User Details
- User Since
- Jun 8 2022, 6:54 PM (146 w, 4 d)
Jan 20 2024
I made a suggestion in the description. What do you think?
Oct 29 2023
Instead of "deny all", if no allow-clients are configured then localhost is always allowed. Can be handy when using containers and otherwise if needed to sync to localhost for whatever reason (if the use of RTC isn't enough).
Oct 28 2023
What kind of cleanup are you talking about?
This task is about adding localhost by default as an allowed source to speak to chronyd (the current NTP daemon in VyOS).
I found the issue. I was missing a firewall input rule to allow anything from lo.
With my config chronyd still listens locally on 323:
udp   0  0 192.168.2.253:123  0.0.0.0:*  20420/chronyd
udp   0  0 127.0.0.1:323      0.0.0.0:*  20420/chronyd
udp6  0  0 ::1:323            :::*       20420/chronyd
Oct 27 2023
It is not, but I do not want to make my NTP internet-facing anyways.
Can you show the output of sudo ls -la /run/chrony?
My VyOS NTP config:
set allow-client address '192.168.0.0/16'
set listen-address '192.168.2.253'
set server time.aws.com pool
set server time.google.com pool
Aug 28 2023
My bad, I don't know how I missed them!
Validated the change on version 1.4-rolling-202308250021.
Aug 13 2023
Feb 7 2023
@c-po is this an S3 bucket policy issue, or do the files not exist?
Nov 27 2022
Oct 23 2022
Any update on this, since it's been more than 2 years since the initial request? This would indeed be very useful for hairpin NAT. Is it complicated to implement?
I think this should be re-opened. The solution that is documented does not follow the spirit of hairpin NAT, which is that traffic on port N not actually destined to the inside target should not be redirected.
Oct 16 2022
I confirm this is still an issue in 1.4-rolling-202207250217 trying to download 1.4-rolling-202210150526:
Jul 28 2022
The reason I set an MTU is because I get the following error when unset:
WARNING: RFC7348 recommends VXLAN tunnels preserve a 1500 byte MTU
Jul 26 2022
Here is my WG config:
set interfaces wireguard wg2 address 'REDACTED_IPV6/64'
set interfaces wireguard wg2 peer mypeer address 'REDACTED_IPV4'
set interfaces wireguard wg2 peer mypeer allowed-ips '::/0'
set interfaces wireguard wg2 peer mypeer persistent-keepalive '60'
set interfaces wireguard wg2 peer mypeer port '51820'
set interfaces wireguard wg2 peer mypeer public-key 'REDACTED'
set interfaces wireguard wg2 private-key 'REDACTED'
set interfaces wireguard wg2 vrf 'test'
@n.fort source-address is useful, especially when more precision is needed. At the moment its use is cumbersome as it does not provide a help hint on the addresses assigned to the router, forcing an operator to first list those addresses.
As of 1.4-rolling-202207250217 this is still not resolved.
I can confirm that at least as of version 1.4-rolling-202207250217 the op commands have been merged:
vyos@vyos-lab:~$ reset bgp
Possible completions:
  <x.x.x.x>          BGP IPv4/IPv6 neighbor to clear
  <h:h:h:h:h:h:h:h>
  1-4294967295       Reset peers with the AS number
  all                Clear all peers
  external           Reset all external peers
  ipv4               IPv4 Address Family
  ipv6               IPv6 Address Family
  l2vpn              Layer 2 Virtual Private Network Address Family
  peer-group         Reset all members of peer-group
  prefix             Clear bestpath and re-advertise
  vrf                Virtual Routing and Forwarding (VRF)
Jul 15 2022
I tested 1.4-rolling-202207111030 and this seems to be resolved, including showing peers in the help.
Jun 29 2022
Jun 26 2022
@MrXermon Let's say someone is setting up BGP peering and wants to control import or export of prefixes using a prefix-list. With your suggestion, how would you deny certain prefixes and accept all others? Can JunOS solve this directly with a prefix-list without using a route-map?