VyOS Networks Blog

Building an open source network OS for the people, together.

VyOS Project October 2022 Update

Daniil Baturin
Posted 9 Oct, 2022

Hello, community!

 @e added new firewall options, improved NAT66, brought IPv4 network mapping back, and fixed a whole bunch of bugs, and rewrote multiple operational mode commands in the new format. Read on for details!

New features

Support for split-horizon DNS in OpenConnect (T4614)

It's now possible to force AnyConnect/OpenConnect VPN clients to use DNS servers provided by the OpenConnect server for certain domains using this command:

set vpn openconnect network-settings split-dns <domain>
Support for running Telegraf monitoring service in a specific VRF T4617

In many setups, monitoring and management services run in a dedicated VRF, but there was no way to specify VRF in the Telegraf monitoring agent settings. Now there is:

set service monitoring telegraf vrf MyVRF


Added DHCP-option MTU to get values from DHCP-server T4572

By default, all MTU configuration nodes contained a value of 1500. After any change of interface, MTU was back to the default value. But MTU can be set from other sources: dynamically by DHCP client or manually via custom scripts.

Now there is an option to receive the MTU from a DHCP server:

set interfaces ethernet eth0 dhcp-options mtu
NAS-IP-Address RADIUS attribute support for L2TP VPN (T4603)

It's now possible to specify the IP address to use in the NAS-IP-Address RADIUS attribute for L2TP.


set vpn l2tp remote-access authentication mode 'radius'
set vpn l2tp remote-access authentication radius nas-ip-address ''
set vpn l2tp remote-access authentication radius server key 'foo'
set vpn l2tp remote-access client-ip-pool subnet ''


Added ability to set static NAT (one-to-one) in one rule (T538)

VyOS once supported 1-to-1 network address translation for IPv4, but when we first migrated the NAT implementation from iptables to nftables, that functionality was missing in the Linux kernel and from nftables. Thus if someone wanted to map an internal network to an external network of the same size, they'd have to create a rule for every address. That would result in very large configs that are hard to maintain. Now network mapping is supported again — just set both destination address and translation address to network prefixes of the same size.

For example:

set nat static rule 20 destination address ''
set nat static rule 20 inbound-interface 'eth0'
set nat static rule 20 translation address ''

NAT66 (T4598)

Initial support for NAT66 was already covered in previous releases. However, we added more features to it in August per requests from users.

It's now possible to:

  • Exclude traffic from rules.
  • Negate match parameters with the ! sign.
  • Match source and destination prefixes.
  • Match protocols and TCP/UDP ports.


set nat66 destination rule 10 inbound-interface 'eth1'
set nat66 destination rule 10 destination address '2001:db8::1'
set nat66 destination rule 10 source address 'fc00::01'
set nat66 destination rule 10 source port !22
set nat66 destination rule 10 protocol tcp set nat66 destination rule 10 exclude


The more firewall options there are, the easier it is to write a ruleset to match your needs. In August we added quite a few more.

Matching the TCP MSS size  (T4622)

It's now possible to match the proposed TCP MSS size in new TCP connections.


set firewall name FOO rule 10 action 'drop'
set firewall name FOO rule 10 protocol 'tcp'
set firewall name FOO rule 10 tcp flags syn
set firewall name FOO rule 10 tcp mss '1-500'
Matching packet size (T4651)

For example:

set firewall name FOO rule 20 action 'accept'
set firewall name FOO rule 20 packet-length '1500'

GraphQL API for operational mode

We will cover it in a post of its own, but now we'll say — a GraphQL API for operational mode is here and already used in the web GUI prototype that is in progress!

New-style op mode progress

If you missed the post about the new operational mode command implementation approach, make sure to read it! That's the part that makes a GraphQL API for the operational mode effortless and also makes new operational mode scripts much easier to write, since all command-line options and subcommands are automatically generated from function names and argument type annotations.

After T2719 was merged, many op-mode commands were rewritten in the new format.  Among them:

show container
show container network
show container image
show vpn ipsec sa
show openconnect-server sessions
show nat66 <source|destination> rules
show <nat|nat66> translation
show conntrack statistics

However, we also added new commands for monitoring logs for different subsystems:

show monitor log vpn <all|ipsec|l2tp|pptp|sstp>


  • The show vrf correctly handles unconfigured VRF names (T4562)
  •  show system cpu has been broken since July the 30th but now works again (T4581)
  • MACsec now works with cipher AES256-GCM (T4537)
  • Informative error message for trying to sreate two MACsec interfaces with the same source-interface. (T4592)
  • Attempts to use the same interface in pseudo-ethernet in MACsec are correctly detected and prevented (T4630).
  • Static ARP couldn’t be set if another entry was present. Now the new entry is just replacing the old instead of adding one (T4619). Thanks DaniilHarun for the patch!
  • UPnP did not work due to incorrect template option names (T4620)
  • Now UPnP rule IP is a prefix instead of an address (T4611).
  • IPv4 prefix-lists no longer erroneously allow settings rules to IPv6 prefixes (T4641).
  • DMVPN no longer erroneously deletes all tunnels instead of just one in some situations (T1070).
  • Attempts to set OpenConnect listen port to a port already used by another server are detected and preveted (T4597).
  •  restart dhcp relay-agent now correctly restarts the DHCP relay agent instead of the DHCP server (T4601).
  • Fixed BGP neighbor disable-connected-check (T4634). Thanks to Sander Klein for the patch!
  • The VLAN aware bridge was forwarding traffic between member ports, but traffic destined torwards the CPU was dropped. This resulted in a gateway not reachable or DHCP leases that could not be handed out (T4632).
  • Fixed a problem with VRRP transition scripts not working correctly at boot time due to an error that caused them to run before the VyOS config is fully loaded (T4526). Thanks to Sander Klein for the patch!
  • Check SSTP bind port before commit (T4644).
  • The show nat source statistics command works correctly again. (T4645).
  • set system proxy url command now allows hyphens in URLs (T4642).
  • Added a sysctl parameter to ignore the default router obtained from router advertisements when pppoe no-default-route is set (T4648).
  • Fixed wrong descriptions for the RPKI server (T4654).
  • Fixed default action ‘drop’ in  firewall rules (T4653).
  • Fixed the systemctl restart command that used a value from config instead converted to ttyUSBX and moved systemd units from /etc/ to /run/ (T4646).
The post categories: