All Stories
Jul 28 2023
You skip this warning and delete version number line
// Warning: Do not remove the following line
// vyos-config-version: "bgp@4:broadcast-relay@1:cluster@1:config-management@1:conntrack@3:conntrack-sync@2:container@1:dhcp-relay@2:dhcp-server@6:dhcpv6-server@1:dns-dynamic@1:dns-forwarding@4:firewall@10:flow-accounting@1:https@4:ids@1:interfaces@29:ipoe-server@1:ipsec@12:isis@3:l2tp@4:lldp@1:mdns@1:monitoring@1:nat@5:nat66@1:ntp@2:openconnect@2:ospf@2:policy@5:pppoe-server@6:pptp@2:qos@2:quagga@11:rip@1:rpki@1:salt@1:snmp@3:ssh@2:sstp@4:system@26:vrf@3:vrrp@4:vyos-accel-ppp@2:wanloadbalance@3:webproxy@2"
// Release version: 1.4-rolling-202307090317
I've recently migrated from a PCEngines APU2C4 to a Wyse 5070 with an X520 card, as well as upgrading to VyOS 1.4-rolling-202305081003.
After which I was unable to reproduce this issue. Roaming now works fine without the ICMP check.
Jul 27 2023
It is a bug that it’s on by default, see other task. Will be fixed after new firewall refactor is merged.
From the VyOS documentation and https://community.openvpn.net/openvpn/wiki/DataChannelOffload
Then how come conntrack modules are loaded (and there is content in the ruleset "sudo nft -s list ruleset") when I have no firewall rules configured?
CLI adjusted to:
Conntrack should be disabled by default https://vyos.dev/T5080
It is not a bug.
It is the implementation of TACACS authentication https://github.com/vyos/vyos-1x/pull/2038
https://github.com/vyos/vyos-1x/blob/fa07179ae7f1dc07e6ccc1b20d2b81384b6efe07/debian/vyos-1x.postinst#L47-L52
Jul 26 2023
Tested and verified as described in the pull request:
Oh, and the reason for why using chrony instead of ntpsec is?
Why this limit?
Example: I have 5 interfaces and want to let NTP-clients sync to my VyOS device on 3 of them (which is their default gateway on each network).
With this change this won't be possible unless I enable firewall rules or am I missing something here?
Why this limit?
Thanks for testing and submitting PR
Pull request created: https://github.com/vyos/vyos-1x/pull/2112
There is this line in the code https://github.com/vyos/vyos-1x/blob/688755a988e233e221bf920e391e35d5ddc9cb56/src/op_mode/show_ntp.sh#L21
@c-po just added the sudo on a live box to test the changes and I can confirm that fixes it. No auth prompt when doing a load config.
Now I did notice that every time I do a load config it runs that migration script which stops/starts the container which is not ideal.
Jul 25 2023
I can confirm that altering line 21 as suggested fixes this issue.
We probably want to load/unload the Kernel Module given what the user wants to do
Out of the blue it seems like "network namespaces" would solve a lot of current VRF compatibility issues within VyOS:
Workaround until "system name-server" becomes vrf aware seems to be to change context into vrf INTERNET and then do a ping with VRF syntax like so:
I would vote for:
Can you check changing
@jvoss Add the PR, please
Thanks.
Spot on Viacheslav! That absolutely resolved the issue, thanks! I was initially thinking it might have been the key_mangling option. Glad to see there is another option here.
Try to add no_tag_node_value_mangle there https://github.com/vyos/vyos-1x/blob/20b7155f4140f54cf7669256160b6fedd8c1ab7a/src/conf_mode/protocols_static.py#L50
Doing some more digging it turned out that VyOS doesn't support nested routing so the gateway must be reachable (at least IP-address wise) through a physical interface - I have updated the script in the original post to adjust for that (added variable GATEWAY).
@dongjunbo It requires more tests and reviews