User Details
- User Since: Oct 31 2017, 10:47 AM
Feb 8 2022
Hi @Viacheslav, I guess that, at least for our use cases, PR 9aad6f would allow the expected behavior.
May 29 2019
Hi guys,
Mar 21 2019
Confirmed it's still happening in VyOS 1.2.0 LTS
May 25 2018
Hi, I also agree that option 2 makes more sense, IMHO. It will require more effort regarding migrations, but in the long term it seems better to me.
Mar 12 2018
I agree with @aopdal's comments. Regarding the approach on how to handle RAs, probably the most common use case would be a single VRRP group per interface. For that case, maybe an interface config stating that the interface should only send RAs if the VRRP group on that interface is in Master state could do the trick. As already said, other more complex scenarios (like the one with multiple VRRP groups per interface for load balancing) would probably require state transition scripts (or not relying on RAs).
Feb 16 2018
```
$ sudo iptables-save
# Generated by iptables-save v1.4.21 on Fri Feb 16 12:02:44 2018
*nat
:PREROUTING ACCEPT [455:68437]
:INPUT ACCEPT [453:68365]
:OUTPUT ACCEPT [28690:1721678]
:POSTROUTING ACCEPT [28690:1721678]
:VYATTA_PRE_DNAT_HOOK - [0:0]
:VYATTA_PRE_SNAT_HOOK - [0:0]
-A PREROUTING -j VYATTA_PRE_DNAT_HOOK
-A PREROUTING -s X.X.128.0/19 -d X.X.169.254/32 -i eth3 -p tcp -m tcp --dport 80 -m comment --comment DST-NAT-5 -j DNAT --to-destination X.X.128.183
-A POSTROUTING -j VYATTA_PRE_SNAT_HOOK
-A POSTROUTING -s X.X.128.0/19 ! -d X.X.128.0/19 -o eth1 -m comment --comment SRC-NAT-50 -j MASQUERADE
-A VYATTA_PRE_DNAT_HOOK -j RETURN
-A VYATTA_PRE_SNAT_HOOK -j RETURN
COMMIT
# Completed on Fri Feb 16 12:02:44 2018
# Generated by iptables-save v1.4.21 on Fri Feb 16 12:02:44 2018
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:LAN-INBOUND - [0:0]
:LOCAL - [0:0]
:LOCAL-SYNC - [0:0]
:LOCAL_NAS - [0:0]
:NAS - [0:0]
:VYATTA_FW_IN_HOOK - [0:0]
:VYATTA_FW_LOCAL_HOOK - [0:0]
:VYATTA_FW_OUT_HOOK - [0:0]
:VYATTA_POST_FW_FWD_HOOK - [0:0]
:VYATTA_POST_FW_IN_HOOK - [0:0]
:VYATTA_POST_FW_OUT_HOOK - [0:0]
:VYATTA_PRE_FW_FWD_HOOK - [0:0]
:VYATTA_PRE_FW_IN_HOOK - [0:0]
:VYATTA_PRE_FW_OUT_HOOK - [0:0]
:VYATTA_STATE_POLICY_FWD_HOOK - [0:0]
:VYATTA_STATE_POLICY_IN_HOOK - [0:0]
:VYATTA_STATE_POLICY_OUT_HOOK - [0:0]
:WAN-INBOUND - [0:0]
-A INPUT -j VYATTA_PRE_FW_IN_HOOK
-A INPUT -j VYATTA_FW_LOCAL_HOOK
-A INPUT -j VYATTA_POST_FW_IN_HOOK
-A FORWARD -j VYATTA_PRE_FW_FWD_HOOK
-A FORWARD -j VYATTA_FW_IN_HOOK
-A FORWARD -j VYATTA_FW_OUT_HOOK
-A FORWARD -j VYATTA_POST_FW_FWD_HOOK
-A OUTPUT -j VYATTA_PRE_FW_OUT_HOOK
-A OUTPUT -j VYATTA_POST_FW_OUT_HOOK
-A LAN-INBOUND -m comment --comment LAN-INBOUND-1 -m set ! --match-set PUBLIC src -j DROP
-A LAN-INBOUND -p tcp -m comment --comment LAN-INBOUND-1015 -m set --match-set PUBLIC src -m tcp --dport 67 -m set --match-set DHCP-SERVERS dst -j RETURN
-A LAN-INBOUND -p udp -m comment --comment LAN-INBOUND-1015 -m set --match-set PUBLIC src -m udp --dport 67 -m set --match-set DHCP-SERVERS dst -j RETURN
-A LAN-INBOUND -d X.X.136.198/32 -p tcp -m comment --comment LAN-INBOUND-1020 -m set --match-set NAGIOS_PROBES src -m tcp --dport 5667 -j RETURN
-A LAN-INBOUND -m comment --comment LAN-INBOUND-1030 -m set --match-set F5-NLB src -j RETURN
-A LAN-INBOUND -p tcp -m comment --comment LAN-INBOUND-1200 -m set --match-set PUBLIC src -m iprange --dst-range X.X.131.16-X.X.131.17 -m tcp --dport 88 -j RETURN
-A LAN-INBOUND -p udp -m comment --comment LAN-INBOUND-1200 -m set --match-set PUBLIC src -m iprange --dst-range X.X.131.16-X.X.131.17 -m udp --dport 88 -j RETURN
-A LAN-INBOUND -m comment --comment LAN-INBOUND-1201 -m set --match-set PUBLIC src -m iprange --dst-range X.X.131.253-X.X.131.254 -j RETURN
-A LAN-INBOUND -p tcp -m comment --comment LAN-INBOUND-1220 -m set --match-set DT_SMTP_BLOCKED src -m tcp --dport 25 -j DROP
-A LAN-INBOUND -p tcp -m comment --comment LAN-INBOUND-2000 -m tcp --dport 22 -m set --match-set G-22-TCP dst -j RETURN
-A LAN-INBOUND -p tcp -m comment --comment LAN-INBOUND-2001 -m tcp --dport 3389 -m set --match-set G-3389-TCP dst -j RETURN
-A LAN-INBOUND -p tcp -m comment --comment LAN-INBOUND-2002 -m tcp --dport 80 -m set --match-set G-80-TCP dst -j RETURN
-A LAN-INBOUND -p tcp -m comment --comment LAN-INBOUND-2003 -m tcp --dport 443 -m set --match-set G-443-TCP dst -j RETURN
-A LAN-INBOUND -p tcp -m comment --comment LAN-INBOUND-2004 -m tcp --dport 53 -m set --match-set G-53-TCP dst -j RETURN
-A LAN-INBOUND -p udp -m comment --comment LAN-INBOUND-2005 -m udp --dport 53 -m set --match-set G-53-UDP dst -j RETURN
-A LAN-INBOUND -p tcp -m comment --comment LAN-INBOUND-2006 -m tcp --dport 25 -m set --match-set G-25-TCP dst -j RETURN
-A LAN-INBOUND -p tcp -m comment --comment LAN-INBOUND-2007 -m tcp --dport 143 -m set --match-set G-143-TCP dst -j RETURN
-A LAN-INBOUND -p tcp -m comment --comment LAN-INBOUND-2008 -m tcp --dport 110 -m set --match-set G-110-TCP dst -j RETURN
-A LAN-INBOUND -p tcp -m comment --comment LAN-INBOUND-2009 -m tcp --dport 1433 -m set --match-set G-1433-TCP dst -j RETURN
-A LAN-INBOUND -p udp -m comment --comment LAN-INBOUND-2010 -m udp --dport 1433 -m set --match-set G-1433-UDP dst -j RETURN
-A LAN-INBOUND -p tcp -m comment --comment LAN-INBOUND-2011 -m tcp --dport 3306 -m set --match-set G-3306-TCP dst -j RETURN
-A LAN-INBOUND -p udp -m comment --comment LAN-INBOUND-2012 -m udp --dport 3306 -m set --match-set G-3306-UDP dst -j RETURN
-A LAN-INBOUND -p tcp -m comment --comment LAN-INBOUND-2013 -m tcp --dport 20 -m set --match-set G-20-TCP dst -j RETURN
-A LAN-INBOUND -p tcp -m comment --comment LAN-INBOUND-2014 -m tcp --dport 21 -m set --match-set G-21-TCP dst -j RETURN
-A LAN-INBOUND -p tcp -m comment --comment LAN-INBOUND-2015 -m tcp --dport 465 -m set --match-set G-465-TCP dst -j RETURN
-A LAN-INBOUND -p tcp -m comment --comment LAN-INBOUND-2016 -m tcp --dport 587 -m set --match-set G-587-TCP dst -j RETURN
-A LAN-INBOUND -p tcp -m comment --comment LAN-INBOUND-2017 -m tcp --dport 993 -m set --match-set G-993-TCP dst -j RETURN
-A LAN-INBOUND -p tcp -m comment --comment LAN-INBOUND-2018 -m tcp --dport 995 -m set --match-set G-995-TCP dst -j RETURN
-A LAN-INBOUND -p tcp -m comment --comment LAN-INBOUND-2019 -m tcp --dport 8080 -m set --match-set G-8080-TCP dst -j RETURN
-A LAN-INBOUND -p tcp -m comment --comment LAN-INBOUND-2020 -m tcp --dport 8443 -m set --match-set G-8443-TCP dst -j RETURN
-A LAN-INBOUND -p tcp -m comment --comment LAN-INBOUND-2021 -m tcp --dport 10000 -m set --match-set G-10000-TCP dst -j RETURN
-A LAN-INBOUND -p tcp -m comment --comment LAN-INBOUND-2022 -m tcp --dport 8447 -m set --match-set G-8447-TCP dst -j RETURN
-A LAN-INBOUND -m comment --comment LAN-INBOUND-2040 -m set --match-set G-ALL_OPEN dst -j RETURN
-A LAN-INBOUND -p icmp -m comment --comment LAN-INBOUND-2050 -m set --match-set G-ICMP dst -j RETURN
-A LAN-INBOUND -m comment --comment LAN-INBOUND-2060 -m set --match-set DT_BLOCKED src -j DROP
-A LAN-INBOUND -m comment --comment LAN-INBOUND-8000 -m set --match-set PUBLIC src -m set ! --match-set PUBLIC dst -j RETURN
-A LAN-INBOUND -m comment --comment "LAN-INBOUND-10000 default-action drop" -j DROP
-A LOCAL -d X.X.254.1/32 -p icmp -m comment --comment LOCAL-2 -m set --match-set PUBLIC src -j RETURN
-A LOCAL -d X.X.254.1/32 -p tcp -m comment --comment LOCAL-3 -m set --match-set PUBLIC src -m tcp --dport 53 -j RETURN
-A LOCAL -d X.X.254.1/32 -p udp -m comment --comment LOCAL-3 -m set --match-set PUBLIC src -m udp --dport 53 -j RETURN
-A LOCAL -s X.X.137.28/30 -d X.X.137.28/30 -m comment --comment LOCAL-4 -j RETURN
-A LOCAL -m comment --comment LOCAL-10 -m set --match-set LAN_ADDRESSES src -m set --match-set LAN_ADDRESSES dst -j RETURN
-A LOCAL -m comment --comment LOCAL-12 -m set --match-set F5-NLB src -j RETURN
-A LOCAL -m comment --comment "LOCAL-10000 default-action drop" -j DROP
-A LOCAL-SYNC -s X.X.137.28/30 -d X.X.137.28/30 -m comment --comment LOCAL-SYNC-10 -j RETURN
-A LOCAL-SYNC -m comment --comment "LOCAL-SYNC-10000 default-action drop" -j DROP
-A LOCAL_NAS -m comment --comment "LOCAL_NAS-10000 default-action drop" -j DROP
-A NAS -m comment --comment "NAS-10000 default-action drop" -j DROP
-A VYATTA_FW_IN_HOOK -i eth1 -j WAN-INBOUND
-A VYATTA_FW_IN_HOOK -i eth3 -j LAN-INBOUND
-A VYATTA_FW_LOCAL_HOOK -i eth2 -j LOCAL-SYNC
-A VYATTA_FW_LOCAL_HOOK -i eth3 -j LOCAL
-A VYATTA_POST_FW_FWD_HOOK -j ACCEPT
-A VYATTA_POST_FW_IN_HOOK -j ACCEPT
-A VYATTA_POST_FW_OUT_HOOK -j ACCEPT
-A VYATTA_PRE_FW_FWD_HOOK -j VYATTA_STATE_POLICY_FWD_HOOK
-A VYATTA_PRE_FW_FWD_HOOK -j RETURN
-A VYATTA_PRE_FW_IN_HOOK -j VYATTA_STATE_POLICY_IN_HOOK
-A VYATTA_PRE_FW_IN_HOOK -j RETURN
-A VYATTA_PRE_FW_OUT_HOOK -j VYATTA_STATE_POLICY_OUT_HOOK
-A VYATTA_PRE_FW_OUT_HOOK -j RETURN
-A VYATTA_STATE_POLICY_FWD_HOOK -m state --state INVALID -j DROP
-A VYATTA_STATE_POLICY_FWD_HOOK -m state --state ESTABLISHED -j VYATTA_POST_FW_FWD_HOOK
