? Hows to check from which user container was started?
Any idea for CLI?

@kevinrausch I cannot reproduce it, all works fine.
before update

vyos@r1# run show conf com | match route6
set protocols static interface-route6 2001:db8::/64 next-hop-interface lo
set protocols static table 10 interface-route6 2001:db8::/64 next-hop-interface tun0
set protocols static table 20 interface-route6 2001:db8::/64 next-hop-interface tun1
[edit]
vyos@r1# 
[edit]
vyos@r1# run show version

Performed these steps:

• clean, checkout 1.3.5, build, push to internal web host
• rollback VM to 1.3.2 working baseline
• save vyos132.cfg
• add system image https://removed/vyos-1.3.5-private-amd64.iso
• reboot
• compare 1, no changes to config as expected
• add system image https://cdn.vyos.io/1.4.0-rc1/vyos-1.4.0-rc1-amd64.iso
• reboot
• compare 1, confirm routes dropped per T5947 description
• load vyos132.cfg
• compare 1, observe routes have been migrated as expected, below

1.4.0-rc2 also has opennhrp service stop after vyos startup. Can you please add a 1.4 tag to this issue?

@Daya @trae32566 Is it not the issue anymore?

I'd tag it as wontfix

Domain name was never configured for FRR in our templates

r4# conf t
r4(config)# domainname 
  WORD  This system's domain name
r4(config)#

Seems fixed:
Before reboot:

set interfaces ethernet eth1 description 'LAN'
set interfaces ethernet eth1 hw-id '52:54:00:04:33:2b'
set interfaces ethernet eth1 vif 20 address 'dhcp'
set interfaces ethernet eth1 vif 20 disable

Fixed for both VyOS 1.5-rolling-202401140026 and VyOS 1.4.0-rc2

I'm against this implementation. We agree do not use boolean values yes|no enable|disable on|off
It will add more mess than usefulness. Configuring features in 2-3 places is a bad idea!
What will be if I add "ssh server" ? Which port will it see? Does it allow all addresses to ssh? What sense in this rule?
The same goes for VRRP; which addresses will it use? Multicast/unicast?
And there are also questions about priorities and what to do it it is accepted via this feature and dropped by a regular firewall.

@Nova_Logic Describe what exactly you want to do
Policy and firewalling are possible now

vyos@r4# set firewall ipv4 input filter rule 10 inbound-interface name eth1.v10
[edit]
vyos@r4# set policy route foo interface eth1.v10
[edit]
vyos@r4#

Personally I would prefer that the "automagic" firewall ruleset would be done optionally through method described in:

@Viacheslav tested and confirmed fixed in RC2.

@giga1699 it was merged on Dec 12, 2023 https://github.com/vyos/vyos-1x/commit/b149a386400c0f869654ac26b0fee2e7f1bbc282
after building 1.3.5 Built on: Mon 04 Dec 2023 21:36 UTC

Good practise add a set of the commands to reproduce
Thanks

I've done more investigation of this issue today, and I believe I understand the cause.

I've found some time to do some work on a fork of vyos-1x. I have a working patch to 1.5-rolling that does the following:

I am facing same issue here.
In my case, My laptop hostname is cn002472.xxx.com

I lost my legacy LTS access, so I'll have to build 1.3-latest to test that.

I'd be curious if updating to 1.3.5 first, then moving to 1.4 has any impact on this issue. I only say this because I have two separate routers I just upgraded from 1.3.5 that both have the following (after upgrade) which looks to have been correctly migrated:

route6 ::/0 {
    next-hop 2001:db8:3a01:a5::1 {
    }
}
route6 2001:db8:3a01:2::/64 {
    blackhole {
    }
}
route6 2001:db8:3a01:c5::/64 {
    interface bond1.1258 {
    }
}
route6 2001:db8:3a01:fd::/64 {
    interface bond1.1258 {
    }
}
route6 fc00::/7 {
    blackhole {
    }
}
route6 2001:db8:8011:239d::/64 {
    interface bond0.925 {
    }
}

Performed these steps:

• rollback VM to 1.3.2 working baseline
• save vyos132.cfg
• add system image https://cdn.vyos.io/1.4.0-rc1/vyos-1.4.0-rc1-amd64.iso
• reboot
• compare 1, confirm routes dropped per T5947 description
• load vyos132.cfg
• compare 1, observe routes have been migrated as expected, below

I just tested in 1.3.5, and I’m getting the same error.