VyOS Project July 2022 Update
Hello, Community!
It is time for a new update! The most important news this time includes FRR upgrade to the latest stable version 8.3, RADIUS QoS attribute support improvements, a default log option for a zone-based firewall, and more. Read on for details!
New features
RADIUS QoS attribute support improvements (T4507)
In BRAS setups, the standard way to tell the router what kind of bandwidth each user is entitled to is to send it in RADIUS attributes. Unfortunately, there's no standard for attribute names and meanings, and every vendor uses different attribute names and dimensions: for one vendor, it may be, for example, "My-Bandwidth: 100" where 100 means 100 kilobit/second, but for another, it's "My-Rate-Limit: 100" where 100 means 100 megabit/second. That makes switching BRAS solutions tricky since the billing system also needs to be reconfigured for the new vendor.
Luckily, BRAS functionality in VyOS is powered by Accel-PPP — a very flexible project that allows you to configure both attribute name and rate multiplier. However, that functionality was missing from our CLI. Now we added commands for it so that you can make it work with any billing setup.
New commands are supported in both PPPoE and IPoE servers. Here's an example for making it work with a billing setup made for Mikrotik:
set service ipoe-server authentication radius rate-limit attribute 'Mikrotik-Rate-Limit'
set service ipoe-server authentication radius rate-limit enable
set service ipoe-server authentication radius rate-limit multiplier '0.001'
set service ipoe-server authentication radius rate-limit vendor 'Mikrotik'
Thanks for asking questions about it on our forum — with help from the community it's much easier to spot missing functionality and make VyOS better!
Support for enable-default-log option in the zone-based firewall (T4512)
In earlier VyOS versions, you could enable packet logging in individual firewall rules and rulesets. Still, there was no way for zone-based firewall users to log packets that hit the default action of their zone policy. Now there's a command to do that: set zone-policy zone <name> enable-default-log.
Thanks to Simon for the patch!
Ability to configure squid ACL safe ports (T4480)
Originally, VyOS web proxy configuration would only allow clients to connect to ports from a hardcoded list (21,70,80,210,280,443,488,591,777,873,1025-65535). Some people, however, may need to allow non-standard ports if their users need to connect to a service running on port 8080, for example.
In Squid, the project that powers our web proxy, there is a configurable option known as a safe ports ACL, but it wasn't exposed in our CLI. Now, here are the commands for configuring those ACLs.
Configuration:
set service webproxy safe-ports '88'
set service webproxy safe-ports '99'
set service webproxy ssl-safe-ports '8443'
set service webproxy ssl-safe-ports '8080'
set service webproxy listen-address 5.5.5.5
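To show what these lists decide, here is an added example (not VyOS or Squid code) that models a Squid-style safe ports check: it parses the hardcoded default list quoted above, adds the ports from the configuration example, and applies the stock squid.conf rule that a CONNECT request must pass both the safe ports and the SSL safe ports lists. The SSL default of only port 443 is an assumption taken from Squid's shipped configuration.

```python
# Added example, not VyOS or Squid code: a model of the Safe_ports /
# SSL_ports decision a Squid proxy makes before forwarding a request.

# Default list as quoted in the text above.
DEFAULT_SAFE_PORTS = "21,70,80,210,280,443,488,591,777,873,1025-65535"
# Assumption: Squid's shipped configuration only lists 443 for SSL_ports.
DEFAULT_SSL_SAFE_PORTS = "443"


def parse_port_spec(spec):
    """Parse '21,70,1025-65535' into a list of inclusive (low, high) ranges."""
    ranges = []
    for item in spec.split(","):
        item = item.strip()
        if not item:
            continue
        low, _, high = item.partition("-")
        lo, hi = int(low), int(high or low)
        if not (1 <= lo <= hi <= 65535):
            raise ValueError("bad port range: %r" % item)
        ranges.append((lo, hi))
    return ranges


def port_allowed(port, ranges):
    """True when the port falls inside any range of the list."""
    return any(lo <= port <= hi for lo, hi in ranges)


def build_acl(extra_safe=(), extra_ssl_safe=()):
    """Return (safe_ports, ssl_safe_ports) with the defaults plus extra ports,
    mirroring 'set service webproxy safe-ports' / 'ssl-safe-ports'."""
    safe = parse_port_spec(DEFAULT_SAFE_PORTS) + [(p, p) for p in extra_safe]
    ssl = parse_port_spec(DEFAULT_SSL_SAFE_PORTS) + [(p, p) for p in extra_ssl_safe]
    return safe, ssl


def request_permitted(method, port, safe, ssl):
    """Stock squid.conf order: 'deny !Safe_ports' first, then
    'deny CONNECT !SSL_ports'; anything left is permitted."""
    if not port_allowed(port, safe):
        return False
    if method.upper() == "CONNECT":
        return port_allowed(port, ssl)
    return True


if __name__ == "__main__":
    safe, ssl = build_acl(extra_safe=(88, 99), extra_ssl_safe=(8443, 8080))
    print("GET :88  ->", request_permitted("GET", 88, safe, ssl))
    print("CONNECT :8443 ->", request_permitted("CONNECT", 8443, safe, ssl))
```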
NTP server can be set to listen on specific interfaces now (T4456)
Before this change, it was only possible to make the NTP server listen on a specific address using the set system ntp listen-address command. That was problematic for people who obtain their addresses from DHCP, since there's no fixed address to specify in that case. Worse yet, on systems with VRFs, NTPd trying to listen on all addresses would fail to bind to them and produce lots of useless log messages about those failures.
Now it’s possible to specify a network interface to listen on. You can set it using this command:
set system ntp interface <name>
Drop incomplete reset ipv6 bgp command (T4494)
Command reset ipv6 bgp was superseded by reset bgp ipv6. The new style is more in line with the original FRR CLI and adds options that were missing from the reset ipv6 bgp command family, such as support for resetting entire peer groups. That unification also makes it easier to add support for more FRR command options in that family.
Bugfixes
- Added support for IPv6 VTI (T2455).
- The event handler doesn’t incorrectly pass environment variables from wrong events to scripts anymore (T4508).
- Ability to set wildcard record for the authoritative domain (T4378).
- VyOS no longer allows creating VRFs with reserved names (T4527).
- Fixed an issue in DMVPN scripts that prevented a Cisco IOS spoke from connecting to a VyOS hub (T4546).
- Fixed migration when the icmpv6 type is an integer (T2199).
Software updates
FreeRangeRouting was upgraded to version 8.3, which fixes a few issues and includes multiple new features that we will later integrate in our CLI.
Upcoming 1.3.2 release and the future of snapshots
VyOS 1.3.2 stable release is finally at the door, and we will build its images soon. It includes multiple bug fixes and some feature backports — stay tuned for updates!
We have also removed the old 1.3.x monthly snapshots from the vyos.net website, and we are planning to make new ones before 1.4 release. Some people are concerned about that move, so let me explain our motivation.
First, regarding those snapshots we removed — they were preview images made before the official 1.3.0 release many months ago. They have a lot of unpatched bugs and some vulnerabilities, so it's a mistake to think they were up-to-date and that using them was a good idea.
Second, it's important to understand the role of snapshots. In a time when we didn't have a way to catch many types of bugs other than by manual testing, there was only one way to provide people with images for home/small office/lab use and upcoming release testing — test them by hand. However, our test harness has improved a lot since then, and a broken nightly build is a rare event now.
So, if you want to test all the latest features in your lab or on a non-critical router, you should use nightly builds. If you want access to the stable releases, there are multiple ways to obtain them: build them yourself, receive them in exchange for contributing to VyOS, or purchase a subscription for your business.