-A VYATTA_STATE_POLICY_FWD_HOOK -m state --state RELATED -j VYATTA_POST_FW_FWD_HOOK
-A VYATTA_STATE_POLICY_FWD_HOOK -j RETURN
-A VYATTA_STATE_POLICY_IN_HOOK -m state --state INVALID -j DROP
-A VYATTA_STATE_POLICY_IN_HOOK -m state --state ESTABLISHED -j VYATTA_POST_FW_IN_HOOK
-A VYATTA_STATE_POLICY_IN_HOOK -m state --state RELATED -j VYATTA_POST_FW_IN_HOOK
-A VYATTA_STATE_POLICY_IN_HOOK -j RETURN
-A VYATTA_STATE_POLICY_OUT_HOOK -m state --state INVALID -j DROP
-A VYATTA_STATE_POLICY_OUT_HOOK -m state --state ESTABLISHED -j VYATTA_POST_FW_OUT_HOOK
-A VYATTA_STATE_POLICY_OUT_HOOK -m state --state RELATED -j VYATTA_POST_FW_OUT_HOOK
-A VYATTA_STATE_POLICY_OUT_HOOK -j RETURN
-A WAN-INBOUND -m comment --comment WAN-INBOUND-1 -m set --match-set REDES_PUESTOS src -m set --match-set PUBLIC dst -j RETURN
-A WAN-INBOUND -m comment --comment WAN-INBOUND-5 -m set --match-set PROBES src -m set --match-set PUBLIC dst -j RETURN
-A WAN-INBOUND -s X.X.0.1/32 -d X.X.10.100/32 -p tcp -m comment --comment WAN-INBOUND-25 -m tcp --dport 443 -j RETURN
-A WAN-INBOUND -s X.X.136.198/32 -p icmp -m comment --comment WAN-INBOUND-100 -m set --match-set NAGIOS_PROBES dst -j RETURN
-A WAN-INBOUND -p tcp -m comment --comment WAN-INBOUND-2000 -m tcp --dport 22 -m set --match-set G-22-TCP dst -j RETURN
-A WAN-INBOUND -p tcp -m comment --comment WAN-INBOUND-2001 -m tcp --dport 3389 -m set --match-set G-3389-TCP dst -j RETURN
-A WAN-INBOUND -p tcp -m comment --comment WAN-INBOUND-2002 -m tcp --dport 80 -m set --match-set G-80-TCP dst -j RETURN
-A WAN-INBOUND -p tcp -m comment --comment WAN-INBOUND-2003 -m tcp --dport 443 -m set --match-set G-443-TCP dst -j RETURN
-A WAN-INBOUND -p tcp -m comment --comment WAN-INBOUND-2004 -m tcp --dport 53 -m set --match-set G-53-TCP dst -j RETURN
-A WAN-INBOUND -p udp -m comment --comment WAN-INBOUND-2005 -m udp --dport 53 -m set --match-set G-53-UDP dst -j RETURN
-A WAN-INBOUND -p tcp -m comment --comment WAN-INBOUND-2006 -m tcp --dport 25 -m set --match-set G-25-TCP dst -j RETURN
-A WAN-INBOUND -p tcp -m comment --comment WAN-INBOUND-2007 -m tcp --dport 143 -m set --match-set G-143-TCP dst -j RETURN
-A WAN-INBOUND -p tcp -m comment --comment WAN-INBOUND-2008 -m tcp --dport 110 -m set --match-set G-110-TCP dst -j RETURN
-A WAN-INBOUND -p tcp -m comment --comment WAN-INBOUND-2009 -m tcp --dport 1433 -m set --match-set G-1433-TCP dst -j RETURN
-A WAN-INBOUND -p udp -m comment --comment WAN-INBOUND-2010 -m udp --dport 1433 -m set --match-set G-1433-UDP dst -j RETURN
-A WAN-INBOUND -p tcp -m comment --comment WAN-INBOUND-2011 -m tcp --dport 3306 -m set --match-set G-3306-TCP dst -j RETURN
-A WAN-INBOUND -p udp -m comment --comment WAN-INBOUND-2012 -m udp --dport 3306 -m set --match-set G-3306-UDP dst -j RETURN
-A WAN-INBOUND -p tcp -m comment --comment WAN-INBOUND-2013 -m tcp --dport 20 -m set --match-set G-20-TCP dst -j RETURN
-A WAN-INBOUND -p tcp -m comment --comment WAN-INBOUND-2014 -m tcp --dport 21 -m set --match-set G-21-TCP dst -j RETURN
-A WAN-INBOUND -p tcp -m comment --comment WAN-INBOUND-2015 -m tcp --dport 465 -m set --match-set G-465-TCP dst -j RETURN
-A WAN-INBOUND -p tcp -m comment --comment WAN-INBOUND-2016 -m tcp --dport 587 -m set --match-set G-587-TCP dst -j RETURN
-A WAN-INBOUND -p tcp -m comment --comment WAN-INBOUND-2017 -m tcp --dport 993 -m set --match-set G-993-TCP dst -j RETURN
-A WAN-INBOUND -p tcp -m comment --comment WAN-INBOUND-2018 -m tcp --dport 995 -m set --match-set G-995-TCP dst -j RETURN
-A WAN-INBOUND -p tcp -m comment --comment WAN-INBOUND-2019 -m tcp --dport 8080 -m set --match-set G-8080-TCP dst -j RETURN
-A WAN-INBOUND -p tcp -m comment --comment WAN-INBOUND-2020 -m tcp --dport 8443 -m set --match-set G-8443-TCP dst -j RETURN
-A WAN-INBOUND -p tcp -m comment --comment WAN-INBOUND-2021 -m tcp --dport 10000 -m set --match-set G-10000-TCP dst -j RETURN
-A WAN-INBOUND -p tcp -m comment --comment WAN-INBOUND-2022 -m tcp --dport 8447 -m set --match-set G-8447-TCP dst -j RETURN
-A WAN-INBOUND -m comment --comment WAN-INBOUND-2040 -m set --match-set G-ALL_OPEN dst -j RETURN
-A WAN-INBOUND -p icmp -m comment --comment WAN-INBOUND-2050 -m set --match-set G-ICMP dst -j RETURN
-A WAN-INBOUND -m comment --comment "WAN-INBOUND-10000 default-action drop" -j DROP
COMMIT
# Completed on Fri Feb 16 12:02:44 2018
# Generated by iptables-save v1.4.21 on Fri Feb 16 12:02:44 2018
*raw
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:FW_CONNTRACK - [0:0]
:FW_STATE_POLICY_CONNTRACK - [0:0]
:NAT_CONNTRACK - [0:0]
:VYATTA_CT_HELPER - [0:0]
:VYATTA_CT_IGNORE - [0:0]
:VYATTA_CT_OUTPUT_HOOK - [0:0]
:VYATTA_CT_PREROUTING_HOOK - [0:0]
:VYATTA_CT_TIMEOUT - [0:0]
-A PREROUTING -j VYATTA_CT_IGNORE
-A PREROUTING -j VYATTA_CT_HELPER
-A PREROUTING -j VYATTA_CT_TIMEOUT
-A PREROUTING -j VYATTA_CT_PREROUTING_HOOK
-A PREROUTING -j NAT_CONNTRACK
-A PREROUTING -j FW_CONNTRACK
-A PREROUTING -j FW_STATE_POLICY_CONNTRACK
-A PREROUTING -j NOTRACK
-A OUTPUT -j VYATTA_CT_IGNORE
-A OUTPUT -j VYATTA_CT_HELPER
-A OUTPUT -j VYATTA_CT_TIMEOUT
-A OUTPUT -j VYATTA_CT_OUTPUT_HOOK
-A OUTPUT -j NAT_CONNTRACK
-A OUTPUT -j FW_CONNTRACK
-A OUTPUT -j FW_STATE_POLICY_CONNTRACK
-A OUTPUT -j NOTRACK
-A FW_CONNTRACK -j RETURN
-A FW_STATE_POLICY_CONNTRACK -j ACCEPT
-A NAT_CONNTRACK -j ACCEPT
-A VYATTA_CT_HELPER -p tcp -m tcp --dport 1536 -j CT --helper tns
-A VYATTA_CT_HELPER -p tcp -m tcp --dport 1525 -j CT --helper tns
-A VYATTA_CT_HELPER -p tcp -m tcp --dport 1521 -j CT --helper tns
-A VYATTA_CT_HELPER -p udp -m udp --dport 111 -j CT --helper rpc
-A VYATTA_CT_HELPER -p tcp -m tcp --dport 111 -j CT --helper rpc
-A VYATTA_CT_HELPER -j RETURN
-A VYATTA_CT_IGNORE -j RETURN
-A VYATTA_CT_OUTPUT_HOOK -j RETURN
-A VYATTA_CT_PREROUTING_HOOK -j RETURN
-A VYATTA_CT_TIMEOUT -j RETURN
COMMIT
# Completed on Fri Feb 16 12:02:44 2018
```
Feb 15 2018
Hi, on 999.201801111542 it can still be reproduced: