Re: [Vyatta-users] How to use gcc for VC3

2008-03-20 Thread Justin Fletcher
You'll need to edit /etc/apt/sources.list to point to a Debian repository, then
install using apt-get.

Best,
Justin

On Thu, Mar 20, 2008 at 2:19 AM, piyush sharma <[EMAIL PROTECTED]> wrote:
>
> Hi,
> I am using VC3. I need to compile a package on the Vyatta machine using
> gcc.
> I was not able to find it. Can you please help me out?
>
> Thanks,
> Piyush
>
>
___
Vyatta-users mailing list
Vyatta-users@mailman.vyatta.com
http://mailman.vyatta.com/mailman/listinfo/vyatta-users


Re: [Vyatta-users] Cluster heartbeat / change to ucast?

2008-03-04 Thread Justin Fletcher
Not yet, but it is one of the enhancements requested in bug 2730
(https://bugzilla.vyatta.com/show_bug.cgi?id=2730).  To keep it a
permanent setting,
you can modify the perl script that generates it; it's
/opt/vyatta/sbin/vyatta-update-cluster.pl
in VC4.

Best,
Justin

On Tue, Mar 4, 2008 at 11:01 AM, Chad Hurley <[EMAIL PROTECTED]> wrote:
> Thanks for the reply. Do you know if it is possible to specify this in
>  the Vyatta configuration so that you don't need to reconfigure it each
>  time? -CH
>
>
>
>  -Original Message-
>  From: [EMAIL PROTECTED]
>  [mailto:[EMAIL PROTECTED] On Behalf Of Justin
>  Fletcher
>  Sent: Tuesday, March 04, 2008 11:16 AM
>  To: [EMAIL PROTECTED]
>  Subject: Re: [Vyatta-users] Cluster heartbeat / change to ucast?
>
>  Yes, you can edit the configuration directly; however, you'll need to
>  modify
>  it again on reboot as it's created from the Vyatta configuration.
>
>  Best,
>  Justin
>
>  On Tue, Mar 4, 2008 at 4:43 AM, Chad Hurley <[EMAIL PROTECTED]> wrote:
>  >
>  >
>  >
>  >
>  > The heartbeat from my Vyatta cluster is creating errors on another
>  cluster
>  > on my network.  I would like to change the default bcast heartbeat to
>  ucast.
>  > Does anyone know if it is safe to edit the following file directly
>  > without any adverse effects?
>  >
>  >
>  >
>  > File:
>  >
>  > /etc/ha.d/ha.cf
>  >
>  >
>  >
>  > Current config:
>  >
>  > keepalive 1
>  > deadtime 4
>  > warntime 2
>  > initdead 120
>  > logfacility daemon
>  > bcast eth0 eth1
>  > auto_failback off
>  > node riv1 riv2
>  > ping 192.168.5.3 192.168.0.221
>  > respawn hacluster /usr/lib/heartbeat/ipfail
>  >
>  > I would like to replace the bcast line with:
>  >
>  > ucast eth0 192.168.5.5
>  > ucast eth1 192.168.0.252
>  >
>  >
>  >
>  > Anyone had luck with this type of config?
>  >
>  >
>  >
>  > Thanks,
>  >
>  > Chad
>  >
>  >
>  >
>  >
>  >
>  >
>

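Justin's answer points at the Perl generator for a permanent change; the conversion Chad asked for, done as a standalone step on the file itself, looks like this. This is an added example written for this thread, not Vyatta's vyatta-update-cluster.pl and not code anyone posted; it assumes the stock heartbeat keywords (bcast, ucast) as they appear in Chad's ha.cf and a peer address for every interface that carried a broadcast heartbeat.

```python
"""Rewrite heartbeat's ha.cf from broadcast to unicast heartbeats.

Added example for this thread; it is not Vyatta's vyatta-update-cluster.pl
and not code posted by anyone in the thread. It assumes the stock heartbeat
keywords (bcast, ucast) as they appear in Chad's ha.cf.
"""
import ipaddress

# Constructed sample: Chad's current ha.cf as posted in the thread.
SAMPLE_HA_CF = """\
keepalive 1
deadtime 4
warntime 2
initdead 120
logfacility daemon
bcast eth0 eth1
auto_failback off
node riv1 riv2
ping 192.168.5.3 192.168.0.221
respawn hacluster /usr/lib/heartbeat/ipfail
"""


def bcast_to_ucast(ha_cf, peers):
    """Replace every 'bcast <iface> ...' line with one 'ucast <iface> <peer>'
    line per interface.

    peers maps interface name -> the other node's address on that link.
    A missing peer or a non-unicast address raises ValueError, so the
    caller never gets a half-converted file.
    """
    out = []
    for line in ha_cf.splitlines():
        fields = line.split()
        if fields and fields[0] == "bcast":
            for iface in fields[1:]:
                if iface not in peers:
                    raise ValueError(f"no unicast peer given for {iface}")
                peer = ipaddress.ip_address(peers[iface])
                if peer.version != 4 or peer.is_multicast or peer.is_unspecified:
                    raise ValueError(f"{peer} is not a unicast IPv4 address")
                out.append(f"ucast {iface} {peer}")
        else:
            out.append(line)
    return "\n".join(out) + "\n"


def heartbeat_links(ha_cf):
    """Map each heartbeat interface to 'bcast' or to its unicast peer address,
    so the result can be checked before it is installed."""
    links = {}
    for line in ha_cf.splitlines():
        fields = line.split()
        if not fields:
            continue
        if fields[0] == "bcast":
            for iface in fields[1:]:
                links[iface] = "bcast"
        elif fields[0] == "ucast" and len(fields) == 3:
            links[fields[1]] = fields[2]
    return links


if __name__ == "__main__":
    converted = bcast_to_ucast(SAMPLE_HA_CF,
                               {"eth0": "192.168.5.5", "eth1": "192.168.0.252"})
    print(converted)
    print(heartbeat_links(converted))
```

The per-interface check matters because heartbeat expects one ucast line per link; an interface left without a peer would silently lose its heartbeat path, which is exactly the split-brain condition discussed elsewhere in this archive.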

Re: [Vyatta-users] Vyatta-Hackers inactive?

2008-03-04 Thread Justin Fletcher
It's still active - sometimes no one has a good answer (yet) :-)

The build system for VC4 is a bit complex, and some of the details are still
being worked out; it'll be posted when it's ready to go, which should be any
day now.  After all, you've got to be able to build a project to
contribute to it :-)

Best,
Justin

On Tue, Mar 4, 2008 at 10:47 AM, Venketesan <[EMAIL PROTECTED]> wrote:
> I am sorry if this is an inappropriate alias for the question.
>  I was trying to ask some questions on the build of community edition
>  of vyatta in the Vyatta hackers list as well as the forum. But i did
>  not receive any response. Besides i also did not see any activity in
>  there for the past week.
>  Is the list/forum inactive, or is there some place else I should
>  look?
>
>  Thanks,
>  Venkat
>


Re: [Vyatta-users] Cluster heartbeat / change to ucast?

2008-03-04 Thread Justin Fletcher
Yes, you can edit the configuration directly; however, you'll need to modify
it again on reboot as it's created from the Vyatta configuration.

Best,
Justin

On Tue, Mar 4, 2008 at 4:43 AM, Chad Hurley <[EMAIL PROTECTED]> wrote:
>
>
>
>
> The heartbeat from my Vyatta cluster is creating errors on another cluster
> on my network.  I would like to change the default bcast heartbeat to ucast.
> Does anyone know if it is safe to edit the following file directly without
> any adverse effects?
>
>
>
> File:
>
> /etc/ha.d/ha.cf
>
>
>
> Current config:
>
> keepalive 1
> deadtime 4
> warntime 2
> initdead 120
> logfacility daemon
> bcast eth0 eth1
> auto_failback off
> node riv1 riv2
> ping 192.168.5.3 192.168.0.221
> respawn hacluster /usr/lib/heartbeat/ipfail
>
> I would like to replace the bcast line with:
>
> ucast eth0 192.168.5.5
> ucast eth1 192.168.0.252
>
>
>
> Anyone had luck with this type of config?
>
>
>
> Thanks,
>
> Chad
>
>
>
>
>
>


Re: [Vyatta-users] Problem sending prefixes to my upstream provider

2008-03-02 Thread Justin Fletcher
Are all the IPs on the same subnet?

Justin

On Sun, Mar 2, 2008 at 7:12 PM, Poh Yong Hwang <[EMAIL PROTECTED]> wrote:
> Hi,
>
> When I connect a switch on my eth1 and connect a server to it and set an ip
> address, i cannot seem to ping to that ip address and neither can I ping to
> other sites on the server itself. Any idea?
>
> Thanks
>  Yongsan
>
>
>
> On Sat, Mar 1, 2008 at 5:15 AM, Poh Yong Hwang <[EMAIL PROTECTED]> wrote:
> > Hi,
> >
> > Thanks! It works now!
> >
> > Basically it is really now a simple setup where my eth0 is connected to my
> > upstream and my eth1 will eventually be connected to a layer3 switch which
> > is able to do IP VLAN and the rest of my servers will be connected to a
> > layer2 switch. So will my config work in this case?
> >
> > So the docs talking about Originating a route to eBGP Neighbours where it
> uses static instead of connected is not really correct? Sorry, trying to
> understand the difference between using a static route compared to using a
> connected method.
> >
> > Thanks!
> >
> > Yongsan
> >
> >
> >
> >
> >
> > On Sat, Mar 1, 2008 at 4:35 AM, Aubrey Wells <[EMAIL PROTECTED]>
> wrote:
> >
> > >
> > > Connected means defined directly on an interface on your router. because
> 117.120.0.0/21 is defined directly on a router interface (eth1) your static
> route will never work. A connected route takes preference over a static one.
> because of this, the route is not installed in the routing table so your
> attempt to advertise:
> > >
> > >
> > >
> > > policy {
> > >     policy-statement "BGP_EXPORT" {
> > >         term 1 {
> > >             from {
> > >                 protocol: "static"
> > >                 network4: 117.120.0.0/21
> > >             }
> > >             then {
> > >                 action: "accept"
> > >
> > > Will never work. What you should do is change it to look like this:
> > >
> > > policy {
> > >     policy-statement "BGP_EXPORT" {
> > >         term 1 {
> > >             from {
> > >                 protocol: "connected"
> > >                 network4: 117.120.0.0/21
> > >             }
> > >             then {
> > >                 action: "accept"
> > >
> > >
> > >
> > > And it should work.
> > >
> > >
> > > --
> > > Aubrey Wells
> > > Senior Engineer
> > > Shelton | Johns Technology Group
> > > A Vyatta Ready Partner
> > > www.sheltonjohns.com
> > >
> > >
> > >
> > >
> > >
> > >
> > >
> > >
> > >
> > >
> > >
> > > On Feb 29, 2008, at 3:31 PM, Poh Yong Hwang wrote:
> > >
> > > Hi,
> > >
> > > Thanks for your advice, but could you elaborate more on what you mean
> > > by "connected"? Care to give me an example?
> > >
> > > Thanks!
> > >
> > > Yongsan
> > >
> > >
> > > On Fri, Feb 29, 2008 at 9:42 PM, Aubrey Wells <[EMAIL PROTECTED]>
> wrote:
> > >
> > > >
> > > >
> > > > For bgp to advertise a prefix you must have a valid route in your
> local RIB. That static route isn't valid because you're pointing a locally
> connected route to another local route. Since the /21 is a directly
> connected route, get rid of the static route and change your from protocol
> to "connected" and that should work.
> > > >
> > > >
> > > > Aubrey Wells (iPhone)
> > > > Senior EngineerShelton | Johns
> > > >
> > > > www.sheltonjohns.com
> > > >
> > > >
> > > >
> > > >
> > > > On Feb 29, 2008, at 2:53 AM, "Poh Yong Hwang" <[EMAIL PROTECTED]>
> wrote:
> > > >
> > > >
> > > >
> > > >
> > > > Hi,
> > > >
> > > > I have a problem sending prefixes to my upstream provider based on the
> > > > docs on Originating a route to eBGP neighbours. My prefix is
> > > > 117.120.0.0/21, and here is my detailed configuration:
> > > >
> > > > protocols {
> > > >     bgp {
> > > >         bgp-id: 203.192.163.146
> > > >         local-as: 7595
> > > >         import: ""
> > > >         export: "BGP_EXPORT"
> > > >         peer "203.192.163.145" {
> > > >             import: ""
> > > >             export: ""
> > > >             multihop: 1
> > > >             peer-port: 179
> > > >             local-port: 179
> > > >             local-ip: 203.192.163.146
> > > >             as: 10026
> > > >             next-hop: 203.192.163.146
> > > >             holdtime: 90
> > > >             delay-open-time: 0
> > > >             client: false
> > > >             confederation-member: false
> > > >             disable: false
> > > >             ipv4-unicast: true
> > > >             ipv4-multicast: false
> > > >             ipv6-unicast: false
> > > >             ipv6-multicast: false
> > > >             md5-key: ""
> > > >         }
> > > >     }
> > > >     static {
> > > >         disable: false
> > > >         route 117.120.0.0/21 {
> > > >             next-hop: 203.192.163.146
> > > >             metric: 1
> > > >         }
> > > >     }
> > > > }
> > > > poli

Re: [Vyatta-users] Booting from Live-CD

2008-02-29 Thread Justin Fletcher
That's a nice idea.  You'll still have to have a default location from
which to start -
which is the challenge of diskless systems :-)

If

On Fri, Feb 29, 2008 at 4:07 PM, Christopher Johnson <[EMAIL PROTECTED]> wrote:
> Thanks for the pointer to /etc/init.d/vyatta-ofr and /etc/default/vyatta.
>
> What I would likely do is have a config file that has the equivalent of a
> "#include" which tries a sequence of locations.
>
> /mnt/usb/config/config.boot, /mnt/flash/config/config.boot,
> /mnt/floppy/config/config.boot,/opt/vyatta/etc/config/config.boot
>
> By adding a simple "Done" or just having the config files overwrite each
> other in reasonable ways, we end up with a live CDROM that can boot on any
> machine yet find a configuration file.
>
> I'm actually going to have to look into a diskless version of Vyatta at some
> point.
>
> Thanks again for the pointers.
>
> Best, -Chris
>
>
>
> On Fri, Feb 29, 2008 at 6:33 PM, Justin Fletcher <[EMAIL PROTECTED]> wrote:
> > That's actually a harder problem - you can do it by changing where the
> system
> > looks for configuration on boot, install to disk and then modify the
> > files to change
> > what's mounted and where the system looks for the configuration, or build
> from
> > scratch and create your own LiveCD with the changes in it.
> >
> > In VC4, look in /etc/init.d/vyatta-ofr, /etc/default/vyatta, and
> > /etc/default/vyatta-cfg.
> >
> > If you make the changes that let the system find the configuration on
> > a flash drive,
> > be sure to submit them back to the hackers list (or should that be
> > forum??) for inclusion
> > for others as well :-)
> >
> > Best,
> > Justin
> >
> >
> >
> >
> > On Tue, Feb 26, 2008 at 9:23 PM, Christopher Johnson <[EMAIL PROTECTED]>
> wrote:
> > > Is there any way, other than floppy disk, to have the OFR get a
> > > configuration file on boot from CDROM?  I'd love for it to be able to
> > > read from a USB thumb drive, load it from a TFTP site (use the standard
> > > boot methods to do so) or in any way to get a configuration file into
> > > the system without me being at the console.
> > >
> > > This is glendale VC4, Alpha 1, soon to be Alpha 2.
> > >
> > > Best,
> > > -Chris
> > > P.S. I did try load of an URL, and it died.
> > >
> > >
> > >
> > >
> >
>
>
>
>


Re: [Vyatta-users] Booting from Live-CD

2008-02-29 Thread Justin Fletcher
That's actually a harder problem - you can do it by changing where the system
looks for configuration on boot, install to disk and then modify the
files to change
what's mounted and where the system looks for the configuration, or build from
scratch and create your own LiveCD with the changes in it.

In VC4, look in /etc/init.d/vyatta-ofr, /etc/default/vyatta, and
/etc/default/vyatta-cfg.

If you make the changes that let the system find the configuration on
a flash drive,
be sure to submit them back to the hackers list (or should that be
forum??) for inclusion
for others as well :-)

Best,
Justin

On Tue, Feb 26, 2008 at 9:23 PM, Christopher Johnson <[EMAIL PROTECTED]> wrote:
> Is there any way, other than floppy disk, to have the OFR get a configuration
> file on boot from CDROM?  I'd love for it to be able to read from a USB
> thumb drive, load it from a TFTP site (use the standard boot methods to do
> so) or in any way to get a configuration file into the system without me
> being at the console.
>
> This is glendale VC4, Alpha 1, soon to be Alpha 2.
>
> Best,
> -Chris
> P.S. I did try load of an URL, and it died.
>
>
>
>


Re: [Vyatta-users] Problem sending prefixes to my upstream provider

2008-02-29 Thread Justin Fletcher
On Fri, Feb 29, 2008 at 1:15 PM, Poh Yong Hwang <[EMAIL PROTECTED]> wrote:
> So the docs talking about Originating a route to eBGP Neighbours where it
> uses static instead of connected is not really correct? Sorry, trying to
> understand the difference between using a static route compared to using a
> connected method.

Think of a connected route as one that exists because you've defined an
interface, and you're connected to that network.  An interface of
192.168.2.3/24 will have a connected route of 192.168.2.0/24.

A static route is one you define for a network that's remote to
the router.

Justin

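Aubrey's explanation in the earlier thread (a connected route for the /21 beats the static one, so the static route is never installed and the `protocol: "static"` export term matches nothing) and Justin's connected-versus-static distinction above can be checked with a small RIB model. This is an added example, not code from the thread, from XORP or from Vyatta. The interface prefix lengths are assumptions: the thread only says the 117.120.0.0/21 block sits on eth1 and that 203.192.163.146 is the router's own upstream address.

```python
"""Why a static route for a directly connected prefix never reaches the RIB,
and why an export policy on 'protocol: static' therefore exports nothing.

Added example; not the thread's code and not XORP/Vyatta code. The interface
prefix lengths below are assumptions.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    protocol: str  # "connected" or "static"
    via: str       # interface name (connected) or next-hop address (static)


def connected_routes(interfaces):
    """Every interface address implies one connected route for its network."""
    return [Route(ipaddress.ip_interface(addr).network, "connected", name)
            for name, addr in interfaces.items()]


def build_rib(interfaces, statics):
    """Install static routes on top of the connected ones.

    Rules, as stated in the thread: a connected route for the same prefix
    always wins; a next-hop that is one of the router's own addresses points
    nowhere; a next-hop must be reachable through a connected network.
    Returns (rib, {rejected_prefix: reason}).
    """
    rib = connected_routes(interfaces)
    own_addresses = {ipaddress.ip_interface(a).ip for a in interfaces.values()}
    rejected = {}
    for prefix, next_hop in statics.items():
        net = ipaddress.ip_network(prefix)
        nh = ipaddress.ip_address(next_hop)
        if any(r.prefix == net for r in rib):
            rejected[prefix] = "prefix is directly connected; the connected route wins"
        elif nh in own_addresses:
            rejected[prefix] = "next-hop is one of the router's own addresses"
        elif not any(nh in r.prefix for r in rib if r.protocol == "connected"):
            rejected[prefix] = "next-hop is not reachable via a connected network"
        else:
            rib.append(Route(net, "static", next_hop))
    return rib, rejected


def export_matches(rib, protocol, network4):
    """Emulate a policy term 'from { protocol: <p> network4: <n> } then accept'."""
    net = ipaddress.ip_network(network4)
    return [r for r in rib if r.protocol == protocol and r.prefix == net]


# Constructed from Yongsan's posted configuration; prefix lengths are assumed.
INTERFACES = {"eth0": "203.192.163.146/30",   # upstream link; local-ip in the bgp block
              "eth1": "117.120.0.1/21"}       # the /21 Aubrey says is defined on eth1
STATICS = {"117.120.0.0/21": "203.192.163.146"}  # the static route from the thread

if __name__ == "__main__":
    rib, rejected = build_rib(INTERFACES, STATICS)
    for prefix, why in rejected.items():
        print(f"static {prefix} not installed: {why}")
    print("protocol static matches:   ", export_matches(rib, "static", "117.120.0.0/21"))
    print("protocol connected matches:", export_matches(rib, "connected", "117.120.0.0/21"))
```

Run as-is, the static route is rejected and only the `connected` term finds the /21, which is the fix Aubrey gave; with a genuinely remote prefix and a next-hop on the upstream link (the second test case), the static route installs and a `static` term would match.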

Re: [Vyatta-users] Glendale Alpha 1 ERROR!!!

2008-02-28 Thread Justin Fletcher
However, make sure it's not already filed before you do - this was bug 2478 :-)

https://bugzilla.vyatta.com/show_bug.cgi?id=2478

Justin

On Thu, Feb 28, 2008 at 10:42 AM, Dave Roberts <[EMAIL PROTECTED]> wrote:
>
>
> File it for the bug bounty contest! ;-)
>
>
> You are absolutely correct.  Therefore the bug is:  telnet is not properly
> mapped.  *GRIN*
>
> Thanks for your help Stig.
>
> Best,
> -Chris
>
>
>


Re: [Vyatta-users] vrrp issues on VC3

2008-02-25 Thread Justin Fletcher
Some systems have issues with the virtual MAC addresses - try the
option to disable it.

Best,
Justin

On Mon, Feb 25, 2008 at 8:35 AM, Tobias Orlamuende
<[EMAIL PROTECTED]> wrote:
> Ken,
>
>  You might have seen the vrrp priority of 150 for eth2 on R2 which was
>  just a test and replaced with 20 since a few days, but the problem still
>  exists.
>
>  Anyone else? ;-)
>
>  Cheers
>  Tobias
>
>  Ken Rozinsky schrieb:
>
>
> > Hello,
>  >
>  > I'm in no way an expert but it looks to me like the priority on both
>  > your eth2 interfaces are set at 150.
>  > setting the second to 20 might fix it for you.
>  >
>  > Regards,
>  > Ken
>  >
>  >
>  >
>  > Tobias Orlamuende wrote:
>  >> Yes, all interfaces are GBit, but connected to a 100 MBit/s switch.
>  >> Interfaces are Intel 82571EB and 82573E/82573L
>  >> /var/log/messages prints only errors like these ones:
>  >>
>  >> Feb 25 13:34:24 localhost kernel: ll header:
>  >> ff:ff:ff:ff:ff:ff:00:00:5e:00:01:04:08:06
>  >> Feb 25 13:35:25 localhost kernel: printk: 7 messages suppressed.
>  >> Feb 25 13:35:25 localhost kernel: martian source 78.138.64.54 from
>  >> 78.138.64.71, on dev eth0
>  >> Feb 25 13:35:25 localhost kernel: ll header:
>  >> ff:ff:ff:ff:ff:ff:00:00:5e:00:01:04:08:06
>  >> Feb 25 13:35:25 localhost kernel: martian source 78.138.64.54 from
>  >> 78.138.64.71, on dev eth2
>  >> Feb 25 13:35:25 localhost kernel: ll header:
>  >> ff:ff:ff:ff:ff:ff:00:00:5e:00:01:04:08:06
>  >> Feb 25 13:35:25 localhost kernel: martian source 78.138.64.74 from
>  >> 78.138.64.71, on dev eth0
>  >> Feb 25 13:35:25 localhost kernel: ll header:
>  >> ff:ff:ff:ff:ff:ff:00:00:5e:00:01:04:08:06
>  >> Feb 25 13:35:25 localhost kernel: martian source 78.138.64.74 from
>  >> 78.138.64.71, on dev eth2
>  >> Feb 25 13:35:25 localhost kernel: ll header:
>  >> ff:ff:ff:ff:ff:ff:00:00:5e:00:01:04:08:06
>  >>
>  >> Cheers
>  >>
>  >> Tobias
>  >>
>  >> Dave Strydom schrieb:
>  >>
>  >>> are all the interfaces 1000Mbit interfaces?
>  >>> and
>  >>> if you login to the routers as root, what do you have in 
> /var/log/messages ?
>  >>>
>  >>> - Dave
>  >>>
>  >>> On Mon, Feb 25, 2008 at 12:54 PM, Tobias Orlamuende
>  >>> <[EMAIL PROTECTED]> wrote:
>  >>>
>   Hi all,
>  
>    I set up 2 routers with VC3 and want them to do vrrp. Setup of vrrp was
>    done exactly as described in the documentation.
>    Unfortunately vrrp doesn't seem to work properly. On both routers vrrp
>    seems to act as a master. When connecting to one of the physical
>    addresses of one of the routers, I get packet loss of about 50%. The
>    other router is fine as well as their virtual IP.
>  
>    My setup looks as follows:
>  
>    Upstream via a small transfer-net 83.220.149.16/29 (eth0)
>    The following networks are received through this transfer-net:
>    194.8.86.0/24 (eth2)
>    78.138.64.0/25 (eth1)
>    Default-route points to our upstream-provider's router (83.220.149.17)
>  
>    Router1:
>  
>    [EMAIL PROTECTED] show interfaces
>    loopback lo {
>    }
>    ethernet eth0 {
>        description: "upstream"
>        hw-id: 00:15:17:39:b6:8a
>        address 83.220.149.19 {
>            prefix-length: 29
>            broadcast: 83.220.149.23
>        }
>        vrrp {
>            vrrp-group: 3
>            virtual-address: 83.220.149.18
>            authentication: "123456"
>            priority: 150
>        }
>    }
>    ethernet eth1 {
>        description: "old-PA"
>        hw-id: 00:15:17:39:b6:8b
>        address 78.138.64.71 {
>            prefix-length: 25
>            broadcast: 78.138.64.127
>        }
>        vrrp {
>            vrrp-group: 4
>            virtual-address: 78.138.64.1
>            priority: 150
>        }
>    }
>    ethernet eth2 {
>        description: "old-local"
>        hw-id: 00:30:48:91:96:06
>        address 194.8.86.1 {
>            prefix-length: 24
>            broadcast: 194.8.86.255
>        }
>        vrrp {
>            vrrp-group: 2
>            virtual-address: 194.8.86.254
>            priority: 150
>        }
>    }
>    ethernet eth3 {
>        hw-id: 00:30:48:91:96:07
>    }
>  
>    [edit]
>  
>    [EMAIL PROTECTED]> show vrrp
>    Physical interface: eth0, Address: 83.220.149.19
>  Interface state: up, Group: 3, State: master
>  Priority: 150, Advertisement interval: 1s, Authentication type: 
> simple
>  Preempt: yes, VIP count: 1, VIP: 83.220.149.18
>  Advertisement timer: 3310s, Master router: 83.220.149.19
>  Virtual MAC: 00:00:5E:00:01:03
>  
>

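The `martian source` lines Tobias posted carry more than noise: each one names the destination, the source, the interface the frame arrived on, and (on the following `ll header` line) the Ethernet header, whose source MAC here is the VRRP virtual MAC for group 4. The script below, an added example that is not code from the thread or from Vyatta, pairs the two lines, maps the source address to the interface whose configured prefix it belongs to, and decodes the header. The interface-to-prefix map is taken from Router1's posted configuration; the log excerpt is constructed from the lines in the thread.

```python
"""Report where 'martian source' frames came from and where they arrived.

Added example for this thread; not code from Vyatta or from anyone posting
here. Interface prefixes come from Router1's 'show interfaces' output.
"""
import ipaddress
import re
from collections import Counter

# Constructed from the /var/log/messages excerpt Tobias posted.
SAMPLE_LOG = """\
Feb 25 13:35:25 localhost kernel: printk: 7 messages suppressed.
Feb 25 13:35:25 localhost kernel: martian source 78.138.64.54 from 78.138.64.71, on dev eth0
Feb 25 13:35:25 localhost kernel: ll header: ff:ff:ff:ff:ff:ff:00:00:5e:00:01:04:08:06
Feb 25 13:35:25 localhost kernel: martian source 78.138.64.54 from 78.138.64.71, on dev eth2
Feb 25 13:35:25 localhost kernel: ll header: ff:ff:ff:ff:ff:ff:00:00:5e:00:01:04:08:06
Feb 25 13:35:25 localhost kernel: martian source 78.138.64.74 from 78.138.64.71, on dev eth0
Feb 25 13:35:25 localhost kernel: ll header: ff:ff:ff:ff:ff:ff:00:00:5e:00:01:04:08:06
Feb 25 13:35:25 localhost kernel: martian source 78.138.64.74 from 78.138.64.71, on dev eth2
Feb 25 13:35:25 localhost kernel: ll header: ff:ff:ff:ff:ff:ff:00:00:5e:00:01:04:08:06
"""

# Router1's interfaces from the posted configuration.
INTERFACES = {"eth0": "83.220.149.16/29", "eth1": "78.138.64.0/25", "eth2": "194.8.86.0/24"}

# The kernel prints the destination address first and the source second.
MARTIAN_RE = re.compile(r"martian source (\S+) from (\S+), on dev (\S+)")
LL_HEADER_RE = re.compile(r"ll header: ((?:[0-9a-f]{2}:){13}[0-9a-f]{2})")
VRRP_MAC_PREFIX = bytes.fromhex("00005e0001")  # RFC 3768 virtual MAC 00-00-5E-00-01-{VRID}


def expected_interface(ip, interfaces):
    """Interface whose configured prefix contains ip, or None."""
    addr = ipaddress.ip_address(ip)
    for name, prefix in interfaces.items():
        if addr in ipaddress.ip_network(prefix):
            return name
    return None


def decode_ll_header(hex_bytes):
    """Split a 14-byte Ethernet header into source MAC and ethertype;
    recognise a VRRP virtual MAC and extract its VRID."""
    raw = bytes.fromhex(hex_bytes.replace(":", ""))
    src = raw[6:12]
    info = {"src_mac": src.hex(":"), "ethertype": int.from_bytes(raw[12:14], "big")}
    if src[:5] == VRRP_MAC_PREFIX:
        info["vrrp_vrid"] = src[5]
    return info


def analyse_martians(log, interfaces):
    """Pair each martian line with the ll header line that follows it."""
    findings = []
    pending = None
    for line in log.splitlines():
        m = MARTIAN_RE.search(line)
        if m:
            dst, src, dev = m.groups()
            pending = {"dst": dst, "src": src, "dev": dev,
                       "expected_dev": expected_interface(src, interfaces)}
            findings.append(pending)
            continue
        h = LL_HEADER_RE.search(line)
        if h and pending is not None:
            pending.update(decode_ll_header(h.group(1)))
            pending = None
    return findings


def misplaced_sources(findings):
    """Count (source, arriving interface) pairs whose source belongs to a
    different interface's subnet."""
    return Counter((f["src"], f["dev"]) for f in findings
                   if f["expected_dev"] is not None and f["expected_dev"] != f["dev"])


if __name__ == "__main__":
    found = analyse_martians(SAMPLE_LOG, INTERFACES)
    for f in found:
        print(f"{f['src']} arrived on {f['dev']} (belongs on {f['expected_dev']}), "
              f"src MAC {f.get('src_mac')}, VRID {f.get('vrrp_vrid')}, "
              f"ethertype {f.get('ethertype', 0):#06x}")
    print(misplaced_sources(found))
```

For the posted excerpt every frame is ARP (ethertype 0x0806) from 78.138.64.71, eth1's own address, carrying the group 4 virtual MAC, yet arriving on eth0 and eth2. That is a frame from the eth1 segment showing up on the other two segments, which is worth checking on the switch before blaming the routers' VRRP configuration.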
Re: [Vyatta-users] Clustering Causes Reboots

2008-02-24 Thread Justin Fletcher
No, that's not intentional ;-)  I haven't seen that before either - is
there any information
in the log files, or from show cluster status?

Do you end up in a split-brain situation where the two systems can't
exchange heartbeats?

The reboot-on-panic option takes effect on kernel panic, so it
shouldn't affect you here.

Justin

On Sun, Feb 24, 2008 at 2:55 PM, Ben Speckien <[EMAIL PROTECTED]> wrote:
> Hello, I've been playing with clustering on VC3 (10/29/07) and I can't
>  get it to work well.
>
>  It seems that when one router moves from secondary to primary one or
>  both routers have to reboot.  Is this supposed to happen?  Furthermore,
>  if I disconnect the secondary router the primary router or both routers
>  reboot when I reconnect the secondary router.
>
>  I have set system options reboot-on-panic to false.
>
>  It doesn't seem like the auto-failback option does anything and
>  sometimes the primary router reboots every time I try to set it to true.
>
>  Does the hardware make a difference?
>
>  Thanks,
>
>  Ben
>


Re: [Vyatta-users] MIssing the sysServices.0 OID from the MIB

2008-02-22 Thread Justin Fletcher
On reflection, I'd argue for 14:

2 = datalink/subnetwork (e.g. bridges)
3 = internet (e.g., supports IP)
4 = end-to-end (e.g., supports TCP)

It's not really a repeater, but bridging is supported, you can connect
via telnet and SSH, and while you CAN use it as a mail server or such,
it's not really provided with the system; it's capability you have to
add outside
the normal router functionality.

Justin

On Fri, Feb 22, 2008 at 5:39 PM, Christopher Johnson <[EMAIL PROTECTED]> wrote:
> I'm not sure that is the correct sysServices value.  I've always used
> snmpconf to calculate the sysServices value.
>
> I believe a better value is 76
> 1 = physical (e.g. repeater)
> 2 = datalink/subnetwork (e.g. bridges)
>  3 = internet (e.g., supports IP)
> 4 = end-to-end (e.g., supports TCP)
> 7 = applications (e.g., supports SMTP)
>
> This is from /usr/share/snmp/mibs/SNMPv2-MIB.txt
>
> best,
> -Chris
>
>
>
>  On Fri, Feb 22, 2008 at 6:47 PM, Justin Fletcher <[EMAIL PROTECTED]>
> wrote:
> > Yes, it's not in the SNMP configuration file, but it's easy to fix.
> >
> > As root, add to /etc/snmp/snmpd.conf:
> >
> > sysServices 4
> >
> > which shows that up to and including the internet layer is supported.
> >
> > Then run
> >
> > /opt/vyatta/sbin/snmpd.init restart
> >
> > These are the commands for Glendale, but it'll either be the same or
> > very similar for previous releases.
> >
> > I'll file a bug on it for you as well.
> >
> > Justin
> >
> >
> >
> >
> > On Fri, Feb 22, 2008 at 3:11 PM, Philip McDonald
> > <[EMAIL PROTECTED]> wrote:
> > > My OSS app is trying to discover a Vyatta NE and is being tripped-up by
> the
> > > lack of a sysServices OID (.1.3.6.1.2.1.1.7.0) in the mib.
> > > Why does vyatta lack this OID while all other commercial NEs have this
> > > included in their system mib?
> > >
> > > As a work-around I've tried using snmpset to set the sysService OID but
> it
> > > tells me that the OID doesn't exist and it won't add the OID by default.
> > >
> > > Should I try snmpconfig?  If so, how would I solve this problem.
> > >
> > > Thanks,
> > > P
> > >
> > >
> > >
> > >
> >
>
>
>
>

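The three values that appear in this thread (4 from Justin's first reply, 76 from Chris, 14 on reflection) all come from the same rule in SNMPv2-MIB: sysServices is the sum of 2^(L-1) over every supported layer L. The following added example, which is not code from the thread or from Vyatta, encodes and decodes that value and rewrites the `sysServices` line in an snmpd.conf; the sample configuration text is constructed.

```python
"""Encode/decode the SNMPv2-MIB sysServices value and set it in snmpd.conf.

Added example; not code from the thread or from Vyatta. The formula and
layer numbers are those of SNMPv2-MIB (RFC 3418): sysServices is the sum
of 2^(L-1) over each supported layer L, giving a 7-bit value.
"""
import re

LAYER_NAMES = {
    1: "physical (e.g. repeater)",
    2: "datalink/subnetwork (e.g. bridges)",
    3: "internet (e.g. supports IP)",
    4: "end-to-end (e.g. supports TCP)",
    5: "session",
    6: "presentation",
    7: "applications (e.g. supports SMTP)",
}


def encode_sys_services(layers):
    """Bit L-1 set for every layer L in `layers`."""
    value = 0
    for layer in layers:
        if layer not in LAYER_NAMES:
            raise ValueError(f"layer {layer} is not in 1..7")
        value |= 1 << (layer - 1)
    return value


def decode_sys_services(value):
    """Sorted list of layers encoded in a sysServices value."""
    if not 0 <= value <= 127:
        raise ValueError("sysServices is a 7-bit value (0..127)")
    return [layer for layer in range(1, 8) if value & (1 << (layer - 1))]


def describe(value):
    """Human-readable list, e.g. for 14: layers 2, 3 and 4."""
    return [f"{layer} = {LAYER_NAMES[layer]}" for layer in decode_sys_services(value)]


# A sysServices directive on a line of its own; whitespace-only prefix allowed.
SYS_SERVICES_RE = re.compile(r"^[ \t]*sysServices[ \t]+\d+[ \t]*$", re.MULTILINE)


def set_sys_services(conf_text, value):
    """Return conf_text with any existing sysServices line replaced by the
    new value, or with one appended when none was present."""
    decode_sys_services(value)  # validates the range
    line = f"sysServices {value}"
    if SYS_SERVICES_RE.search(conf_text):
        return SYS_SERVICES_RE.sub(line, conf_text)
    if conf_text and not conf_text.endswith("\n"):
        conf_text += "\n"
    return conf_text + line + "\n"


if __name__ == "__main__":
    for v in (4, 14, 76):
        print(v, describe(v))
    # Constructed sample snmpd.conf fragment.
    print(set_sys_services("syslocation lab\nsysServices 4\n", 14), end="")
```

Decoding 76 gives layers 3, 4 and 7, decoding 14 gives 2, 3 and 4, so the disagreement in the thread is only about whether bridging (layer 2) or application services (layer 7) count as provided by the system, not about the arithmetic.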

Re: [Vyatta-users] MIssing the sysServices.0 OID from the MIB

2008-02-22 Thread Justin Fletcher
Yes, it's not in the SNMP configuration file, but it's easy to fix.

As root, add to /etc/snmp/snmpd.conf:

sysServices 4

which shows that up to and including the internet layer is supported.

Then run

/opt/vyatta/sbin/snmpd.init restart

These are the commands for Glendale, but it'll either be the same or
very similar for previous releases.

I'll file a bug on it for you as well.

Justin

On Fri, Feb 22, 2008 at 3:11 PM, Philip McDonald
<[EMAIL PROTECTED]> wrote:
> My OSS app is trying to discover a Vyatta NE and is being tripped-up by the
> lack of a sysServices OID (.1.3.6.1.2.1.1.7.0) in the mib.
> Why does vyatta lack this OID while all other commercial NEs have this
> included in their system mib?
>
> As a work-around I've tried using snmpset to set the sysService OID but it
> tells me that the OID doesn't exist and it won't add the OID by default.
>
> Should I try snmpconfig?  If so, how would I solve this problem.
>
> Thanks,
> P
>
>
>
>


Re: [Vyatta-users] Adding Firewall rules remotely

2008-02-22 Thread Justin Fletcher
You certainly could (unlike other router vendors :-) ); the trade-off
is where you'd like to put the application and data, and ensure you
keep a copy if you re-install the ISO!  If you're managing
multiple systems, you'd probably want to go with an external application.

Of course, if you've installed a local application/script, you can run
it on a scheduled basis using cron, and you have direct access to the
log files.

You could even directly modify iptables rather than updating the
configuration, which would ensure that the temporary rules were
cleared on a system reboot.

Justin

On Fri, Feb 22, 2008 at 1:36 PM, Allan Leinwand <[EMAIL PROTECTED]> wrote:
> Hi Justin,
>
>How about a script that lives on the Vyatta itself?  I'm no scripting 
> wizard by any means, but I imagine that by sitting on the Vyatta you can 
> parse the logfiles, modify the config file and load it pretty easily, right?
>
>Just a thought from the peanut gallery ;)
>
>  Take care,
>
>  Allan
>
>
>
>  - Original Message -
>  From: "Justin Fletcher" <[EMAIL PROTECTED]>
>  To: [EMAIL PROTECTED]
>  Sent: Friday, February 22, 2008 1:28:29 PM (GMT-0800) America/Los_Angeles
>  Subject: Re: [Vyatta-users] Adding Firewall rules remotely
>
>  One way to do it would be with an expect script that logs in and
>  updates a firewall rule.
>  You'd need to track locally when the rule was added, so you could then
>  remove it, perhaps with a simple text file and a cron job.
>
>  Best,
>  Justin
>
>  On Fri, Feb 22, 2008 at 1:08 PM, Christopher Johnson <[EMAIL PROTECTED]> 
> wrote:
>  > I have my systems set up to monitor authentication failures.  I want one
>  > system to be able to automatically add a firewall rule to deny a particular
>  > IP address.  In the best of all worlds, that firewall rule would then 
> expire
>  > at some time in the future.
>  >
>  > I.e. "Failed password for root from 35.8.1.1 port 38876 ssh2" is the logged
>  > message.  (And no, nobody from MSU tried this,  just one of my test IPs
> from
>  > a very long time ago).
>  >
>  > What I'd like to do is an SSH to the OFR which would then add a firewall
>  > rule that would expire in two weeks.
>  >
>  > ssh vyatta.example.com /usr/local/bin/blockip 35.8.1.1 14
>  >
>  > Any suggestions on what "blockip" might look like would be very nice.
>  >
>  > Thanks,
>  > -Chris
>  >
>  >
>  >
>  >
>
>


Re: [Vyatta-users] Adding Firewall rules remotely

2008-02-22 Thread Justin Fletcher
One way to do it would be with an expect script that logs in and
updates a firewall rule.
You'd need to track locally when the rule was added, so you could then
remove it, perhaps with a simple text file and a cron job.

Best,
Justin

On Fri, Feb 22, 2008 at 1:08 PM, Christopher Johnson <[EMAIL PROTECTED]> wrote:
> I have my systems set up to monitor authentication failures.  I want one
> system to be able to automatically add a firewall rule to deny a particular
> IP address.  In the best of all worlds, that firewall rule would then expire
> at some time in the future.
>
> I.e. "Failed password for root from 35.8.1.1 port 38876 ssh2" is the logged
> message.  (And no, nobody from MSU tried this,  just one of my test IPs from
> a very long time ago).
>
> What I'd like to do is an SSH to the OFR which would then add a firewall
> rule that would expire in two weeks.
>
> ssh vyatta.example.com /usr/local/bin/blockip 35.8.1.1 14
>
> Any suggestions on what "blockip" might look like would be very nice.
>
> Thanks,
> -Chris
>
>
>
>

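The bookkeeping Justin describes (record when a rule was added in a simple text file, let a cron job remove it later) and the `blockip <address> <days>` interface Chris sketches in the earlier thread can be put together as follows. This is an added example, not Chris's or Justin's script and not Vyatta code: it pulls failed-password sources out of sshd log lines, keeps a plain-text state file of blocked addresses with their expiry, and reports which entries are due for removal. Applying the resulting block and unblock actions to the firewall configuration is left to the caller, since the thread does not give that syntax. The log excerpt is constructed; the 35.8.1.1 line is the one quoted in the thread.

```python
"""State keeping for a 'blockip <address> <days>' helper.

Added example; not code from the thread or from Vyatta. It only decides
what to block and what to unblock; pushing those decisions into the
firewall configuration is the caller's job.
"""
import ipaddress
import re
from collections import Counter

# OpenSSH's failed-password line; the optional 'invalid user' prefix appears
# for usernames that do not exist.
FAILED_RE = re.compile(r"Failed password for (?:invalid user )?\S+ from (\S+) port \d+ ssh2")

# Constructed sample log; the first 35.8.1.1 line is the one quoted in the thread.
SAMPLE_AUTH_LOG = """\
Feb 22 12:58:01 ofr sshd[2231]: Failed password for root from 35.8.1.1 port 38876 ssh2
Feb 22 12:58:04 ofr sshd[2231]: Failed password for root from 35.8.1.1 port 38877 ssh2
Feb 22 12:58:09 ofr sshd[2240]: Failed password for invalid user admin from 35.8.1.1 port 38890 ssh2
Feb 22 13:01:44 ofr sshd[2301]: Failed password for chris from 192.0.2.10 port 51022 ssh2
Feb 22 13:02:00 ofr sshd[2310]: Accepted publickey for chris from 192.0.2.10 port 51030 ssh2
"""

DAY = 86400  # seconds


def failures_by_source(log):
    """Count failed-password attempts per source address."""
    counts = Counter()
    for line in log.splitlines():
        m = FAILED_RE.search(line)
        if m:
            counts[m.group(1)] += 1
    return counts


def load_state(text):
    """Parse 'address<TAB>expiry-epoch' lines; blank lines and '#' comments are skipped."""
    state = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ip, expiry = line.split("\t")
        state[str(ipaddress.ip_address(ip))] = int(expiry)
    return state


def dump_state(state):
    """Serialise the state in the same one-entry-per-line format."""
    return "".join(f"{ip}\t{expiry}\n" for ip, expiry in sorted(state.items()))


def block(state, ip, days, now):
    """Record ip as blocked for `days` from `now`; re-blocking never shortens
    an existing block. Returns the expiry epoch."""
    if days <= 0:
        raise ValueError("days must be positive")
    ip = str(ipaddress.ip_address(ip))  # rejects anything that is not an address
    state[ip] = max(state.get(ip, 0), now + days * DAY)
    return state[ip]


def new_blocks(counts, state, threshold):
    """Sources at or over the failure threshold that are not yet blocked."""
    return sorted(ip for ip, n in counts.items() if n >= threshold and ip not in state)


def expired(state, now):
    """Addresses whose block has lapsed; the cron job removes these rules."""
    return sorted(ip for ip, expiry in state.items() if expiry <= now)


if __name__ == "__main__":
    import time
    now = int(time.time())
    state = {}
    counts = failures_by_source(SAMPLE_AUTH_LOG)
    for ip in new_blocks(counts, state, threshold=3):
        print("block", ip, "until", block(state, ip, 14, now))
    print(dump_state(state), end="")
    print("expired now:", expired(state, now))
```

Keeping the expiry in the state file rather than in the firewall rule is what makes the two-week removal Chris asked for possible: the cron job only needs `expired()` and the current time, and `block()` extending rather than resetting an existing entry avoids a repeat offender shortening its own block.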

Re: [Vyatta-users] Graphing bandwidth: how do you do it?

2008-02-20 Thread Justin Fletcher
MRTG is reasonably straight-forward; use cfgmaker to generate the MRTG
configuration file and indexmaker to create the web pages.  There's a
lot of documentation at http://oss.oetiker.ch/mrtg/doc/index.en.html,
but just start with the basics.  Once you
give cfgmaker your system and SNMP community, it'll figure out the rest.

And yes, it works with Vyatta systems; I've got well over a year's worth
of data on my setup :-)

Justin

On Wed, Feb 20, 2008 at 9:41 AM,  <[EMAIL PROTECTED]> wrote:
> All,
>
>  I have been trying to get a bandwidth monitoring / graphing utility to work 
> now and have hit a hard road. I have tried to install the 'real' webmin 
> because they have a nice easy way to show traffic in / out, but to no avail. 
> I have started the snmp way via MRTG, but it will take me a while to set up 
> and configure. Can anyone recommend the easiest way to watch the traffic on 
> my vyatta box interface(s)?
>
>  I'm sure I'll eventually get MRTG to work-- but maybe there is a cleaner way?
>
>  Thanks in advance,
>
>  Aaron
>
>  p.s. Out of curiosity, has anyone gotten 'Webmin' (the official package) to 
> install on a vyatta machine? I resolved various dependencies, but still 
> cannot connect to it.
>
>


Re: [Vyatta-users] DHCP server issues

2008-02-20 Thread Justin Fletcher
Try removing the second wins-server entry - just saw a bug on that go
by.  Also, check the log messages; there may be information on the
DHCP server recorded.

Best,
Justin

On Wed, Feb 20, 2008 at 8:43 AM,  <[EMAIL PROTECTED]> wrote:
> Hello -
>
>  I'm new here and have downloaded and installed Vyatta 3.0. I am
>  testing it out now and followed the Quick Evaluation Guide. Everything
>  seems to be working except for the DHCP server - I can't get it to
>  hand out addresses. If I connect a laptop to the LAN port and send
>  DHCPDISCOVERs I get no response. If I configure the laptop for a
>  static address on the same subnet as the LAN interface
>  (192.168.1.0/24) everything works fine - I can get through the router
>  (NAT and the firewall seem to be working as well). My DHCP server
>  config is below - this should be very simple, but after a few hours I
>  can't figure out why it's not working.
>
>  Any ideas would be much appreciated.
>
>  Thank you,
>  -Matt
>
>
>  [EMAIL PROTECTED] show service dhcp-server
>  shared-network-name LAN-pool {
>      subnet 192.168.1.0/24 {
>          start 192.168.1.100 {
>              stop: 192.168.1.199
>          }
>          dns-server 1.1.1.1
>          dns-server 1.1.1.2
>          default-router: 192.168.1.1
>          wins-server 3.3.3.3
>          wins-server 3.3.3.4
>      }
>  }
>
>  [edit]
>  [EMAIL PROTECTED]
>
>


Re: [Vyatta-users] How can I load a new configuration on to the router and not reboot?

2008-02-18 Thread Justin Fletcher
This is pretty straight-forward; go into config mode and issue "load
config.boot" (or whatever you'd save the file as).

Best,
Justin

On Feb 18, 2008 12:23 PM, Adair, Nick <[EMAIL PROTECTED]> wrote:
> Is it possible to load a new configuration on to the router and not
> reboot the system?  If I restore a config.boot file via TFTP can I have
> the configuration take effect just by restarting vyatta-ofr?
>
> Nick
>
>


Re: [Vyatta-users] Vyatta Crashing -- Have to reboot

2008-02-14 Thread Justin Fletcher
Unfortunately, you need to restart the system to recover from these
errors in this version.  However, major changes have been made in
Glendale, so you won't see these issues in
the next release.  Alpha 1 is available, so you can give it a try now.

Justin

On Thu, Feb 14, 2008 at 7:27 AM,  <[EMAIL PROTECTED]> wrote:
> All,
>
>  I have now been using vyatta at two of my locations (production) and it has
> been very promising. However, I have run into the problem where I essentially
> cannot do any more 'commits'. This can randomly happen on various things, but
> adding / removing an interface is definitely one of them. The only thing I
> can do to fix the issue is to reboot (init 6) the vyatta box and then add in 
> my new configuration once it comes back up.
>
>  I would like some help just troubleshooting / debugging, so I don't have to 
> do a full restart to get back to a working condition. I am using VC 3.
>
>  Below is an example log from /var/log/messages
>
>
>  Feb 14 09:10:57 localhost xorp_fea: [ 2008/02/14 09:10:57  ERROR 
> xorp_fea:7163 FEA +99 
> /home/autobuild/builds/master/2007-10-24-0001/ofr/xorp/xorp/fea/ifconfig_set.cc
>  push_config ] Interface error on eth0.398: interface not recognized
>
>  Feb 14 09:10:57 localhost xorp_rtrmgr: [ 2008/02/14 09:10:57  ERROR 
> xorp_rtrmgr:3936 LIBXORP +741 
> /home/autobuild/builds/master/2007-10-24-0001/ofr/xorp/xorp/libxorp/run_command.cc
>  done ] Command "/opt/vyatta/sbin/commit_interface.sh": exited with exit 
> status 255.
>
>  Feb 14 09:10:57 localhost xorp_rtrmgr: [ 2008/02/14 09:10:57  ERROR 
> xorp_rtrmgr:3936 RTRMGR +1647 
> /home/autobuild/builds/master/2007-10-24-0001/ofr/xorp/xorp/rtrmgr/task.cc 
> execute_done ] Error found on program stderr!
>  Feb 14 09:10:57 localhost xorp_rtrmgr: [ 2008/02/14 09:10:57  ERROR 
> xorp_rtrmgr:3936 RTRMGR +701 
> /home/autobuild/builds/master/2007-10-24-0001/ofr/xorp/xorp/rtrmgr/master_conf_tree.cc
>  commit_pass2_done ] Commit failed:
>
>
>  Any suggestions would be appreciated.
>
>  I believe what is 'fixing' my issue is restarting the CLI and possibly 
> router program-- perhaps I can do that on the command line without restarting 
> the entire machine?
>
>  Thanks
>  -Aaron


Re: [Vyatta-users] XORP FROZE!

2008-02-11 Thread Justin Fletcher
There's no easy restart in this version.  I'd just reboot when you
get the chance - and consider trying out the Glendale alpha.

Justin

On Feb 11, 2008 10:06 AM, Ben Speckien <[EMAIL PROTECTED]> wrote:
> I created a new firewall rule, didn't apply it to an interface or
> anything and Xorp froze on the commit. The box continues to pass traffic
> just fine.   I logged into the box again and typed xorpsh, and nothing
> happened.  I was wondering what the best way to restart xorp is.  Or
> would I be better just rebooting the box?
>
> Ben


Re: [Vyatta-users] Going to shell on Vyatta

2008-02-11 Thread Justin Fletcher
However, changes made directly to /etc/passwd are not preserved
on reboot, so you'd need to re-create the user account each time.

Justin

On Feb 11, 2008 3:44 AM, Davide Bologna <[EMAIL PROTECTED]> wrote:
> Usually the vyatta user is meant for router
> administration, so it has direct access to xorpsh, as
> configured in /etc/passwd.
>
> You can run the application from the root shell or,
> better, create a new user to run it. Remember that
> Vyatta is a specialized Linux, but it is still Linux
> inside, so just useradd.
>
> Davide
>
>
> --- piyush sharma <[EMAIL PROTECTED]> wrote:
>
>
> > Sorry Stig, my question was meant for Vyatta in
> > general.
> > I didn't edit the subject line earlier.
> > I have to run an application on the linux on the
> > Vyatta machine.
> > For that I need to go to the shell prompt.
> > I wanted to know how I can do that.
> > I have logged in as user vyatta on the router.
> > Please help me.
> >
> > Thanks,
> > Piyush


Re: [Vyatta-users] Going to shell on Vyatta

2008-02-10 Thread Justin Fletcher
Log in as root; that'll give you the Linux shell.

Best,
Justin

On Feb 10, 2008 9:09 PM, piyush sharma <[EMAIL PROTECTED]> wrote:
>
>
> Sorry Stig, my question was meant for Vyatta in general.
> I didn't edit the subject line earlier.
> I have to run an application on the linux on the Vyatta machine.
> For that I need to go to the shell prompt.
> I wanted to know how I can do that.
> I have logged in as user vyatta on the router.
> Please help me.
>
> Thanks,
> Piyush
>


Re: [Vyatta-users] interface names move

2008-02-08 Thread Justin Fletcher
It's just the order they were initially discovered by the system, and
it can vary.  It's also one of the reasons there's the hw-id parameter
in the interfaces section - that way the interface you prefer is locked
to an interface name.  If you want to change the order, change the
hw-id entry, either through the configuration commands, or edit
config.boot directly (I prefer the latter to cut and paste) and reboot.

Justin

On Feb 8, 2008 5:05 AM, Dave Strydom <[EMAIL PROTECTED]> wrote:
> I've got two identical HP DL140 machines, both with additional Intel
> Dual Port 1000/PT cards.
>
> On the one machine (router 1)
> Onboard NIC 1 = eth0
> Onboard NIC 2 = eth1
> Intel NIC 1 = eth2
> Intel NIC 2 = eth3
>
> On the 2nd machine (router 2)
> Onboard NIC 1 = eth2
> Onboard NIC 2 = eth3
> Intel NIC 1 = eth0
> Intel NIC 2 = eth1
>
>
> How can two identical machines have the interface names switched around?
>
> - Dave

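Added example (not from the post, and not Vyatta's own tooling): a script that prints each interface's MAC in the hw-id form Justin mentions, so the mapping on both routers can be compared side by side and the preferred one pasted into config.boot. The "ethernet ethN { hw-id: ... }" layout is assumed from the VC3-era config.boot syntax; the MAC addresses and the temporary directory standing in for /sys/class/net are constructed so the script runs anywhere.

```shell
#!/bin/sh
# Added example, not from the list post: emit an interfaces stanza per NIC
# with the MAC the kernel reports, so the name-to-hardware binding can be
# pinned in config.boot instead of depending on discovery order.
# The stanza layout is an assumption based on the VC3-era config syntax.

# hw_id_stanzas [SYSDIR]
# Walks SYSDIR/eth*/address (default /sys/class/net) and prints one stanza
# per interface, in the order the kernel currently names them.
hw_id_stanzas() {
    sysdir="${1:-/sys/class/net}"
    for d in "$sysdir"/eth*; do
        [ -r "$d/address" ] || continue
        name=$(basename "$d")
        mac=$(cat "$d/address")
        printf 'ethernet %s {\n    hw-id: %s\n}\n' "$name" "$mac"
    done
}

# make_fixture: constructed stand-in for /sys/class/net with three NICs
# (MACs are made up), returned as a temporary directory path.
make_fixture() {
    tmp=$(mktemp -d)
    for pair in "eth0 00:15:17:aa:bb:01" "eth1 00:15:17:aa:bb:02" "eth2 00:1e:0b:cc:dd:01"; do
        set -- $pair
        mkdir -p "$tmp/$1"
        printf '%s\n' "$2" > "$tmp/$1/address"
    done
    printf '%s' "$tmp"
}

fixture=$(make_fixture)
hw_id_stanzas "$fixture"
rm -rf "$fixture"
```

Run hw_id_stanzas with no argument on each router to see the live mapping; to make router 2 match router 1, swap the hw-id values between the stanzas you want renamed, save config.boot and reboot as Justin describes. A replaced NIC has a new MAC, so its stanza stops matching until the hw-id is updated, which is worth remembering when a port seems to vanish after a hardware swap.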

Re: [Vyatta-users] Vyatta running on appliance...

2008-02-07 Thread Justin Fletcher
What's the last message before it hangs?

Justin

On Feb 7, 2008 2:12 PM, ken Felix <[EMAIL PROTECTED]> wrote:
> I'm doing the same but with a 2gb and 4gb "fast" Compact Flash. It runs
> great but I just noticed a problem the last 2 days in my test lab and it
> ( host ) hangs at boot time. Could be my hardware or CF card or adapter.
>
>
> fwiw, Logic supply has shipped their servers to me but so far I
> haven't received all of my new pieces for my project.
>


Re: [Vyatta-users] Transparent IP Mapping

2008-02-06 Thread Justin Fletcher
Yes, the Vyatta will do this - with a LOT more control.  Your Netopia
is doing NAT for you; if you want it, you'll be able to configure it.
By default, of course, NAT isn't configured on the Vyatta, so you'll
have to set it up to get the results you want.

Best,
Justin

On Feb 6, 2008 7:42 AM, Rob Menzies <[EMAIL PROTECTED]> wrote:
>
>
>
>
> I currently have a Netopia R910 supporting my network.  My ISP has provided
> me with a /29 subnet.  The Netopia permits these additional IP addresses to
> be behind my R910 through what they call Transparent IP Mapping.  These IP
> addresses live on the same switch as my 10.x.x.x/24 network.  Does the
> Vyatta permit this?  From what I've read, the VLAN looks like it will work,
> but some clarification would be appreciated.  Here is the text from
> Netopia's site on the Transparent IP Mapping:
>
> If your ISP has assigned you multiple static IP addresses you may want to
> have one or more of these IP's assigned directly to hosts or servers behind
> the Netopia with NAT enabled. If you want to place a public IP onto the
> local workstation, (i.e. not a 192.168.1.x address), then this Quick Guide
> will take you through this process step-by-step. How this is done will be
> determined by the type of routing (or bridging) handled from the ISP. The
> IP's can be routed to the Ethernet interface of the router, or be bridged to
> you on the WAN interface.
>
> This configuration will transparently map your public IP addresses in a way
> that will allow you to configure workstations behind the router to hold
> these public IP addresses and make them publicly accessible, bypassing the
> NAT process on this secondary subnet.
>
>


Re: [Vyatta-users] Possible OSPF problems

2008-02-06 Thread Justin Fletcher
Ah - my mistake in terminology translation :-)

Since it IS running through the router, turn on tshark on one of the
router interfaces, & see what's on the (virtual) wire when you start a ping.
Does the router even see it inbound through the virtual switch?

Justin

On Feb 6, 2008 5:05 AM, Joe Pub <[EMAIL PROTECTED]> wrote:
> I think I have a problem with some OSPF routing.  I have a small
> network setup (see attached image) which uses 2 OSPF areas, with 3
> subnets.  I have a LAN subnet (192.168.10.0/23, Area 0.0.0.1) and a
> DMZ subnet (172.20.0.0/23, Area 0.0.0.0) and a public subnet which is
> not configured using OSPF.
>
> I can connect and ping nodes from LAN <--> DMZ no problem and can
> also ping from DMZ <-> Public no problem.  But when I try to ping
> and connect to machines within my own public range LAN  <-> Public
> I have some connectivity issues.  Pings will take a while and time
> out, then eventually (2 - 10 seconds) it's like OSPF has figured how
> to get there and it works.  If those hosts then have not been
> contacted in a while since it started working, I have the ping and
> connectivity problems again.
>
> Does anyone have any idea where I might be going wrong here?
>
> Protocol config for both internal routers is below, with respective
> OSPF and routing tables.  If you need further information please let
> me know.
>
> Thanks for the help.
>
> ---
>
> protocols {
>     ospf4 {
>         router-id: 10.1.1.1
>         rfc1583-compatibility: false
>         ip-router-alert: false
>         area 0.0.0.0 {
>             area-type: "normal"
>             interface eth1 {
>                 link-type: "broadcast"
>                 address 172.20.1.251 {
>                     priority: 128
>                     hello-interval: 10
>                     router-dead-interval: 40
>                     interface-cost: 1
>                     retransmit-interval: 5
>                     transit-delay: 1
>                     passive: false
>                     disable: false
>                 }
>             }
>         }
>         area 0.0.0.1 {
>             area-type: "normal"
>             interface eth0 {
>                 link-type: "broadcast"
>                 address 192.168.11.253 {
>                     priority: 128
>                     hello-interval: 10
>                     router-dead-interval: 40
>                     interface-cost: 1
>                     retransmit-interval: 5
>                     transit-delay: 1
>                     passive: false
>                     disable: false
>                 }
>             }
>         }
>     }
>     static {
>         disable: false
>     }
> }
>
> Routes: 8/8, Paths: 8/8
> 0.0.0.0/0          [ospf(1)]       > to 172.20.1.253   via eth1
> 10.1.1.1/32        [connected(0)]  > to 10.1.1.1       via lo
> 10.1.1.3/32        [ospf(2)]       > to 172.20.1.253   via eth1
> 10.1.1.4/32        [ospf(2)]       > to 172.20.1.252   via eth1
> 127.0.0.0/8        [connected(0)]  > to 127.0.0.1      via lo
> 172.20.0.0/23      [connected(0)]  > to 172.20.1.251   via eth1
> 192.168.10.0/23    [connected(0)]  > to 192.168.11.253 via eth0
> 192.168.11.254/32  [connected(0)]  > to 192.168.11.254 via eth0
>
> 
>
> protocols {
>     ospf4 {
>         router-id: 10.1.1.2
>         rfc1583-compatibility: false
>         ip-router-alert: false
>         area 0.0.0.0 {
>             area-type: "normal"
>             interface eth1 {
>                 link-type: "broadcast"
>                 address 172.20.1.250 {
>                     priority: 128
>                     hello-interval: 10
>                     router-dead-interval: 40
>                     interface-cost: 1
>                     retransmit-interval: 5
>                     transit-delay: 1
>                     passive: false
>                     disable: false
>                 }
>             }
>         }
>         area 0.0.0.1 {
>             area-type: "normal"
>             interface eth0 {
>                 link-type: "broadcast"
>                 address 192.168.11.252 {
>                     priority: 128
>                     hello-interval: 10
>                     router-dead-interval: 40
>                     interface-cost: 1
>                     retransmit-interval: 5
>                     transit-delay: 1
>                     passive: false
>                     disable: false
>

Re: [Vyatta-users] Possible OSPF problems

2008-02-06 Thread Justin Fletcher
If you're pinging public -> public, it's the same subnet, which means the
devices are communicating directly, and not even going through the router,
so OSPF shouldn't be an issue.

Trace a traceroute from one of the devices in question, or see if you can
get a packet capture.  COULD be a switch, spanning tree issue, interface
configuration mismatch or . . .

Best,
Justin

On Feb 6, 2008 5:05 AM, Joe Pub <[EMAIL PROTECTED]> wrote:
> I think I have a problem with some OSPF routing.  I have a small
> network setup (see attached image) which uses 2 OSPF areas, with 3
> subnets.  I have a LAN subnet (192.168.10.0/23, Area 0.0.0.1) and a
> DMZ subnet (172.20.0.0/23, Area 0.0.0.0) and a public subnet which is
> not configured using OSPF.
>
> I can connect and ping nodes from LAN <--> DMZ no problem and can
> also ping from DMZ <-> Public no problem.  But when I try to ping
> and connect to machines within my own public range LAN  <-> Public
> I have some connectivity issues.  Pings will take a while and time
> out, then eventually (2 - 10 seconds) it's like OSPF has figured how
> to get there and it works.  If those hosts then have not been
> contacted in a while since it started working, I have the ping and
> connectivity problems again.
>
> Does anyone have any idea where I might be going wrong here?
>
> Protocol config for both internal routers is below, with respective
> OSPF and routing tables.  If you need further information please let
> me know.
>
> Thanks for the help.
>
> ---
>
> protocols {
>     ospf4 {
>         router-id: 10.1.1.1
>         rfc1583-compatibility: false
>         ip-router-alert: false
>         area 0.0.0.0 {
>             area-type: "normal"
>             interface eth1 {
>                 link-type: "broadcast"
>                 address 172.20.1.251 {
>                     priority: 128
>                     hello-interval: 10
>                     router-dead-interval: 40
>                     interface-cost: 1
>                     retransmit-interval: 5
>                     transit-delay: 1
>                     passive: false
>                     disable: false
>                 }
>             }
>         }
>         area 0.0.0.1 {
>             area-type: "normal"
>             interface eth0 {
>                 link-type: "broadcast"
>                 address 192.168.11.253 {
>                     priority: 128
>                     hello-interval: 10
>                     router-dead-interval: 40
>                     interface-cost: 1
>                     retransmit-interval: 5
>                     transit-delay: 1
>                     passive: false
>                     disable: false
>                 }
>             }
>         }
>     }
>     static {
>         disable: false
>     }
> }
>
> Routes: 8/8, Paths: 8/8
> 0.0.0.0/0          [ospf(1)]       > to 172.20.1.253   via eth1
> 10.1.1.1/32        [connected(0)]  > to 10.1.1.1       via lo
> 10.1.1.3/32        [ospf(2)]       > to 172.20.1.253   via eth1
> 10.1.1.4/32        [ospf(2)]       > to 172.20.1.252   via eth1
> 127.0.0.0/8        [connected(0)]  > to 127.0.0.1      via lo
> 172.20.0.0/23      [connected(0)]  > to 172.20.1.251   via eth1
> 192.168.10.0/23    [connected(0)]  > to 192.168.11.253 via eth0
> 192.168.11.254/32  [connected(0)]  > to 192.168.11.254 via eth0
>
> 
>
> protocols {
>     ospf4 {
>         router-id: 10.1.1.2
>         rfc1583-compatibility: false
>         ip-router-alert: false
>         area 0.0.0.0 {
>             area-type: "normal"
>             interface eth1 {
>                 link-type: "broadcast"
>                 address 172.20.1.250 {
>                     priority: 128
>                     hello-interval: 10
>                     router-dead-interval: 40
>                     interface-cost: 1
>                     retransmit-interval: 5
>                     transit-delay: 1
>                     passive: false
>                     disable: false
>                 }
>             }
>         }
>         area 0.0.0.1 {
>             area-type: "normal"
>             interface eth0 {
>                 link-type: "broadcast"
>                 address 192.168.11.252 {
>                     priority: 128
>                     hello-interval: 10
>                     router-dead-interval: 40
>                     interface-cost: 1
>                     retransmit-interval: 5
> tran

Re: [Vyatta-users] ps3

2008-02-04 Thread Justin Fletcher
Port forwarding should be straight-forward with the Vyatta CLI; look for recent
ssh examples on this list.

Personally, I'd create a rule for each protocol and port/port range.

Best,
Justin

On Feb 4, 2008 8:31 PM, Nathan McBride <[EMAIL PROTECTED]> wrote:
> Hey guys, I finally got my old comp which is running vyatta to now be a
> wireless vyatta router.  So I can connect my Playstation 3 to the router
> and it goes on the network and most things work.  However it only has
> what playstation calls nat3.  This is because it isn't getting all the
> ports it needs.  The playstation 3 needs:
>
> • TCP Ports: 80, 443, 5223, and 10070 - 10080
> • UDP Ports: 3478, 3479, 3658, and 10070
>
> I don't care about 80 and 443.  However I really want to get nat2
> working because I'm having issues with Unreal III.  What would be the
> best way to do this?  Can / should I create an iptables rule to make a
> DMZ zone?  I had to make the firewall with iptables not vyatta cause I
> couldn't figure it out... :'(  Should I just create a nat rule for each
> port and forward it to my playstation's ip after setting it as static?
>
> Thanks,
> Nate
>

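Added example (not from the post, and not Vyatta's own CLI): one way to do what Justin suggests, a separate forwarding rule per protocol and port range, written with plain iptables since that is what Nate says his firewall is built on. The WAN interface name eth0, the console's static address 192.168.1.50 and the dry-run default are assumptions; the port list is the one from the question, minus 80 and 443 as Nate asked.

```shell
#!/bin/sh
# Added example, not code from the list post: one DNAT rule plus one FORWARD
# accept per protocol and port range, so only the listed ports reach the
# console and nothing else is exposed. Interface name and console address are
# assumptions; RUN=echo (the default) prints the rules, RUN='' applies them.

WAN_IF="${WAN_IF:-eth0}"            # assumed Internet-facing interface
CONSOLE="${CONSOLE:-192.168.1.50}"  # assumed static LAN address of the PS3
RUN="${RUN-echo}"                   # dry-run by default

# Port list from the question: "proto port" or "proto first:last" per line.
# 80 and 443 are left out on purpose, as the question says they are not needed.
PORTS='
tcp 5223
tcp 10070:10080
udp 3478
udp 3479
udp 3658
udp 10070
'

# forward_rule PROTO PORTS
# PREROUTING rewrites the destination to the console (port unchanged);
# the FORWARD rule admits only new connections to those ports on that host.
forward_rule() {
    proto="$1"; ports="$2"
    $RUN iptables -t nat -A PREROUTING -i "$WAN_IF" -p "$proto" --dport "$ports" \
        -j DNAT --to-destination "$CONSOLE"
    $RUN iptables -A FORWARD -i "$WAN_IF" -p "$proto" -d "$CONSOLE" --dport "$ports" \
        -m conntrack --ctstate NEW -j ACCEPT
}

apply_forwarding() {
    printf '%s\n' "$PORTS" | while read -r proto ports; do
        [ -n "$proto" ] || continue
        forward_rule "$proto" "$ports"
    done
}

apply_forwarding
```

This assumes the FORWARD chain already has a DROP policy and an earlier rule accepting ESTABLISHED,RELATED traffic; the per-port rules then open exactly the listed ports toward one host, which is the reason to prefer this over a DMZ host that receives everything unsolicited.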

Re: [Vyatta-users] Bandwidth limitation

2008-02-04 Thread Justin Fletcher
Coming soon in a Glendale build near to you :-)

Justin

On Feb 4, 2008 9:26 PM, Dams <[EMAIL PROTECTED]> wrote:
> Hi,
>
> I would like to know if there is an option in vyatta to limit the bandwidth
> on specific ip or all ip ?
>
> Thanks
>
> --
> Cordialement / Sincerely
> Dams
>
>


Re: [Vyatta-users] vLAN & Switch

2008-02-04 Thread Justin Fletcher
Definitely.  It's part of the VLAN tag.

Best,
Justin

On Feb 4, 2008 9:26 PM, Go Wow <[EMAIL PROTECTED]> wrote:
> Hey
>
>  I have configured VLAN in vyatta and bought a VLAN-enabled switch, a
> D-Link DES-1226. I want to know, when configuring the switch, whether I
> need to give the VID in the switch the same as the VLAN ID created in
> vyatta?


Re: [Vyatta-users] Managing different subnet with different gateway

2008-02-01 Thread Justin Fletcher
To summarize, traffic doesn't know anything about where it's been.  There's
no guarantee that traffic will go back the same route it came in;
asymmetric routing is very common.

All a router knows is the IP address of the destination packet it needs
to forward; it'll then use its routing information to select the next hop
router, which then makes its own independent decision.  It's a little
simplified :-) but pretty much the case.

So yes - think both directions - how the request packet comes in, and how the
response packet is routed back.

Best,
Justin

On Jan 31, 2008 11:13 AM, Daren Tay <[EMAIL PROTECTED]> wrote:
> Hi all,
>
> I've been toying with this mini project and have some quite interesting
> findings... the problem persists somehow... help would be appreciated.
> btw, these are for a web infrastructure setup.
>
> Setup
> 
>
> 01 x main router  ---> this is the router that is to manage 2 different
> subnet, and ensure that their outgoing traffic go by a fixed gateway, and
> not just the default gateway.
> 02 x laptop --> they simulate the 2 internal subnet
> 02 x small routers (one linksys, one vyatta) ---> they simulate the
> different subnet of the outgoing connection, the "gateways"
>
> For the main router:
> ---
> eth0: 192.168.2.1 /24 --> to small router (vyatta)
> eth1: 192.168.3.1 /24 --> to small router (linksys)
> eth2: 192.168.20.1 /24 --> laptop1 (192.168.20.2)
> eth3: 192.168.30.1 /24 --> laptop2 (192.168.30.2)
>
> For the small routers
> 
> :: vyatta ::
> LAN --> 192.168.2.2
> WAN --> 192.168.1.232
> Gateway --> 192.168.1.1
>
> :: linksys ::
> LAN --> 192.168.3.2
> WAN --> 192.168.1.233
> Gateway --> 192.168.1.2
>
> *Note: both gateways are separate ADSL modems
>
> So I go ahead and set them up normally, with default routing pointed to
> either one. Everything works fine.
> Both laptops can ping each other and can ping the gateway and beyond
> (internet). No problem. So I attempt to test the ip tool.
>
>
> IP Tool
> =
> Based on what was advised, I looked through, tried and read...
>
> I created 2 ip route tables (other than the default).
> I added the following ip routes:
> ip route add default via 192.168.2.2 dev eth0 tab 1
> ip route add default via 192.168.3.2 dev eth1 tab 2
>
> As you can see, table 1 is for routing out through the vyatta small router,
> table 2 through the linksys small router.
>
> I then add the following:
> ip rule add from 192.168.20.0/24 tab 1 priority 500
> ip rule add from 192.168.30.0/24 tab 2 priority 600
>
> At this point, nothing works anymore. My 2 subnets cannot ping out anymore.
> I then copied the entries from "ip route show" and put them into table1 and
> table2.
> This way, the routes for "ip route show", "ip route show table 1", "ip route
> show table 2" are the same, except the default path.
> Btw, there is no default path in "ip route show".
>
>
> Problem
> -
> After doing the above... the default path via the linksys router works
> fine...
> but the vyatta (small router) totally cannot work. I can still ping both its
> port (LAN and WAN), but nothing beyond. not even the 1.0 network with the
> modems... I'm not sure why.. and I am hoping some kind folks may shed some
> light on this. would appreciate this. The main vyatta router can ping
> through all of them though.
>
> So far, am I doing it correctly?
>
>
> Another question though:
> without going through this testing... incoming traffic to the 2 different
> subnets will naturally go through their respective gateways. The question is
> whether the outgoing traffic will go through the correct gateway, or just
> the default gateway.. hence after getting advice from the good folks, I
> began testing..
>
> but something just struck me... say I don't do any of these tests. I just
> leave it be. so when people serve either websites (from the different
> subnets), the DNS resolution will naturally bring them through the different
> gateway and on to the appropriate subnet right? If that's the case, when the
> request returns to the user, will it go back by the way it came from, or via
> the default gateway...?
>
> My worry is that it will go through the default gateway, hence I asked about
> this whole test. But thinking about it.. it can go back the way it came from,
> can't it?
>
> Sorry about the lengthy question, networking amateur here :)
>
> Many thanks for the patience and interest!
> Daren

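As an added example, not code from the thread: the per-source tables Daren is building, generated by a script so that Justin's "think both directions" point is visible in one place. The addresses come from Daren's description; the table numbers, rule priorities and the connected-route list are assumptions, and the script only prints the ip commands unless RUN is set to empty.

```shell
#!/bin/sh
# Added example, not code from the list post: source-based policy routing for
# the layout in Daren's question. Addresses are from the question; table
# numbers, priorities and the connected-route list are assumptions.
# RUN=echo (the default) prints the commands; RUN='' applies them.

RUN="${RUN-echo}"

# Connected networks on the main router (from the question): "net dev addr".
# Every per-source table must carry these too, or a lookup in that table has
# no route to the local subnets, which is the "nothing works anymore" step.
CONNECTED='
192.168.2.0/24 eth0 192.168.2.1
192.168.3.0/24 eth1 192.168.3.1
192.168.20.0/24 eth2 192.168.20.1
192.168.30.0/24 eth3 192.168.30.1
'

# policy_route TABLE PRIORITY SOURCE_NET GATEWAY DEV
# Fills TABLE with the connected routes plus its own default, then adds the
# rule that sends packets *from* SOURCE_NET to that table. A reply from a
# server in SOURCE_NET therefore leaves via GATEWAY, the same ADSL line the
# request arrived on, instead of the main table's default gateway.
policy_route() {
    table="$1"; prio="$2"; src="$3"; gw="$4"; dev="$5"
    printf '%s\n' "$CONNECTED" | while read -r net cdev addr; do
        [ -n "$net" ] || continue
        $RUN ip route add "$net" dev "$cdev" src "$addr" table "$table"
    done
    $RUN ip route add default via "$gw" dev "$dev" table "$table"
    $RUN ip rule add from "$src" table "$table" priority "$prio"
}

apply_policy_routing() {
    policy_route 1 500 192.168.20.0/24 192.168.2.2 eth0   # laptop1 subnet via vyatta
    policy_route 2 600 192.168.30.0/24 192.168.3.2 eth1   # laptop2 subnet via linksys
    $RUN ip route flush cache
}

apply_policy_routing
```

The forward direction (a request arriving through one ADSL line) needs nothing here; it is the reverse direction that the "from" rules fix, because without them the reply would follow the main table's default route regardless of where the request came in. Traffic that originates on the router itself is not covered by these rules and still uses the main table.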

Re: [Vyatta-users] Firewall Logs

2008-02-01 Thread Justin Fletcher
Yes, I've had it enabled and working before.  The traffic needs to hit a
firewall rule before it'll be logged; you may also need to adjust the global
log level down from its current default of warning to informational or lower.

Justin


On Feb 1, 2008 2:12 PM, Go Wow <[EMAIL PROTECTED]> wrote:
> But it doesn't show me the required information, did you try it? I
> want to make sure that somebody did try it and its working for them
> cuz currently it isn't working for me :( .
>


Re: [Vyatta-users] Firewall Logs

2008-02-01 Thread Justin Fletcher
You can enable firewall logging for each firewall rule:

rule 1 {
    protocol: "tcp"
    action: "accept"
    log: "enable"
    source {
        network: 0.0.0.0/0
    }
    destination {
        port-name: "ssh"
    }
}

That will get the information you're looking for, if you have a
firewall rule to match it!

Justin

On Feb 1, 2008 6:31 AM, Go Wow <[EMAIL PROTECTED]> wrote:
> Hi
>
>   I was able to build some working firewall rules, and I'm happy man
> now I got NAT working, Firewall up now I'm moving onto vLAN. My
> question regarding the firewall logs is that I want to see all the ips
> that tried to scan my WAN ip for ports or even tried to access it,  I
> can't see it in show >> logs or show >> firewall >> logs. So can
> someone tell me where I can get those kind of logs.

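Added example, serving both Firewall Logs messages above (not from either message, and not a Vyatta command): a small awk summariser for the kernel LOG lines that a rule with log enabled writes to syslog, answering the original question of which addresses touched the WAN interface. The sample lines are constructed with documentation addresses, and the [WAN-IN-10-D] prefix is an assumed log-prefix, not Vyatta's exact format.

```shell
#!/bin/sh
# Added example, not code from the list posts: summarise netfilter LOG lines
# (the kind a rule with log enabled produces) by source, protocol and port.
# The sample below is constructed; the "[WAN-IN-10-D]" prefix is assumed.

SAMPLE_LOG='
Feb  1 12:00:01 vyatta kernel: [WAN-IN-10-D] IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.2 LEN=60 TTL=51 PROTO=TCP SPT=45123 DPT=22 SYN
Feb  1 12:00:01 vyatta kernel: [WAN-IN-10-D] IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.2 LEN=60 TTL=51 PROTO=TCP SPT=45124 DPT=23 SYN
Feb  1 12:00:02 vyatta kernel: [WAN-IN-10-D] IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.2 LEN=60 TTL=51 PROTO=TCP SPT=45125 DPT=80 SYN
Feb  1 12:00:02 vyatta kernel: [WAN-IN-10-D] IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.2 LEN=60 TTL=51 PROTO=TCP SPT=45126 DPT=443 SYN
Feb  1 12:03:17 vyatta kernel: [WAN-IN-10-D] IN=eth0 OUT= SRC=198.51.100.77 DST=198.51.100.2 LEN=60 TTL=60 PROTO=TCP SPT=51000 DPT=22 SYN
Feb  1 12:03:19 vyatta kernel: [WAN-IN-10-D] IN=eth0 OUT= SRC=198.51.100.77 DST=198.51.100.2 LEN=60 TTL=60 PROTO=TCP SPT=51001 DPT=22 SYN
Feb  1 12:05:40 vyatta kernel: [WAN-IN-10-D] IN=eth0 OUT= SRC=192.0.2.9 DST=198.51.100.2 LEN=40 TTL=48 PROTO=UDP SPT=5353 DPT=161
'

# fw_log_summary < logfile
# Prints "SRC PROTO DPT count", busiest first. Only lines that carry the
# netfilter key=value fields are considered; other kernel messages are skipped.
fw_log_summary() {
    awk '
        /kernel: \[.*\] IN=/ {
            src = ""; proto = ""; dpt = "-"
            for (i = 1; i <= NF; i++) {
                split($i, kv, "=")
                if (kv[1] == "SRC")   src = kv[2]
                if (kv[1] == "PROTO") proto = kv[2]
                if (kv[1] == "DPT")   dpt = kv[2]
            }
            if (src != "") count[src " " proto " " dpt]++
        }
        END { for (k in count) print k, count[k] }
    ' | sort -k4,4nr -k1,1
}

# fw_log_scanners [N] < logfile
# Lists sources that hit at least N distinct destination ports (default 3),
# a crude first cut at spotting a port scan in the log.
fw_log_scanners() {
    awk -v thr="${1:-3}" '
        /kernel: \[.*\] IN=/ {
            src = ""; dpt = ""
            for (i = 1; i <= NF; i++) {
                split($i, kv, "=")
                if (kv[1] == "SRC") src = kv[2]
                if (kv[1] == "DPT") dpt = kv[2]
            }
            if (src != "" && dpt != "") ports[src, dpt] = 1
        }
        END {
            for (k in ports) { split(k, p, SUBSEP); n[p[1]]++ }
            for (s in n) if (n[s] >= thr) print s, n[s]
        }
    ' | sort
}

printf '%s\n' "$SAMPLE_LOG" | fw_log_summary
printf '%s\n' "$SAMPLE_LOG" | fw_log_scanners 3
```

On the router, run fw_log_summary < /var/log/messages once the syslog level is low enough for the lines to be recorded, as the earlier message notes. A line only appears for traffic that matched a rule with log enabled, so a catch-all drop rule with logging at the end of the WAN-inbound rule set is what makes the "who scanned me" question answerable.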

Re: [Vyatta-users] Dual-screened subnet

2008-01-31 Thread Justin Fletcher
You apply a firewall on an interface-basis, and whether it's inbound, outbound,
or local to the router, so I think that'll do what you want (if I'm
interpreting correctly).

Best,
Justin

On Jan 22, 2008 8:58 AM, Elías Manchón López <[EMAIL PROTECTED]> wrote:
>
>
>
> Hi Folks!.
>
> I need to set up a dual-screened subnet and I'm thinking of using vyatta on
> the two PCs, with two NICs each. The front firewall and the back firewall; I
> don't know if this is possible with vyatta and if I will have some
> limitation. I think that the front router will do natting and the back
> router will do routing.
>
> What do you think about this issue?
>
> Thanks in advance.
>
>
>


Re: [Vyatta-users] Unable to login, solved by reboot

2008-01-30 Thread Justin Fletcher
Personally, I'd use it to take advantage of major changes and fixes,
and I'm running it to access all 40 lab systems - but that's me :-)

It still needs more polish, and there's a good chance you'll find
things that aren't perfect (or maybe even a bug or two), and you'll
have to re-enter and/or substantially modify your existing
configuration.

If you want to be cautious and prudent, review the bugs in the bug
list, and try it on a backup system.

Best,
Justin

On Jan 30, 2008 3:06 PM, Jostein Martinsen-Jones <[EMAIL PROTECTED]> wrote:
> How production-ready is Glendale? I'm using vyatta as router/firewall in
> front of a couple of servers that soon will go live...
> Since it's alpha, do you think I should do it? Just printed the whole
> manual...
>
>
>
> 2008/1/30, Justin Fletcher <[EMAIL PROTECTED]>:
> > Maybe . . .
> >
> > However, much of this has been resolved with associated changes in
> Glendale.
> > Give Alpha 1 a try - I doubt you'll see it there :-)
> >
> > Best,
> > Justin
> >
> > On Jan 30, 2008 12:43 PM, Jostein Martinsen-Jones <[EMAIL PROTECTED]>
> wrote:
> > > But I feel that the only reason I didn't have to reboot is luck :(
> > > Maybe next time I'm unable to login with any account?
> > >
> > > 2008/1/30, Justin Fletcher <[EMAIL PROTECTED]>:
> > >
> > > > As you can see, nothing jumps out in the log.  A detailed search may
> > > > turn up more information; otherwise, at least you've got a work-around
> > > > :-)
> > > >
> > > > Justin
> > > >
> > > > On Jan 29, 2008 2:48 PM, Jostein Martinsen-Jones <[EMAIL PROTECTED]>
> > > wrote:
> > > > > Log result attached.
> > > > > I managed to login if I changed the passwords for my "troubled
> > > > > users".
> > > > > Sometimes the encrypted-password didn't get encrypted.
> > > > >
> > > > >
> > > > > 2008/1/29, Justin Fletcher <[EMAIL PROTECTED]>:
> > > > >
> > > > > > Give "show log | match ERROR" a try.
> > > > > >
> > > > > > Justin
> > > > > >
> > > > > > On Jan 29, 2008 2:00 PM, Jostein Martinsen-Jones
> <[EMAIL PROTECTED]>
> > > > > wrote:
> > > > > > > I have this problem again. Now I was able to login to a user
> > > > > > > account I created, but unable to view logfiles since I'm in xorpsh.
> > > > > > >
> > > > > > > 2008/1/28, Justin Fletcher <[EMAIL PROTECTED]>:
> > > > > > >
> > > > > > > > Anything untoward in the log files?
> > > > > > > >
> > > > > > > > Justin
> > > > > > > >
> > > > > > > > On Jan 28, 2008 7:29 AM, Jostein Martinsen-Jones
> > > <[EMAIL PROTECTED]>
> > > > > > > wrote:
> > > > > > > > > Today I had a weird experience with Vyatta.
> > > > > > > > > I was unable to login on any account. Did a reboot, then
> > > > > > > > > everything was normal.
> > > > > > > > > What is going on?
> > > > > > > > >


Re: [Vyatta-users] Unable to login, solved by reboot

2008-01-30 Thread Justin Fletcher
Maybe . . .

However, much of this has been resolved with associated changes in Glendale.
Give Alpha 1 a try - I doubt you'll see it there :-)

Best,
Justin

On Jan 30, 2008 12:43 PM, Jostein Martinsen-Jones <[EMAIL PROTECTED]> wrote:
> But I feel that the only reason I didn't have to reboot is luck :(
> Maybe next time I'm unable to login with any account?
>
> 2008/1/30, Justin Fletcher <[EMAIL PROTECTED]>:
>
> > As you can see, nothing jumps out in the log.  A detailed search may
> > turn up more information; otherwise, at least you've got a work-around
> > :-)
> >
> > Justin
> >
> > On Jan 29, 2008 2:48 PM, Jostein Martinsen-Jones <[EMAIL PROTECTED]>
> wrote:
> > > Log result attached.
> > > I managed to login if I changed the passwords for my "troubled users".
> > > Sometimes the encrypted-password didn't get encrypted.
> > >
> > >
> > > 2008/1/29, Justin Fletcher <[EMAIL PROTECTED]>:
> > >
> > > > Give "show log | match ERROR" a try.
> > > >
> > > > Justin
> > > >
> > > > On Jan 29, 2008 2:00 PM, Jostein Martinsen-Jones <[EMAIL PROTECTED]>
> > > wrote:
> > > > > I have this problem again. Now I was able to login to a user account
> I
> > > > > created, but unable to view logfiles since I'm in xorpsh.
> > > > >
> > > > > 2008/1/28, Justin Fletcher <[EMAIL PROTECTED]>:
> > > > >
> > > > > > Anything untoward in the log files?
> > > > > >
> > > > > > Justin
> > > > > >
> > > > > > On Jan 28, 2008 7:29 AM, Jostein Martinsen-Jones
> <[EMAIL PROTECTED]>
> > > > > wrote:
> > > > > > > Today I had a weird experience with Vyatta.
> > > > > > > I was unable to login on any account. Did a reboot, then
> everything
> > > was
> > > > > > > normal.
> > > > > > > What is going on?
> > > > > > >
> > > > > > > ___
> > > > > > > Vyatta-users mailing list
> > > > > > > Vyatta-users@mailman.vyatta.com
> > > > > > > http://mailman.vyatta.com/mailman/listinfo/vyatta-users
> > > > > > >
> > > > > > >
> > > > > >
> > > > >
> > > > >
> > > >
> > >
> > >
> >
>
>
___
Vyatta-users mailing list
Vyatta-users@mailman.vyatta.com
http://mailman.vyatta.com/mailman/listinfo/vyatta-users


Re: [Vyatta-users] Managing different subnet with different gateway

2008-01-30 Thread Justin Fletcher
Yes, eth0 and eth1 should be on different subnets; if not, the router doesn't
know which interface should be used to send traffic to another device on that
subnet.

Best,
Justin

On Jan 30, 2008 7:47 AM, Daren Tay <[EMAIL PROTECTED]> wrote:
> Hi guys,
>
> I revisited the issue after getting a box to test
>
> I have set up a vyatta router with 4 ports
>
> eth0: 192.168.1.232 (WAN) -> simulate gateway#1
> eth1: 192.168.1.233 (WAN) -> simulate gateway#2
> eth2: 192.168.20.1 (LAN) -> simulate LAN #1, represented by a laptop
> 192.168.20.2 :: to route through eth0 for gateway 192.168.1.1
> eth3: 192.168.30.1 (LAN) -> simulate LAN #2, represented by a laptop
> 192.168.30.2 :: to route through eth1 for gateway 192.168.1.2
>
> I can't get eth3 to work somehow.. I think the laptop needs to be connected
> using a cross cable (using different laptops)
> but .20.x side is working fine. As attached is the config.
>
> I then run the ip tool on 192.168.30.0..
>
> but I still can't route out.
>
> When I set the gateway, it routes out, but via that gateway...
>
> both 192.168.1.1 and 1.2 are ADSL modems... or should I be ensuring both
> eth0 and eth1 are of different subnet?
> Below is the config I did...
> 
> vyatta:~# ip route add default via 192.168.1.2 dev eth1 tab 2
> vyatta:~# ip rule add from 192.168.30.0/24 tab 2 priority 600
> vyatta:~# ip route list
> 192.168.20.0/24 dev eth2  proto kernel  scope link  src 192.168.20.1
> 192.168.1.0/24 dev eth0  proto kernel  scope link  src 192.168.1.232
> 192.168.1.0/24 dev eth1  proto kernel  scope link  src 192.168.1.233
> 192.168.30.0/24 dev eth3  proto kernel  scope link  src 192.168.30.1
> vyatta:~# ip rule list
> 0:  from all lookup 255
> 600:from 192.168.30.0/24 lookup 2
> 32766:  from all lookup main
> 32767:  from all lookup default
> =
>
>
> Food for thought? More testing to be done tomorrow!
>
> Thanks folks!
> Daren
>
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] Behalf Of Daren Tay
> Sent: Tuesday, January 08, 2008 11:50 AM
> To: Robert Bays
>
> Cc: vyatta-users@mailman.vyatta.com
> Subject: Re: [Vyatta-users] Managing different subnet with different
> gateway
>
>
> OK Robert, will take note of that.
>
> My concern is just to ensure the 2 subnet have their traffic routed through
> their respective gateways as different bandwidth is purchased for them :)
>
> Thanks man!
> Daren
>
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] Behalf Of Robert Bays
> Sent: Tuesday, January 08, 2008 2:59 AM
> To: vyatta-users@mailman.vyatta.com
> Subject: Re: [Vyatta-users] Managing different subnet with different
> gateway
>
>
> Daren,
>
> I would still setup a global default route in the router to handle
> traffic not explicitly source routed.
>
> Cheers,
> Robert.
>
> Daren Tay wrote:
> > Hi guys,
> >
> > one more question:
> > say I do the below mentioned way to have multi-gateway setup, but there'll
> > still be a default gateway set in xorpsh yeah?
> > Will this affect how traffic is routed out?
> >
> > Or should I just do away with the default gateway setup?
> >
> > Thanks!
> > Daren
> >
> > -Original Message-
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED] Behalf Of Daren Tay
> > Sent: Saturday, January 05, 2008 12:32 PM
> > To: vyatta-users@mailman.vyatta.com
> > Subject: Re: [Vyatta-users] Managing different subnet with different
> > gateway
> >
> >
> > Ah silly me, the obvious
> >
> > Thanks!
> > Daren
> >
> > -Original Message-
> > From: Robert Bays [mailto:[EMAIL PROTECTED]
> > Sent: Saturday, January 05, 2008 7:00 AM
> > To: Daren Tay
> > Cc: vyatta-users@mailman.vyatta.com
> > Subject: Re: [Vyatta-users] Managing different subnet with different
> > gateway
> >
> >
> > Running traceroute from a system on each subnet should show you
> > different paths.
> >
> > cheers.
> >
> > Daren Tay wrote:
> >> Cool guys :)
> >>
> >> I'm gonna give the ip rule a test when I head back to office on Monday,
> > but
> >> how do I determine that it is working?
> >>
> >> Once that is done, I'll look into the bandwidth throttling.
> >>
> >> Daren
> >>
> >> -Original Message-
> >> From: Robert Bays [mailto:[EMAIL PROTECTED]
> >> Sent: Saturday, January 05, 2008 5:17 AM
> >> To: Daren Tay
> >> Cc: vyatta-users@mailman.vyatta.com
> >> Subject: Re: [Vyatta-users] Managing different subnet with different
> >> gateway
> >>
> >>
> >> Daren,
> >>
> >> Yep.  The tool is the standard linux ip command.  The "ip rule from"
> >> part tells the system that anything from this address should go to table
> >> n.  Each table has a separate default route.
> >>
> >> XORP *shouldn't* kill these routes since they aren't in the master
> >> table.  YMMV.  As Aubrey correctly pointed out, you will want to add
> >> these commands to your startup files so they are added at each boot.
> >>
> >> As for tracking bandwidth, you c
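The two-gateway setup in this thread, replayed in a small Python model of Linux policy routing (ip rule by priority, then longest-prefix match in the selected table). This is an added example, not code from the thread or from Vyatta; it reproduces the `ip route list` and `ip rule list` output Daren posted and uses 8.8.8.8 as a constructed stand-in for an Internet address. It shows the rule for 192.168.30.0/24 reaching gateway #2 through table 2, LAN #1 having no default route in `main` at all, and the point Justin makes: with 192.168.1.0/24 connected on both eth0 and eth1, anything the main table sends to that subnet takes the first of the two routes, so eth1 is never chosen for it.

```python
"""Simplified model of Linux policy routing: ip rule (by priority) -> table -> longest
prefix match.  Added example for the thread above; not code from the thread or from
Vyatta.  The tables and rules are the ones Daren posted (two connected routes for
192.168.1.0/24, one on eth0 and one on eth1, plus table 2 for 192.168.30.0/24); the
Internet destination 8.8.8.8 is a constructed stand-in.  Not modelled: ECMP, lookups
bound to an output interface, ARP, and the route cache."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Route:
    prefix: ipaddress.IPv4Network
    dev: str
    via: Optional[str] = None      # next hop; None means a connected route


@dataclass
class Rule:
    priority: int
    table: str
    src: Optional[ipaddress.IPv4Network] = None   # None matches "from all"


class PolicyRouter:
    def __init__(self) -> None:
        self.tables: Dict[str, List[Route]] = {}
        self.rules: List[Rule] = []

    def add_route(self, table: str, prefix: str, dev: str, via: Optional[str] = None) -> None:
        self.tables.setdefault(table, []).append(Route(ipaddress.ip_network(prefix), dev, via))

    def add_rule(self, priority: int, table: str, src: Optional[str] = None) -> None:
        self.rules.append(Rule(priority, table, ipaddress.ip_network(src) if src else None))
        self.rules.sort(key=lambda r: r.priority)   # stable sort: equal priorities keep insertion order

    def _lookup(self, table: str, dst: ipaddress.IPv4Address) -> Optional[Route]:
        # Longest prefix wins; among equal prefixes the kernel keeps the route that was
        # inserted first, which max() reproduces because it returns the first maximum.
        matches = [r for r in self.tables.get(table, []) if dst in r.prefix]
        return max(matches, key=lambda r: r.prefix.prefixlen) if matches else None

    def route(self, src: str, dst: str) -> Optional[Tuple[str, Optional[str]]]:
        """Return (egress device, next hop), or None for 'Network is unreachable'."""
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        for rule in self.rules:
            if rule.src is not None and s not in rule.src:
                continue
            r = self._lookup(rule.table, d)
            if r is not None:          # a table with no match falls through to the next rule
                return r.dev, r.via
        return None

    def overlapping_connected(self, table: str) -> List[Tuple[str, List[str]]]:
        """Connected prefixes present on more than one interface: the ambiguity Justin points out."""
        devs: Dict[str, List[str]] = {}
        for r in self.tables.get(table, []):
            if r.via is None:
                devs.setdefault(str(r.prefix), []).append(r.dev)
        return [(p, d) for p, d in devs.items() if len(d) > 1]


def darens_router() -> PolicyRouter:
    """Replay of the `ip route list` / `ip rule list` output in the thread."""
    pr = PolicyRouter()
    pr.add_route("main", "192.168.20.0/24", "eth2")
    pr.add_route("main", "192.168.1.0/24", "eth0")
    pr.add_route("main", "192.168.1.0/24", "eth1")
    pr.add_route("main", "192.168.30.0/24", "eth3")
    pr.add_route("2", "0.0.0.0/0", "eth1", via="192.168.1.2")   # default via 192.168.1.2 dev eth1 tab 2
    pr.add_rule(600, "2", "192.168.30.0/24")                     # from 192.168.30.0/24 lookup 2
    pr.add_rule(32766, "main")                                   # from all lookup main
    return pr


if __name__ == "__main__":
    pr = darens_router()
    print("LAN #2 -> Internet:", pr.route("192.168.30.2", "8.8.8.8"))       # ('eth1', '192.168.1.2')
    print("LAN #1 -> Internet:", pr.route("192.168.20.2", "8.8.8.8"))       # None: main has no default route
    print("router -> modem #2:", pr.route("192.168.1.233", "192.168.1.2"))  # ('eth0', None): first /24 wins
    print("LAN #2 -> LAN #1:  ", pr.route("192.168.30.2", "192.168.20.2"))  # ('eth1', '192.168.1.2')
    print("ambiguous:", pr.overlapping_connected("main"))
```

`overlapping_connected` is the check to run on a real `ip route list` before debugging rules: two connected routes for the same prefix on different interfaces means the first one always wins. The model also shows a side effect of the rule as posted: traffic from LAN #2 to LAN #1 is sent to modem #2 as well, because table 2 holds only the default route and the rule catches everything from 192.168.30.0/24; a higher-priority rule for the local prefixes (or copies of the connected routes in table 2) is needed for that.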

Re: [Vyatta-users] help me with firewall

2008-01-30 Thread Justin Fletcher
See the Quick Start Guide or Configuration Guide for multiple examples
(http://www.vyatta.com/twiki/bin/view/Community/DocumentationSet).  Make
sure you accept tcp established to ensure that responses to outbound requests
make it back through the firewall.

Best,
Justin

On Jan 29, 2008 8:05 PM, Go Wow <[EMAIL PROTECTED]> wrote:
> This is my complete configuration, I want to add firewall such that all the
> internal LAN should be able to access internet as there are having access
> now without firewall, I want only port 80 443 to be open to all (yes it
> should be accessible from anywhere) and lastly I have a webserver nat'ted on
> port 81 of eth0 I want to access that too rest all should be blocked, can
> someone please define the rules for this.
>
>
>   protocols {
> rip {
> interface eth0 {
> address 192.168.10.45 {
> metric: 1
> horizon: "split-horizon-poison-reverse"
>  disable: false
> passive: false
> accept-non-rip-requests: true
> accept-default-route: true
> advertise-default-route: true
>  route-timeout: 180
> deletion-delay: 120
> triggered-delay: 3
> triggered-jitter: 66
> update-interval: 30
> update-jitter: 16
>  request-interval: 30
> interpacket-delay: 50
> }
> }
> interface eth1 {
> address 192.168.1.1 {
>  metric: 1
> horizon: "split-horizon-poison-reverse"
> disable: false
> passive: false
> accept-non-rip-requests: true
>  accept-default-route: true
> advertise-default-route: true
> route-timeout: 180
> deletion-delay: 120
> triggered-delay: 3
>  triggered-jitter: 66
> update-interval: 30
> update-jitter: 16
> request-interval: 30
> interpacket-delay: 50
> }
>  }
> }
> }
> policy {
> }
> interfaces {
> restore: false
> loopback lo {
> description: ""
> address 192.168.2.1 {
>  prefix-length: 32
> disable: false
> }
> }
> ethernet eth0 {
> disable: false
> discard: false
> description: ""
>  hw-id: 00:1c:c0:0d:0c:85
> duplex: "auto"
> speed: "auto"
> address 192.168.10.45 {
> prefix-length: 24
>  disable: false
> }
> }
> ethernet eth1 {
> disable: false
> discard: false
> description: ""
> hw-id: 00:08:a1:83:b7:1e
>  duplex: "auto"
> speed: "auto"
> address 192.168.1.1 {
> prefix-length: 24
> disable: false
> }
>  }
> }
> service {
> nat {
> rule 10 {
> type: "destination"
> inbound-interface: "eth0"
> protocols: "tcp"
>  source {
> network: "0.0.0.0/0"
> }
> destination {
> address: "192.168.10.45"
>  port-number 81
> }
> inside-address {
> address: 192.168.1.244
> port-number: 80
> }
>  }
> rule 1000 {
> type: "masquerade"
> outbound-interface: "eth0"
> source {
> network: "192.168.1.0/24"
>  }
> destination {
> network: "0.0.0.0/0"
> }
> }
> }
> ssh {
> port: 22
>  protocol-version: "v2"
> }
> webgui {
> http-port: 80
> https-port: 443
> }
> }
> system {
> host-name: "vyatta"
> domain-name: ""
>  name-server 202.56.250.6
> time-zone: "GMT"
> ntp-server "69.59.150.135"
> gateway-address: 192.168.10.2
>  login {
> user root {
> full-name: ""
> authentication {
> encrypted-password: "$1$$Ht7gBYnxI1xCdO/JOnodh."
> }
>  }
> user vyatta {
> full-name: ""
> authentication {
> encrypted-password: "$1$$Ht7gBYnxI1xCdO/JOnodh."
> }
>  

Re: [Vyatta-users] Unable to login, solved by reboot

2008-01-30 Thread Justin Fletcher
As you can see, nothing jumps out in the log.  A detailed search may
turn up more information; otherwise, at least you've got a work-around
:-)

Justin

On Jan 29, 2008 2:48 PM, Jostein Martinsen-Jones <[EMAIL PROTECTED]> wrote:
> Log result attached.
> I managed to login if I changed the passwords for my "troubled users".
> Sometimes the encrypted-password didn't get encrypted.
>
>
> 2008/1/29, Justin Fletcher <[EMAIL PROTECTED]>:
>
> > Give "show log | match ERROR" a try.
> >
> > Justin
> >
> > On Jan 29, 2008 2:00 PM, Jostein Martinsen-Jones <[EMAIL PROTECTED]>
> wrote:
> > > I have this problem again. Now I was able to login to a user account I
> > > created, but unable to view logfiles since I'm in xorpsh.
> > >
> > > 2008/1/28, Justin Fletcher <[EMAIL PROTECTED]>:
> > >
> > > > Anything untoward in the log files?
> > > >
> > > > Justin
> > > >
> > > > On Jan 28, 2008 7:29 AM, Jostein Martinsen-Jones <[EMAIL PROTECTED]>
> > > wrote:
> > > > > Today I had a weird experience with Vyatta.
> > > > > I was unable to login on any account. Did a reboot, then everything
> was
> > > > > normal.
> > > > > What is going on?
> > > > >
> > > > > ___
> > > > > Vyatta-users mailing list
> > > > > Vyatta-users@mailman.vyatta.com
> > > > > http://mailman.vyatta.com/mailman/listinfo/vyatta-users
> > > > >
> > > > >
> > > >
> > >
> > >
> >
>
>
___
Vyatta-users mailing list
Vyatta-users@mailman.vyatta.com
http://mailman.vyatta.com/mailman/listinfo/vyatta-users


Re: [Vyatta-users] Unable to login, solved by reboot

2008-01-29 Thread Justin Fletcher
Give "show log | match ERROR" a try.

Justin

On Jan 29, 2008 2:00 PM, Jostein Martinsen-Jones <[EMAIL PROTECTED]> wrote:
> I have this problem again. Now I was able to login to a user account I
> created, but unable to view logfiles since I'm in xorpsh.
>
> 2008/1/28, Justin Fletcher <[EMAIL PROTECTED]>:
>
> > Anything untoward in the log files?
> >
> > Justin
> >
> > On Jan 28, 2008 7:29 AM, Jostein Martinsen-Jones <[EMAIL PROTECTED]>
> wrote:
> > > Today I had a weird experience with Vyatta.
> > > I was unable to login on any account. Did a reboot, then everything was
> > > normal.
> > > What is going on?
> > >
> > > ___
> > > Vyatta-users mailing list
> > > Vyatta-users@mailman.vyatta.com
> > > http://mailman.vyatta.com/mailman/listinfo/vyatta-users
> > >
> > >
> >
>
>
___
Vyatta-users mailing list
Vyatta-users@mailman.vyatta.com
http://mailman.vyatta.com/mailman/listinfo/vyatta-users


Re: [Vyatta-users] Firewall: block internal telnet

2008-01-29 Thread Justin Fletcher
See the Vyatta docs at http://www.vyatta.com/documentation/index.php; there
are examples in the firewall chapters.

Best,
Justin

On Jan 29, 2008 12:17 PM, Go Wow <[EMAIL PROTECTED]> wrote:
> okay thanks for replies.
>
> People help with this please, how can I block ssh on router i.e.
> 192.168.10.45 using firewall, I want to give access of ssh to say only ip
> xxx.xxx.xxx.xxx
>
> On 30/01/2008, Beau Walker <[EMAIL PROTECTED]> wrote:
> >
> >
> > You'll want to ask the List that. I could only answer your last question
> because the answer wasn't specific to Vyatta.
> >
> >
> > Beau Walker - CCNA, Linux+
> >
> >
> >
> > 
>  From: Go Wow [mailto:[EMAIL PROTECTED]
> > Sent: Tuesday, January 29, 2008 3:10 PM
> > To: Beau Walker
> > Subject: Re: [Vyatta-users] Firewall: block internal telnet
> >
> >
> > Okay how can I block ssh on router i.e. 192.168.10.45 using firewall, I
> want to give access of ssh to say only ip xxx.xxx.xxx.xxx
>
>
>
> --
> Those that make the rule don't play the game!!
> ___
> Vyatta-users mailing list
> Vyatta-users@mailman.vyatta.com
> http://mailman.vyatta.com/mailman/listinfo/vyatta-users
>
>
___
Vyatta-users mailing list
Vyatta-users@mailman.vyatta.com
http://mailman.vyatta.com/mailman/listinfo/vyatta-users


Re: [Vyatta-users] glendale problems my 1st view

2008-01-29 Thread Justin Fletcher
>  5. any help on the CLI regardless of level shows bash options vs. the Vyatta
> engine options.
>  (confusing to say the least )

If you're logged in as root, you'll get Unix commands listed as well as Vyatta
commands during tab completion/help.  However, if you're an admin level user, you'll
just see the Vyatta command set.  You can still issue Unix commands; you'll just
need to enter them directly.

Justin
___
Vyatta-users mailing list
Vyatta-users@mailman.vyatta.com
http://mailman.vyatta.com/mailman/listinfo/vyatta-users


Re: [Vyatta-users] just two more questions for today... :D

2008-01-29 Thread Justin Fletcher
I think we covered port forwarding :-)

The Vyatta sides of the VPN will be the same; configuring the other
end of the VPN client will be up to you for a site-to-site tunnel.

Undocumented now, but actually in Glendale Alpha 1 is remote client
VPN which works with Windows l2tp.  It's under VPN configuration as well.
Give it a go if you're connecting with Windows.

For a list, see http://www.vyatta.com/twiki/bin/view/Community/TopEnhancements.
Find something you'd like to have yourself, make sure it's not already in
Glendale :-) and work from the Glendale source base.

Glendale is a VERY different CLI than previous releases; it makes adding new
features much simpler once you're used to the new CLI template structure.

Best,
Justin

On Jan 28, 2008 2:32 PM, Nathan McBride <[EMAIL PROTECTED]> wrote:
> I just made a script to load a firewall with iptables.
> I know iptables so until the bug gets fixed I'll just
> do it that way.  I do have two more questions though.
>
> 1). How do I setup 'port-forwarding'.  So when you go
> through port 80 from the wan it sends it to some ip on
> the internal network at port 80?  Do I do this with NAT?
>
> 2). Is there any easy guides on setting up a vpn?  Not a vpn
> like a cisco router to the vyatta router because I found those
> guides, but just a vpn that I can access from work or on any
> computer providing they have an ipsec client?
>
> Is there a list of things you guys want made for Vyatta or a
> project site somewhere?  I'm always looking for things to do in
> my off time.
>
> Nate
>
> ___
> Vyatta-users mailing list
> Vyatta-users@mailman.vyatta.com
> http://mailman.vyatta.com/mailman/listinfo/vyatta-users
>
>
___
Vyatta-users mailing list
Vyatta-users@mailman.vyatta.com
http://mailman.vyatta.com/mailman/listinfo/vyatta-users


Re: [Vyatta-users] Starting to get really frustrated... GRRR :D

2008-01-29 Thread Justin Fletcher
Here's what I use to port-forward ssh; just adjust for address (where
destination address is the public IP) and change it to http.

rule 2 {
    type: "destination"
    inbound-interface: "eth0"
    protocols: "tcp"
    source {
        network: 0.0.0.0/0
    }
    destination {
        address: 1.2.3.4
        port-name ssh
    }
    inside-address {
        address: 10.0.0.30
    }
}

Best,
Justin


On Jan 29, 2008 7:46 AM, Nathan McBride <[EMAIL PROTECTED]> wrote:
> Can someone please help me get this worked out?
> Nate
>
>
> > Ok these are my nat rules now, I didn't see a command to change the rule
> > numbers so i just redid them all by hand.  It still doesn't work.
> >
> >  rule 1 {
> >      type: "destination"
> >      inbound-interface: "eth0"
> >      protocols: "tcp"
> >      destination {
> >          address: "71.62.193.105"
> >          port-name http
> >      }
> >      inside-address {
> >          address: 192.168.0.105
> >      }
> >  }
> >  rule 2 {
> >      type: "masquerade"
> >      outbound-interface: "eth0"
> >      protocols: "all"
> >      source {
> >          network: "192.168.0.0/24"
> >      }
> >      destination {
> >          network: "0.0.0.0/0"
> >      }
> >  }
> >  rule 3 {
> >      type: "masquerade"
> >      outbound-interface: "eth0"
> >      protocols: "all"
> >      source {
> >          network: "192.168.1.0/24"
> >      }
> >      destination {
> >          network: "0.0.0.0/0"
> >      }
> >  }
> >
> > Nate
> >
> > On Mon, 2008-01-28 at 21:39 -0800, An-Cheng Huang wrote:
> > > Hi Nate,
> > >
> > > The "inside-address" is the internal (private) IP address of your Web 
> > > server, which in your case is 192.168.0.105. The "destination address" 
> > > should actually be the public IP address that outside clients will use to 
> > > access your server, so usually this is the public IP address of your 
> > > router.
> > >
> > > An-Cheng
> > >
> > > Nathan McBride wrote:
> > > > I went and looked at the old docs.  I thought I set them up correctly
> > > > but apparently I didn't.  All I'm trying to do is to get people on the
> > > > internet to view the website on my comp (192.168.0.105).  The only
> > > > difference that i noticed when I tried to commit the example in the old
> > > > docs was that vc3 requires an 'inside-address'.  Could someone please
> > > > help me correct this to get it working?
> > > >
> > > > rule 3 {
> > > >     type: "destination"
> > > >     inbound-interface: "eth0"
> > > >     protocols: "tcp"
> > > >     destination {
> > > >         address: "192.168.0.105"
> > > >         port-name http
> > > >     }
> > > >     inside-address {
> > > >         address: 192.168.0.105 <-- didn't know what to put here exactly...
> > > >     }
> > > > }
> > > >
> >
> > ___
> > Vyatta-users mailing list
> > Vyatta-users@mailman.vyatta.com
> > http://mailman.vyatta.com/mailman/listinfo/vyatta-users
>
> ___
> Vyatta-users mailing list
> Vyatta-users@mailman.vyatta.com
> http://mailman.vyatta.com/mailman/listinfo/vyatta-users
>
___
Vyatta-users mailing list
Vyatta-users@mailman.vyatta.com
http://mailman.vyatta.com/mailman/listinfo/vyatta-users
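A small linter for the brace-style configuration quoted in these threads, covering two things the replies point out: the `destination address` of a destination NAT rule must be the public address clients connect to, not the inside host (the first attempt above used 192.168.0.105 for both), and, from the earlier "Unable to login" thread, an `encrypted-password` that "didn't get encrypted" is a plaintext value sitting in that field. This is an added example, not code from the threads or from Vyatta. The sample configuration is constructed, modelled on the snippets posted above; the hash check also flags the `$1$$...` pattern (MD5-crypt with an empty salt) and the same hash on two accounts, both of which can be seen in the configuration posted in the "help me with firewall" thread.

```python
"""Linter for the brace-style configuration shown by VC2/VC3 (`rule 1 { type: "destination" ... }`).
Added example for the "Unable to login" and port-forwarding threads; not code from the threads or
from Vyatta.  SAMPLE_CONFIG is constructed for the demo, modelled on the snippets posted above."""
import re
from typing import Any, Dict, Iterator, List, Tuple

SAMPLE_CONFIG = """\
service {
    nat {
        rule 1 {
            type: "destination"
            destination {
                address: "192.168.0.105"
                port-name http
            }
            inside-address {
                address: 192.168.0.105
            }
        }
    }
}
system {
    login {
        user root {
            authentication {
                encrypted-password: "$1$$AbCdEfGhIjKlMnOpQrStUv"
            }
        }
        user vyatta {
            authentication {
                encrypted-password: "$1$$AbCdEfGhIjKlMnOpQrStUv"
            }
        }
        user jostein {
            authentication {
                encrypted-password: "secret123"
            }
        }
    }
}
"""

def parse_config(text: str) -> Dict[str, Any]:
    """Nested dicts: `name {` opens a child, `}` closes it; a leaf is `key: value` or `key value`."""
    root: Dict[str, Any] = {}
    stack: List[Dict[str, Any]] = [root]
    for line in map(str.strip, text.splitlines()):
        if line.endswith("{"):
            child: Dict[str, Any] = {}
            stack[-1][line[:-1].strip()] = child
            stack.append(child)
        elif line == "}":
            stack.pop()
        elif line:
            key, sep, value = line.partition(":")
            if not sep:
                key, sep, value = line.partition(" ")
            stack[-1][key.strip()] = value.strip().strip('"')
    if len(stack) != 1:
        raise ValueError("unbalanced braces")
    return root

def nodes(tree: Dict[str, Any], prefix: str) -> Iterator[Tuple[str, Dict[str, Any]]]:
    """Yield (name, block) for every block whose name starts with prefix, at any depth."""
    for name, node in tree.items():
        if isinstance(node, dict):
            if name.startswith(prefix):
                yield name, node
            yield from nodes(node, prefix)

def check_destination_nat(tree: Dict[str, Any]) -> List[str]:
    # `destination address` must be the public address clients connect to, never the inside host
    out: List[str] = []
    for name, rule in nodes(tree, "rule "):
        if rule.get("type") != "destination":
            continue
        dst = rule.get("destination", {}).get("address")
        if dst is not None and dst == rule.get("inside-address", {}).get("address"):
            out.append(f"{name}: destination address {dst} is the inside host itself; use the public address")
    return out

# crypt(3) `$id$salt$hash` form (MD5-crypt is `$1$`); the `rounds=` variants are not covered
CRYPT_RE = re.compile(r"^\$[0-9a-z]+\$(?P<salt>[^$]*)\$[./0-9A-Za-z]+$")

def check_login(tree: Dict[str, Any]) -> List[str]:
    # Flag encrypted-password values that are not hashes at all, have an empty salt, or repeat
    out: List[str] = []
    seen: Dict[str, str] = {}
    for name, user in nodes(tree, "user "):
        pw = user.get("authentication", {}).get("encrypted-password", "")
        m = CRYPT_RE.match(pw)
        if not m:
            out.append(f"{name}: encrypted-password is not a crypt(3) hash (stored in the clear?)")
            continue
        if m.group("salt") == "":
            out.append(f"{name}: password hash has an empty salt")
        if seen.setdefault(pw, name) != name:
            out.append(f"{name}: same hash as {seen[pw]} (same password)")
    return out

def lint(text: str) -> List[str]:
    tree = parse_config(text)
    return check_destination_nat(tree) + check_login(tree)
```

Run `lint()` over the output of `show` before posting it anywhere; and anything already pasted to a public list, hashes included, is best treated as disclosed and rotated. The parser handles the `key: value` and `key value` leaf forms seen in the posted output and the plain `$id$salt$hash` crypt(3) form; the `rounds=` variants of SHA-crypt are not matched.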


Re: [Vyatta-users] Weird Routing problem on VC2

2008-01-29 Thread Justin Fletcher
Personally, I'd try Alpha 1.  It'll need more polishing and features to add (which
is why it's an alpha) but there are major improvements with the routing protocols.
Check the Glendale bug list, and see if you'd be affected by any of these first
(like no GUI yet).

Also note that your existing configuration won't be preserved on ISO install which
means you'll have to re-enter it, and there have been major changes to CLI syntax -
even to how you configure an interface (from address prefix-length CML to
address/CML).  However, VPN, firewall, NAT, clustering, and serial commands should
be the same, so you CAN copy an old configuration back and edit it - it's just that
there will be a lot of iterations of loading the configuration to identify and adjust
configuration changes.

Justin

On Jan 28, 2008 7:08 PM, Daren Tay <[EMAIL PROTECTED]> wrote:
> Hi Justin,
>
> embarrassingly so man... haha.
>
> So there are issues with routing after link failures huh.. yep.. we are
> looking to upgrade to VC3 once the new box is in... but to use Alpha 1? Is
> it advisable? It will be for production use.
>
> I need to use the router to handle 2 different WAN connection for 2 separate
> NAT networks.
>
> Daren
>
> -Original Message-
> From: Justin Fletcher [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, January 29, 2008 12:18 AM
> To: Daren Tay
>
> Cc: Robert Bays; Vyatta-users@mailman.vyatta.com
> Subject: Re: [Vyatta-users] Weird Routing problem on VC2
>
>
> Glad you got that figured out - many pieces in play!
>
> Yes, there have been issues with the routing protocols with link failure; a
> search in the bug database will turn up a number of issues.  I'd strongly
> suggest that you look into upgrading to VC3 and check out Glendale Alpha 1.
>
> Best,
> Justin
>
> On Jan 27, 2008 7:03 PM, Daren Tay <[EMAIL PROTECTED]> wrote:
> > Hi all,
> >
> > finally resolved the 1st problem (cannot detect newly inserted web
> machine):
> > end up it was a changed in config in the firewall that caused the
> > situation... my guys changed it without informing me but still, many
> > apologies for the false alarm. My bad.
> >
> > secondly though, the problem still stands. when I plug out the network
> > cables from the router, and insert back in, everything fails.. the router
> > will fail to route. I will need to reset the server for it to work again.
> > For now, we are waiting for a new box to arrive before using VC2.2 and
> > hopefully that resolves the issues, but wonder if it is a bug.. or a badly
> > configure option somewhere?
> >
> > is this the arp cache you are talking about?
> > router:~# arp
> > Address  HWtype  HWaddress   Flags Mask
> > Iface
> >ether   00:0C:DB:2B:AB:68   C
> > eth0
> > 192.168.3.1  ether   00:1B:0C:30:B4:80   C
> > eth1
> >
> > Thanks for your patience guys :)
> > Daren
> >
> > -Original Message-
> > From: Robert Bays [mailto:[EMAIL PROTECTED]
> > Sent: Monday, January 28, 2008 9:32 AM
> > To: Daren Tay
> >
> > Cc: Justin Fletcher; Vyatta-users@mailman.vyatta.com
> > Subject: Re: [Vyatta-users] Weird Routing problem on VC2
> >
> >
> > Daren,
> >
> > Sounds like the router still can't find the new host.  What does your arp
> > cache say for 192.168.1.13 after you try to ping it?  What does your
> > routing table look like?
> >
> > cheers,
> > robert.
> >
> > Daren Tay wrote:
> > > Nope, it was 'pingable' before.
> > > I can still ping the other web servers connected to it... but the newly
> > > added one I can't.
> > > Yet I am able to route out to the public network from the new box...
> > >
> > > -Original Message-
> > > From: Justin Fletcher [mailto:[EMAIL PROTECTED]
> > > Sent: Friday, January 25, 2008 3:16 PM
> > > To: Daren Tay
> > > Cc: Vyatta-users@mailman.vyatta.com
> > > Subject: Re: [Vyatta-users] Weird Routing problem on VC2
> > >
> > >
> > > Does the load balancer have ICMP disabled?  That'd certainly explain
> > > that, unless
> > > you were able to ping it before --
> > >
> > > Since you have the load balancer between the router, I suspect it's a
> > > load balancer issue.
> > >
> > > You can see what's going on by running tshark/tcpdump on the interface,
> > and
> > > see
> > > what's on the wire.  If you can examine the traffic between the load
> > 

Re: [Vyatta-users] Does vyatta read all iptables rules ?

2008-01-28 Thread Justin Fletcher
It'll just work the other way to translate the Vyatta CLI into
iptables.  It's not the other direction (but if you'd like to write a
translator, I'm sure it'd be appreciated!)

Justin

On Jan 28, 2008 1:44 PM, Go Wow <[EMAIL PROTECTED]> wrote:
> hey
>
>  I want to create a rule with iptables, I want to know if I create a rule in
> root shell not vyatta shell using iptables command (of course lol) so does
> vyatta read it and add it to its service>>nat>> rules ?
> ___
> Vyatta-users mailing list
> Vyatta-users@mailman.vyatta.com
> http://mailman.vyatta.com/mailman/listinfo/vyatta-users
>
>
___
Vyatta-users mailing list
Vyatta-users@mailman.vyatta.com
http://mailman.vyatta.com/mailman/listinfo/vyatta-users


Re: [Vyatta-users] Weird Routing problem on VC2

2008-01-28 Thread Justin Fletcher
Glad you got that figured out - many pieces in play!

Yes, there have been issues with the routing protocols with link failure; a
search in the bug database will turn up a number of issues.  I'd strongly
suggest that you look into upgrading to VC3 and check out Glendale Alpha 1.

Best,
Justin

On Jan 27, 2008 7:03 PM, Daren Tay <[EMAIL PROTECTED]> wrote:
> Hi all,
>
> finally resolved the 1st problem (cannot detect newly inserted web machine):
> end up it was a changed in config in the firewall that caused the
> situation... my guys changed it without informing me but still, many
> apologies for the false alarm. My bad.
>
> secondly though, the problem still stands. when I plug out the network
> cables from the router, and insert back in, everything fails.. the router
> will fail to route. I will need to reset the server for it to work again.
> For now, we are waiting for a new box to arrive before using VC2.2 and
> hopefully that resolves the issues, but wonder if it is a bug.. or a badly
> configure option somewhere?
>
> is this the arp cache you are talking about?
> router:~# arp
> Address  HWtype  HWaddress   Flags Mask
> Iface
>ether   00:0C:DB:2B:AB:68   C
> eth0
> 192.168.3.1  ether   00:1B:0C:30:B4:80   C
> eth1
>
> Thanks for your patience guys :)
> Daren
>
> -Original Message-
> From: Robert Bays [mailto:[EMAIL PROTECTED]
> Sent: Monday, January 28, 2008 9:32 AM
> To: Daren Tay
>
> Cc: Justin Fletcher; Vyatta-users@mailman.vyatta.com
> Subject: Re: [Vyatta-users] Weird Routing problem on VC2
>
>
> Daren,
>
> Sounds like the router still can't find the new host.  What does your arp
> cache say for 192.168.1.13 after you try to ping it?  What does your
> routing table look like?
>
> cheers,
> robert.
>
> Daren Tay wrote:
> > Nope, it was 'pingable' before.
> > I can still ping the other web servers connected to it... but the newly
> > added one I can't.
> > Yet I am able to route out to the public network from the new box...
> >
> > -Original Message-
> > From: Justin Fletcher [mailto:[EMAIL PROTECTED]
> > Sent: Friday, January 25, 2008 3:16 PM
> > To: Daren Tay
> > Cc: Vyatta-users@mailman.vyatta.com
> > Subject: Re: [Vyatta-users] Weird Routing problem on VC2
> >
> >
> > Does the load balancer have ICMP disabled?  That'd certainly explain
> > that, unless
> > you were able to ping it before --
> >
> > Since you have the load balancer between the router, I suspect it's a
> > load balancer issue.
> >
> > You can see what's going on by running tshark/tcpdump on the interface,
> and
> > see
> > what's on the wire.  If you can examine the traffic between the load
> > balancer and the
> > servers, you'll learn more :-)
> >
> > Justin
> >
> > On Jan 24, 2008 10:40 PM, Daren Tay <[EMAIL PROTECTED]> wrote:
> >> Hi guys,
> >>
> >> anyone?
> >>
> >> Thanks,
> >> Daren
> >>
> >>
> >> -Original Message-
> >> From: [EMAIL PROTECTED]
> >> [mailto:[EMAIL PROTECTED] Behalf Of Daren Tay
> >> Sent: Wednesday, January 23, 2008 6:29 PM
> >> To: Vyatta-users@mailman.vyatta.com
> >> Subject: [Vyatta-users] Weird Routing problem on VC2
> >>
> >>
> >> Hi guys
> >>
> >> I have this queer problem.
> >>
> >> My setup with Vyatta is like this
> >>
> >>
> >> Internet --- Firewall --- Vyatta Router --- Load Balancer  03 x Web
> >> Servers
> >> |
> >> |
> >>  staging server
> >>
> >>
> >> As you can see, the router sits in front of the load balancer.
> >> First... generally whenever I plug out the network cable from the router,
> >> and insert it back later, everything will fail to route.
> >> Its as if the route table cannot get the new info on its own.. I have to
> >> reset the box to get back the settings.
> >>
> >> secondly, I just add another webserver to the cluster (3rd one).
> >> Interestingly, after adding it, I can't ping the new server nor ssh it
> > from
> >> the router. In fact, from the router, I can't ping the load balancer. But
> > I
> >> can ping the existing 2 web servers perfectly. The entire website is
> sti

Re: [Vyatta-users] Firewall question.

2008-01-28 Thread Justin Fletcher
You shouldn't need the out rule; until a firewall is applied, everything is accepted.
However, the simple rule is protocol any action accept.  That should do it if you
want to be thorough :-)

Justin

On Jan 28, 2008 7:28 AM, Nathan McBride <[EMAIL PROTECTED]> wrote:
> Hey guys,
>
> I just installed Vyatta and have it working. (big step for me)
> But I'm having some trouble.  I first wanted to know if I should
> make the firewall using Vyatta's commands or just iptables?
> I tried iptables and it didn't seem to work. I added a rule to allow ssh
> but ssh couldn'g go through.  So then I made one in Vyatta.  Denied
> ping, enabled ssh, then applied it to the wan interface.  Well that
> killed all network traffic so looking through the manual I saw that when
> I applied the IN rule for the interface I guess the out rule
> automatically got a deny everything since I didn't apply a rule to it.
> So, I needed to add a related and established rule to the in for the wan
> interface.  I did (this is from memory):
>
> set firewall name eth0-in rule 1 action accept
> set firewall name eth0-in rule 1 state established enable
> set firewall name eth0-in rule 1 state related enable
>
> Then I was going to commit this but commit gave an error saying that
> protocol needed to be icmp.  Once I had set that it errored saying
> protocol needed to be tcp...  I'm really confused but I need to get a
> firewall up.
>
> Once this is done I was going make a rule for out on the wan interface
> to allow everything to go out.  Is there a simple rule for this?
>
> Thanks,
> Nate
>
>
> ___
> Vyatta-users mailing list
> Vyatta-users@mailman.vyatta.com
> http://mailman.vyatta.com/mailman/listinfo/vyatta-users
>
>
___
Vyatta-users mailing list
Vyatta-users@mailman.vyatta.com
http://mailman.vyatta.com/mailman/listinfo/vyatta-users
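The in/out behaviour described in this thread and in the "help me with firewall" reply (accept tcp established so that responses to outbound requests make it back through), modelled in Python. This is an added example, not code from the threads or from Vyatta. It follows the replies as stated: a direction with no rule set applied accepts everything, an applied rule set ends in an implicit deny, and an accept rule matching the established state lets the replies back in. Hosts, ports and the rule contents are constructed; NAT and the commit error about the protocol field are not modelled.

```python
"""Model of the in/out firewall behaviour described in the two firewall threads.
Added example, not code from the threads or from Vyatta.  It follows the replies:
a direction with no rule set applied accepts everything; once a rule set is
applied, anything not matched is dropped; an accept rule with
`state established enable` lets replies to connections the box already saw back in.
Addresses and ports are constructed; NAT is left out."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

Tuple5 = Tuple[str, str, int, str, int]   # proto, src, sport, dst, dport


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


@dataclass
class Rule:
    action: str                      # "accept" or "drop"
    protocol: str = "all"            # "tcp", "udp", "icmp" or "all"
    dport: Optional[int] = None      # None matches any destination port
    states: Tuple[str, ...] = ()     # subset of ("new", "established"); empty matches any state


class Firewall:
    def __init__(self) -> None:
        self.conntrack: Set[Tuple5] = set()                      # flows accepted so far, per direction
        self.rulesets: Dict[Tuple[str, str], List[Rule]] = {}    # (iface, "in"|"out") -> rules

    def apply(self, iface: str, direction: str, rules: List[Rule]) -> None:
        self.rulesets[(iface, direction)] = rules

    def _state(self, p: Packet) -> str:
        # "established" if we already passed traffic in the opposite direction of this flow
        return "established" if (p.proto, p.dst, p.dport, p.src, p.sport) in self.conntrack else "new"

    def filter(self, iface: str, direction: str, p: Packet) -> str:
        rules = self.rulesets.get((iface, direction))
        if rules is None:
            verdict = "accept"                          # nothing applied: everything is accepted
        else:
            verdict = "drop"                            # applied rule set: implicit final deny
            state = self._state(p)
            for r in rules:                             # first matching rule decides
                if r.protocol not in ("all", p.proto):
                    continue
                if r.dport is not None and r.dport != p.dport:
                    continue
                if r.states and state not in r.states:
                    continue
                verdict = r.action
                break
        if verdict == "accept":
            self.conntrack.add((p.proto, p.src, p.sport, p.dst, p.dport))
        return verdict


# Nathan's rule set as he describes it: deny ping, allow ssh, applied to eth0 in
NO_ESTABLISHED = [Rule("drop", "icmp"), Rule("accept", "tcp", dport=22)]
# The same with the established rule the replies call for, placed first
WITH_ESTABLISHED = [Rule("accept", states=("established",))] + NO_ESTABLISHED


def web_from_lan(rules: List[Rule]) -> Tuple[str, str]:
    """LAN host fetches a page through eth0: (verdict on the SYN going out, verdict on the SYN/ACK back)."""
    fw = Firewall()
    fw.apply("eth0", "in", rules)                      # nothing applied on eth0 out
    syn = Packet("tcp", "192.168.0.10", 40000, "203.0.113.5", 80)
    syn_ack = Packet("tcp", "203.0.113.5", 80, "192.168.0.10", 40000)
    return fw.filter("eth0", "out", syn), fw.filter("eth0", "in", syn_ack)


def unsolicited_from_wan(rules: List[Rule]) -> Tuple[str, str]:
    """Outside host opens new connections to the router: (verdict for https, verdict for ssh)."""
    fw = Firewall()
    fw.apply("eth0", "in", rules)
    https = Packet("tcp", "198.51.100.7", 51000, "203.0.113.10", 443)
    ssh = Packet("tcp", "198.51.100.7", 51001, "203.0.113.10", 22)
    return fw.filter("eth0", "in", https), fw.filter("eth0", "in", ssh)


if __name__ == "__main__":
    print("without established rule:", web_from_lan(NO_ESTABLISHED))            # ('accept', 'drop')
    print("with established rule:   ", web_from_lan(WITH_ESTABLISHED))          # ('accept', 'accept')
    print("unsolicited, with rule:  ", unsolicited_from_wan(WITH_ESTABLISHED))  # ('drop', 'accept')
```

The first case is what killed the network in the post above: the outbound SYN leaves because nothing is applied on `out`, but the SYN/ACK arriving on `in` matches neither the icmp drop nor the ssh accept and falls to the implicit deny. With the established rule first, replies get back in while a fresh inbound connection to anything but ssh is still dropped, which is the ordering to keep when the real rule set grows.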


Re: [Vyatta-users] Unable to login, solved by reboot

2008-01-28 Thread Justin Fletcher
Anything untoward in the log files?

Justin

On Jan 28, 2008 7:29 AM, Jostein Martinsen-Jones <[EMAIL PROTECTED]> wrote:
> Today I had a weird experience with Vyatta.
> I was unable to login on any account. Did a reboot, then everything was
> normal.
> What is going on?
>
> ___
> Vyatta-users mailing list
> Vyatta-users@mailman.vyatta.com
> http://mailman.vyatta.com/mailman/listinfo/vyatta-users
>
>
___
Vyatta-users mailing list
Vyatta-users@mailman.vyatta.com
http://mailman.vyatta.com/mailman/listinfo/vyatta-users


Re: [Vyatta-users] E-mail only

2008-01-28 Thread Justin Fletcher
You'll find good firewall documentation and examples at
http://www.vyatta.com/documentation/index.php.

Best,
Justin

On Jan 27, 2008 10:38 PM, Erwin kobe Tolentino <[EMAIL PROTECTED]> wrote:
> I want to set up my Vyatta as a router and firewall.
> I have already configured the Vyatta router but I want to control the internet in
> my LAN.
> I want to configure it as email only!!! like OUTLOOK EXPRESS
>
> anyone can help me!!
>
> my configuration is this
>
> interfaces
> ethernet eth0
>   address 192.168.100.11
>  prefix-length 24
> ethernet eth1
>   address 10.10.10.1
>  prefix-length 24
> firewall name fwall
>
> nat
>   rule 1
>type masquerade
>   outbound-interface eth0
>   protocol all
>
> firewall
> name fwall
>action accept
>distination network 10.10.10.0/24
>
>
> ___
> Vyatta-users mailing list
> Vyatta-users@mailman.vyatta.com
> http://mailman.vyatta.com/mailman/listinfo/vyatta-users
>
>
___
Vyatta-users mailing list
Vyatta-users@mailman.vyatta.com
http://mailman.vyatta.com/mailman/listinfo/vyatta-users


Re: [Vyatta-users] VPN: clients to router configuration

2008-01-27 Thread Justin Fletcher
Yes, assuming they're Linux systems.

Best,
Justin

On Jan 27, 2008 10:08 AM, Jostein Martinsen-Jones <[EMAIL PROTECTED]> wrote:
> OK, I did a test with that earlier today but got unsure if it was correct.
> So my clients can use openswan then?
>
>
>
> 2008/1/27, Justin Fletcher <[EMAIL PROTECTED]>:
> > Set up another site-to-site tunnel with the peer as 0.0.0.0; that'll
> > allow anyone to connect that's authenticated.
> >
> > You'll then need to set up your clients to connect using IPsec.
> >
> > Justin
> >
> > On Jan 27, 2008 9:42 AM, Jostein Martinsen-Jones <[EMAIL PROTECTED]>
> wrote:
> > >
> > > Ok, I have a site-to-site up and running between my Vyatta and a Netgear
> > > FVS338 VPN/Firewall box.
> > >
> > > I also have several road warriors that need access to a LAN behind the
> > > Netgear box, so I want them to connect to the Vyatta router (because it's too
> > > hard to make a client connect to the netgear box). I think this is like a "hub
> > > and spoke" setup.
> > >
> > > I am not using Glendale.
> > >
> > >
> > >
> > > 2008/1/27, Justin Fletcher <[EMAIL PROTECTED]>:
> > >
> > > > A few questions - are you terminating the VPN on the Vyatta router?
> > > > Is it site-to-site,
> > > > or are you running Glendale alpha and trying out the remote access
> > > > VPN?  Or is the VPN a separate system?
> > > >
> > > > If it's site-to-site, just set up an Openswan connection.
> > > > If it's remote access, see http://stuff.pulkes.org/l2tp/ as an option.
> > > > Otherwise, the Vyatta router should just forward traffic --
> > > >
> > > > Best,
> > > > Justin
> > > >
> > > > On Jan 27, 2008 7:56 AM, Jostein Martinsen-Jones <[EMAIL PROTECTED]>
> > > wrote:
> > > > > Hi all
> > > > >
> > > > > I am looking for information on how to setup my Vyatta router so
> clients
> > > > > using Linux can get access to our VPN.
> > > > >
> > > > > Any help is appreciated!
> > > > >
> > > > >
> > > > >
> > > > > ___
> > > > > Vyatta-users mailing list
> > > > > Vyatta-users@mailman.vyatta.com
> > > > > http://mailman.vyatta.com/mailman/listinfo/vyatta-users
> > > > >
> > > > >
> > > >
> > >
> > >
> > > ___
> > > Vyatta-users mailing list
> > > Vyatta-users@mailman.vyatta.com
> > > http://mailman.vyatta.com/mailman/listinfo/vyatta-users
> > >
> > >
> >
>
>
___
Vyatta-users mailing list
Vyatta-users@mailman.vyatta.com
http://mailman.vyatta.com/mailman/listinfo/vyatta-users


Re: [Vyatta-users] VPN: clients to router configuration

2008-01-27 Thread Justin Fletcher
Set up another site-to-site tunnel with the peer as 0.0.0.0; that'll
allow anyone to connect that's authenticated.

You'll then need to set up your clients to connect using IPsec.

Justin

On Jan 27, 2008 9:42 AM, Jostein Martinsen-Jones <[EMAIL PROTECTED]> wrote:
>
> Ok, I have a site-to-site up and running between my Vyatta and a Netgear
> FVS338 VPN/Firewall box.
>
> I also have several road warriors that need access to a LAN behind the
> Netgear box, so I want them to connect to the Vyatta router (because it's too
> hard to make a client connect to the netgear box). I think this is like a "hub
> and spoke" setup.
>
> I am not using Glendale.
>
>
>
> 2008/1/27, Justin Fletcher <[EMAIL PROTECTED]>:
>
> > A few questions - are you terminating the VPN on the Vyatta router?
> > Is it site-to-site,
> > or are you running Glendale alpha and trying out the remote access
> > VPN?  Or is the VPN a separate system?
> >
> > If it's site-to-site, just set up an Openswan connection.
> > If it's remote access, see http://stuff.pulkes.org/l2tp/ as an option.
> > Otherwise, the Vyatta router should just forward traffic --
> >
> > Best,
> > Justin
> >
> > On Jan 27, 2008 7:56 AM, Jostein Martinsen-Jones <[EMAIL PROTECTED]>
> wrote:
> > > Hi all
> > >
> > > I am looking for information on how to setup my Vyatta router so clients
> > > using Linux can get access to our VPN.
> > >
> > > Any help is appreciated!
> > >
> > >
> > >
> > > ___
> > > Vyatta-users mailing list
> > > Vyatta-users@mailman.vyatta.com
> > > http://mailman.vyatta.com/mailman/listinfo/vyatta-users
> > >
> > >
> >
>
>
> ___
> Vyatta-users mailing list
> Vyatta-users@mailman.vyatta.com
> http://mailman.vyatta.com/mailman/listinfo/vyatta-users
>
>
___
Vyatta-users mailing list
Vyatta-users@mailman.vyatta.com
http://mailman.vyatta.com/mailman/listinfo/vyatta-users


Re: [Vyatta-users] VPN: clients to router configuration

2008-01-27 Thread Justin Fletcher
A few questions - are you terminating the VPN on the Vyatta router?
Is it site-to-site,
or are you running Glendale alpha and trying out the remote access
VPN?  Or is the VPN a separate system?

If it's site-to-site, just set up an Openswan connection.
If it's remote access, see http://stuff.pulkes.org/l2tp/ as an option.
Otherwise, the Vyatta router should just forward traffic --

Best,
Justin

On Jan 27, 2008 7:56 AM, Jostein Martinsen-Jones <[EMAIL PROTECTED]> wrote:
> Hi all
>
> I am looking for information on how to setup my Vyatta router so clients
> using Linux can get access to our VPN.
>
> Any help is appreciated!
>
>
>
> ___
> Vyatta-users mailing list
> Vyatta-users@mailman.vyatta.com
> http://mailman.vyatta.com/mailman/listinfo/vyatta-users
>
>
___
Vyatta-users mailing list
Vyatta-users@mailman.vyatta.com
http://mailman.vyatta.com/mailman/listinfo/vyatta-users


Re: [Vyatta-users] Weird Routing problem on VC2

2008-01-24 Thread Justin Fletcher
Does the load balancer have ICMP disabled?  That'd certainly explain
that, unless
you were able to ping it before --

Since you have the load balancer between the router, I suspect it's a
load balancer issue.

You can see what's going on by running tshark/tcpdump on the interface, and see
what's on the wire.  If you can examine the traffic between the load
balancer and the
servers, you'll learn more :-)

Justin

On Jan 24, 2008 10:40 PM, Daren Tay <[EMAIL PROTECTED]> wrote:
> Hi guys,
>
> anyone?
>
> Thanks,
> Daren
>
>
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] Behalf Of Daren Tay
> Sent: Wednesday, January 23, 2008 6:29 PM
> To: Vyatta-users@mailman.vyatta.com
> Subject: [Vyatta-users] Weird Routing problem on VC2
>
>
> Hi guys
>
> I have this queer problem.
>
> My setup with Vyatta is like this
>
>
> Internet --- Firewall --- Vyatta Router --- Load Balancer  03 x Web
> Servers
> |
> |
>  staging server
>
>
> As you can see, the router sits in front of the load balancer.
> First... generally whenever I unplug the network cable from the router,
> and insert it back later, everything will fail to route.
> It's as if the route table cannot get the new info on its own.. I have to
> reset the box to get back the settings.
>
> Secondly, I just added another webserver to the cluster (3rd one).
> Interestingly, after adding it, I can't ping the new server nor ssh to it from
> the router. In fact, from the router, I can't ping the load balancer. But I
> can ping the existing 2 web servers perfectly. The entire website is still
> running.
>
> I suspect it's something to do with the routing ... is there any bug with VC2
> on this?
>
> Would appreciate some pointers :)
> Many thanks!
> Daren
>
> ___
> Vyatta-users mailing list
> Vyatta-users@mailman.vyatta.com
> http://mailman.vyatta.com/mailman/listinfo/vyatta-users
>
> ___
> Vyatta-users mailing list
> Vyatta-users@mailman.vyatta.com
> http://mailman.vyatta.com/mailman/listinfo/vyatta-users
>
___
Vyatta-users mailing list
Vyatta-users@mailman.vyatta.com
http://mailman.vyatta.com/mailman/listinfo/vyatta-users


Re: [Vyatta-users] DHCP

2008-01-22 Thread Justin Fletcher
What are the destination addresses that are being forwarded?

Broadcasts shouldn't be forwarded, but the router needs to know that they're
broadcast addresses.  It'll only recognize 10.1.255.255 and 10.2.255.255 as
broadcast addresses.  If a system is sending requests to, say, 10.1.12.255
where a system is set up as a /24, that address is recognized as a perfectly
valid address and will be forwarded.

Justin

On Jan 22, 2008 1:01 PM,  <[EMAIL PROTECTED]> wrote:
>
> I've set up a very basic router with only two interfaces: eth0 is my
> 10.1.0.0 subnet and eth1 is my 10.2.0.0 subnet. The router's default gateway
> is my Internet router.  The subnets are in different buildings on our campus
> connected via a wireless link.  I use them mainly in conjunction with
> Windows Server 2003 sites to control replication of the of the Active
> Directory and the Distributed File System set up for user home folders.
> Internet access, internal routing between my two subnets, and replication of
> the AD and DFS work fine.
>
> My problem is that dhcp request broadcasts are being forwarded to the
> 10.2.0.0 subnet from the 10.1.0.0 subnet.  Each subnet has its own dhcp
> server (implemented on 2003 machines not the router).  Hosts that should
> receive 10.1.x.x addresses are receiving 10.2.x.x addresses.  dhcp
> forwarding is not configured on the router.  My understanding from the
> documentation is that the router should automatically block broadcasts.  I
> would appreciate any help in discovering what I'm missing.   Below is my
> configuration.
>
> Thanks,
> Robert
>
> protocols {
> }
> policy {
> }
> interfaces {
> restore: false
> loopback lo {
> description: ""
> }
> ethernet eth0 {
> disable: false
> discard: false
> description: ""
> hw-id: 00:d0:b7:92:50:b7
> duplex: "auto"
> speed: "auto"
> address 10.1.0.253 {
> prefix-length: 16
> disable: false
> }
> }
> ethernet eth1 {
> disable: false
> discard: false
> description: ""
> hw-id: 00:d0:b7:92:9a:ab
> duplex: "auto"
> speed: "auto"
> address 10.2.0.1 {
> prefix-length: 16
> disable: false
> }
> }
> }
> service {
> webgui {
> http-port: 80
> https-port: 443
> }
> }
> firewall {
> log-martians: "enable"
> send-redirects: "disable"
> receive-redirects: "disable"
> ip-src-route: "disable"
> broadcast-ping: "disable"
> syn-cookies: "enable"
> }
> system {
> host-name: "HSRouter"
> domain-name: ""
> name-server 206.54.112.1
> time-zone: "Denver"
> ntp-server "69.59.150.135"
> gateway-address: 10.1.0.254
> login {
> user root {
> full-name: ""
> authentication {
> encrypted-password: "$1$$Ht7gBYnxI1xCdO/JOnodh."
> }
> }
> user vyatta {
> full-name: ""
> authentication {
> encrypted-password: "$1$$Ht7gBYnxI1xCdO/JOnodh."
> }
> }
> }
> package {
> auto-sync: 1
> repository community {
> component: "main"
> url: "http://archive.vyatta.com/vyatta";
> }
> }
> }
>
> ___
> Vyatta-users mailing list
> Vyatta-users@mailman.vyatta.com
> http://mailman.vyatta.com/mailman/listinfo/vyatta-users
>
>
___
Vyatta-users mailing list
Vyatta-users@mailman.vyatta.com
http://mailman.vyatta.com/mailman/listinfo/vyatta-users
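
The distinction drawn in the reply above (a router treats a destination as a broadcast only when it is the broadcast address of a subnet the router itself is configured on, so a host with a narrower mask sends its "broadcast" to what the router sees as an ordinary unicast address) can be checked against a host inventory before it turns into a DHCP surprise. The following is an added example written for this archive, not code from the thread or from Vyatta. It uses the two /16 interface addresses from Robert's config; the host list is constructed, and `router_view` is a model of the forwarding decision, not Vyatta's own code.

```python
"""Router-side view of 'broadcast' destinations (added example)."""
from ipaddress import IPv4Address, IPv4Interface

# The router's interfaces as configured in Robert's config above (both /16).
ROUTER_INTERFACES = {
    "eth0": IPv4Interface("10.1.0.253/16"),
    "eth1": IPv4Interface("10.2.0.1/16"),
}

LIMITED_BROADCAST = IPv4Address("255.255.255.255")


def router_view(dst, interfaces=ROUTER_INTERFACES):
    """How the router classifies a destination address.

    'limited-broadcast' : 255.255.255.255, never leaves the local link
    'subnet-broadcast'  : the broadcast address of one of the router's own
                          directly connected subnets, not forwarded
    'unicast'           : anything else, including a narrower subnet's
                          broadcast address, treated as an ordinary host
    """
    addr = IPv4Address(dst)
    if addr == LIMITED_BROADCAST:
        return "limited-broadcast"
    for iface in interfaces.values():
        if addr == iface.network.broadcast_address:
            return "subnet-broadcast"
    return "unicast"


def host_broadcast(host_iface):
    """The directed broadcast address a host computes from its *own* mask."""
    return str(IPv4Interface(host_iface).network.broadcast_address)


def mismatched_hosts(hosts, interfaces=ROUTER_INTERFACES):
    """Hosts whose own broadcast address the router will not recognise as a
    broadcast. Returns (host, its_broadcast, router_classification) tuples."""
    mismatches = []
    for host in hosts:
        bcast = host_broadcast(host)
        view = router_view(bcast, interfaces)
        if view != "subnet-broadcast":
            mismatches.append((host, bcast, view))
    return mismatches


# Constructed inventory: two hosts carry a /24 mask on what the router
# sees as a /16 network, two are configured consistently with the router.
SAMPLE_HOSTS = ["10.1.12.7/24", "10.1.30.5/16", "10.2.4.9/24", "10.2.0.77/16"]

if __name__ == "__main__":
    for host, bcast, view in mismatched_hosts(SAMPLE_HOSTS):
        print(f"{host}: sends broadcasts to {bcast}, router treats it as {view}")
```

Feeding the real DHCP server logs or a packet capture's destination addresses into `router_view` answers the question asked at the top of the reply: anything that comes back as `unicast` was forwarded because the router had no reason not to.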


Re: [Vyatta-users] Emergency Config paste? How do you prepare?

2008-01-18 Thread Justin Fletcher
There are a couple of choices.  You can copy your configuration using
scp (it's /opt/vyatta/etc/config/config.boot) to another server.  From
a blank slate/system,
all you need to do is to configure an interface and a default gateway,
scp the configuration
back, and load the restored configuration.

You can also use ZipTie for configuration management; see http://www.ziptie.org.

Justin

On Jan 18, 2008 10:07 AM,  <[EMAIL PROTECTED]> wrote:
> All,
>
> Coming from a Cisco world, I could copy the config file to a tftp server and 
> once I have 1 interface open-- I could essentially paste in everything on a 
> blank router(or com port). This is helpful when I had to replace a failing 
> router with a backup one mid-day. How would I do the same with Vyatta? I was 
> thinking if I could SCP the config file and make it the config.boot file, I 
> could just do a reboot and it would all come back?
>
> Perhaps I'm a little confused on essentially doing a big 'paste' of all the 
> configs, particularly the firewall rules.
>
> If anyone else has some good backup strategies on vyatta router configs, 
> please share-- I'm a little new at this one.
>
> Thanks in advance,
>
> Aaron
> ___
> Vyatta-users mailing list
> Vyatta-users@mailman.vyatta.com
> http://mailman.vyatta.com/mailman/listinfo/vyatta-users
>
___
Vyatta-users mailing list
Vyatta-users@mailman.vyatta.com
http://mailman.vyatta.com/mailman/listinfo/vyatta-users


Re: [Vyatta-users] Waiting for xorp_rtrmgr...

2008-01-18 Thread Justin Fletcher
I was less than couple in my previous answer :-)

I'll point out that unlike other router vendors, the source code and
build instructions
are available to everyone. One of the real benefits of open source
means that bug
fixes are available as soon as they're entered into the source code.

You also have access to package updates which include the most recent changes,
including this bug fix; it's just not in a formal release.  See
http://www.vyatta.com/twiki/bin/view/Community/UnderstandingPackageArchives
for
details.

Best,
Justin

On Jan 18, 2008 5:36 AM, Shane McKinley <[EMAIL PROTECTED]> wrote:
> Is that how the Vyatta company operates? Leave bugs unpatched and hope
> someone will pay for support? It would seem to make more sense to hold
> features back instead of bugs.
>
> I am more than willing to pay for support, but I wanted to make sure the
> product would work for me first.
>
> I have a better idea -- Patch the bugs, and allow the software to be
> functional for the purpose it was created. Then we are talking.
>
> Unfortunately it seems Vyatta is unlikely an acceptable replacement for
> my Cisco 7500.
>
> So far I have run into 3 detrimental issues and the routing bugs bring
> me just short of a dead end.
>
> 1. VRRP Limitations
> 2. Policy System Limitations
> 3. Routing Bugs
>
> I am still going to try to work around this issue, but maybe the Vyatta
> company can re-think the bug-fix-holding for monetary purposes
> philosophy.
>
> With all due respect,
>
> Shane McKinley
> Habersham EMC
>
> -Original Message-
> From: Justin Fletcher [mailto:[EMAIL PROTECTED]
>
> Sent: Thursday, January 17, 2008 9:01 PM
> To: Shane McKinley
> Cc: vyatta-users@mailman.vyatta.com
> Subject: Re: [Vyatta-users] Waiting for xorp_rtrmgr...
>
> I think you've hit bug 2390: RIB: xorp_rib crashed after a static route
> with a nextop through an unxisted interface or a route being configured
> and committed
>
> See https://bugzilla.vyatta.com/show_bug.cgi?id=2390 ; it's fixed in the
> supported version.
>
> Best,
> Justin
>
> On Jan 17, 2008 5:19 PM, Shane McKinley <[EMAIL PROTECTED]> wrote:
> >
> >
> >
> > #1 - No, but I do have a static interface-route with XX.128.128.0/20 -
>
> > the actual interface is XX.128.128.0/24 -- the reason I have this is
> > for proper BGP exporting
> >  #2 - Invalid, my mistake
> >  #3 - Ditto to #1
> >
> >  My interface-routes are last on my static routes list in the config
> > -- could this be the issue?
> >
> >  -Shane
> >
> >
> >
> >
> >  Are they all assigned to a system that's on a network that's directly
>
> > connected to the router?
> >
> >  On Jan 17, 2008 3:59 PM, Shane McKinley <[EMAIL PROTECTED]> wrote:
> >  >
> >  >
> >  >
> >  > None of these next-hop addresses are assigned to an interface on
> > the router.
> >  >
> >  >  Shane
> >  >
> >  >
> >  >  -Original Message-
> >  >  From: Justin Fletcher [mailto:[EMAIL PROTECTED]
> >  >  Sent: Thu 1/17/2008 6:46 PM
> >  >  To: Shane McKinley
> >  >  Cc: vyatta-users@mailman.vyatta.com
> >  >  Subject: Re: [Vyatta-users] Waiting for xorp_rtrmgr...
> >  >
> >  >  Are the next hops directly connected?  There was an issue with
> >  >  recursive route lookup --
> >  >
> >  >  On Jan 17, 2008 2:56 PM, Shane McKinley <[EMAIL PROTECTED]> wrote:
> >  >  > I have found the static routes causing the issue:
> >  >  >
> >  >  > route XZ.85.142.64/26 {
> >  >  > next-hop: XX.128.129.18
> >  >  > metric: 1
> >  >  > }
> >  >  > route XX.128.136.216/29 {
> >  >  > next-hop: XZ.85.140.254
> >  >  > metric: 1
> >  >  > }
> >  >  > route XX.128.140.16/29 {
> >  >  > next-hop: XX.128.140.26
> >  >  > metric: 1
> >  >  > }
> >  >  >
> >  >  > Now, the question is why? How can I dig further to find out why
> >  >  > these are causing the rtrmgr to crash?
> >  >  >
> >  >  > Shane McKinley
> >  >  > Habersham EMC
> >  >  >
> >  >  > -Original Message-
> >  >  > From: Dave Roberts [mailto:[EMAIL PROTECTED]
> >  >  > Sent: Thursday, January 17, 2008 5:16 PM
> >  >  > To: Shane McKinley; vyatta-users@mailman.vya

Re: [Vyatta-users] Waiting for xorp_rtrmgr...

2008-01-17 Thread Justin Fletcher
I think you've hit bug 2390: RIB: xorp_rib crashed after a static
route with a nextop through an unxisted interface or a route being
configured and committed

See https://bugzilla.vyatta.com/show_bug.cgi?id=2390 ; it's fixed in
the supported version.

Best,
Justin

On Jan 17, 2008 5:19 PM, Shane McKinley <[EMAIL PROTECTED]> wrote:
>
>
>
> #1 - No, but I do have a static interface-route with XX.128.128.0/20 - the
> actual interface is XX.128.128.0/24 -- the reason I have this is for proper
> BGP exporting
>  #2 - Invalid, my mistake
>  #3 - Ditto to #1
>
>  My interface-routes are last on my static routes list in the config --
> could this be the issue?
>
>  -Shane
>
>
>
>
>  Are they all assigned to a system that's on a network that's directly
>  connected to the router?
>
>  On Jan 17, 2008 3:59 PM, Shane McKinley <[EMAIL PROTECTED]> wrote:
>  >
>  >
>  >
>  > None of these next-hop addresses are assigned to an interface on the
> router.
>  >
>  >  Shane
>  >
>  >
>  >  -Original Message-
>  >  From: Justin Fletcher [mailto:[EMAIL PROTECTED]
>  >  Sent: Thu 1/17/2008 6:46 PM
>  >  To: Shane McKinley
>  >
>  >  Cc: vyatta-users@mailman.vyatta.com
>  >  Subject: Re: [Vyatta-users] Waiting for xorp_rtrmgr...
>  >
>  >  Are the next hops directly connected?  There was an issue with
>  >  recursive route lookup --
>  >
>  >  On Jan 17, 2008 2:56 PM, Shane McKinley <[EMAIL PROTECTED]> wrote:
>  >  > I have found the static routes causing the issue:
>  >  >
>  >  > route XZ.85.142.64/26 {
>  >  > next-hop: XX.128.129.18
>  >  > metric: 1
>  >  > }
>  >  > route XX.128.136.216/29 {
>  >  > next-hop: XZ.85.140.254
>  >  > metric: 1
>  >  > }
>  >  > route XX.128.140.16/29 {
>  >  > next-hop: XX.128.140.26
>  >  > metric: 1
>  >  > }
>  >  >
>  >  > Now, the question is why? How can I dig further to find out why these
>  >  > are causing the rtrmgr to crash?
>  >  >
>  >  > Shane McKinley
>  >  > Habersham EMC
>  >  >
>  >  > -Original Message-
>  >  > From: Dave Roberts [mailto:[EMAIL PROTECTED]
>  >  > Sent: Thursday, January 17, 2008 5:16 PM
>  >  >
>  >  > To: Shane McKinley; vyatta-users@mailman.vyatta.com
>  >  > Subject: RE: [Vyatta-users] Waiting for xorp_rtrmgr...
>  >  >
>  >  > > (SIDE NOTE: (No offense meant) Why should changing interface
> notations
>  >  >
>  >  > > and static routes cause anything to crash?)
>  >  >
>  >  > It shouldn't. That's one of the big things we're fixing in Glendale.
> The
>  >  > Routermanager process did not handle errors well at all. It has been
>  >  > eliminated entirely in Glendale.
>  >  >
>  >  > -- Dave
>  >  >
>  >  > ___
>  >  > Vyatta-users mailing list
>  >  > Vyatta-users@mailman.vyatta.com
>  >  > http://mailman.vyatta.com/mailman/listinfo/vyatta-users
>  >  >
>  >
>  >
>
>
___
Vyatta-users mailing list
Vyatta-users@mailman.vyatta.com
http://mailman.vyatta.com/mailman/listinfo/vyatta-users


Re: [Vyatta-users] vmware server and live CD

2008-01-17 Thread Justin Fletcher
Can you provide just a bit more information?

Justin

On Jan 17, 2008 4:41 PM, Rick Mitchell <[EMAIL PROTECTED]> wrote:
> I cannot get the live CD to boot up successfully; it tries to but
> fails. Any suggestions?
>
> --
> Rick Mitchell
> ___
> Vyatta-users mailing list
> Vyatta-users@mailman.vyatta.com
> http://mailman.vyatta.com/mailman/listinfo/vyatta-users
>
___
Vyatta-users mailing list
Vyatta-users@mailman.vyatta.com
http://mailman.vyatta.com/mailman/listinfo/vyatta-users


Re: [Vyatta-users] Waiting for xorp_rtrmgr...

2008-01-17 Thread Justin Fletcher
Are they all assigned to a system that's on a network that's directly
connected to the router?

On Jan 17, 2008 3:59 PM, Shane McKinley <[EMAIL PROTECTED]> wrote:
>
>
>
> None of these next-hop addresses are assigned to an interface on the router.
>
>  Shane
>
>
>  -Original Message-
>  From: Justin Fletcher [mailto:[EMAIL PROTECTED]
>  Sent: Thu 1/17/2008 6:46 PM
>  To: Shane McKinley
>
>  Cc: vyatta-users@mailman.vyatta.com
>  Subject: Re: [Vyatta-users] Waiting for xorp_rtrmgr...
>
>  Are the next hops directly connected?  There was an issue with
>  recursive route lookup --
>
>  On Jan 17, 2008 2:56 PM, Shane McKinley <[EMAIL PROTECTED]> wrote:
>  > I have found the static routes causing the issue:
>  >
>  > route XZ.85.142.64/26 {
>  > next-hop: XX.128.129.18
>  > metric: 1
>  > }
>  > route XX.128.136.216/29 {
>  > next-hop: XZ.85.140.254
>  > metric: 1
>  > }
>  > route XX.128.140.16/29 {
>  > next-hop: XX.128.140.26
>  > metric: 1
>  > }
>  >
>  > Now, the question is why? How can I dig further to find out why these
>  > are causing the rtrmgr to crash?
>  >
>  > Shane McKinley
>  > Habersham EMC
>  >
>  > -Original Message-
>  > From: Dave Roberts [mailto:[EMAIL PROTECTED]
>  > Sent: Thursday, January 17, 2008 5:16 PM
>  >
>  > To: Shane McKinley; vyatta-users@mailman.vyatta.com
>  > Subject: RE: [Vyatta-users] Waiting for xorp_rtrmgr...
>  >
>  > > (SIDE NOTE: (No offense meant) Why should changing interface notations
>  >
>  > > and static routes cause anything to crash?)
>  >
>  > It shouldn't. That's one of the big things we're fixing in Glendale. The
>  > Routermanager process did not handle errors well at all. It has been
>  > eliminated entirely in Glendale.
>  >
>  > -- Dave
>  >
>  > ___
>  > Vyatta-users mailing list
>  > Vyatta-users@mailman.vyatta.com
>  > http://mailman.vyatta.com/mailman/listinfo/vyatta-users
>  >
>
>
___
Vyatta-users mailing list
Vyatta-users@mailman.vyatta.com
http://mailman.vyatta.com/mailman/listinfo/vyatta-users


Re: [Vyatta-users] Waiting for xorp_rtrmgr...

2008-01-17 Thread Justin Fletcher
Are the next hops directly connected?  There was an issue with
recursive route lookup --

On Jan 17, 2008 2:56 PM, Shane McKinley <[EMAIL PROTECTED]> wrote:
> I have found the static routes causing the issue:
>
> route XZ.85.142.64/26 {
> next-hop: XX.128.129.18
> metric: 1
> }
> route XX.128.136.216/29 {
> next-hop: XZ.85.140.254
> metric: 1
> }
> route XX.128.140.16/29 {
> next-hop: XX.128.140.26
> metric: 1
> }
>
> Now, the question is why? How can I dig further to find out why these
> are causing the rtrmgr to crash?
>
> Shane McKinley
> Habersham EMC
>
> -Original Message-
> From: Dave Roberts [mailto:[EMAIL PROTECTED]
> Sent: Thursday, January 17, 2008 5:16 PM
>
> To: Shane McKinley; vyatta-users@mailman.vyatta.com
> Subject: RE: [Vyatta-users] Waiting for xorp_rtrmgr...
>
> > (SIDE NOTE: (No offense meant) Why should changing interface notations
>
> > and static routes cause anything to crash?)
>
> It shouldn't. That's one of the big things we're fixing in Glendale. The
> Routermanager process did not handle errors well at all. It has been
> eliminated entirely in Glendale.
>
> -- Dave
>
> ___
> Vyatta-users mailing list
> Vyatta-users@mailman.vyatta.com
> http://mailman.vyatta.com/mailman/listinfo/vyatta-users
>
___
Vyatta-users mailing list
Vyatta-users@mailman.vyatta.com
http://mailman.vyatta.com/mailman/listinfo/vyatta-users


Re: [Vyatta-users] Waiting for xorp_rtrmgr...

2008-01-17 Thread Justin Fletcher
_fea: [ 2008/01/17 16:35:11 WARNING
> xorp_fea FEA ] Got update for address no in libfeaclient tree:
> eth1/eth1/66.128.135.1
> Jan 17 16:35:12 localhost xorp_fea: [ 2008/01/17 16:35:11 WARNING
> xorp_fea FEA ] Got update for address no in libfeaclient tree:
> eth1/eth1/66.128.139.1
> Jan 17 16:35:12 localhost xorp_fea: [ 2008/01/17 16:35:11 WARNING
> xorp_fea FEA ] Got update for interface not in libfeaclient tree: lo
> Jan 17 16:35:12 localhost xorp_fea: [ 2008/01/17 16:35:11 WARNING
> xorp_fea FEA ] Got update for vif not in libfeaclient tree: lo/lo
> Jan 17 16:35:12 localhost xorp_fea: [ 2008/01/17 16:35:11 WARNING
> xorp_fea FEA ] Got update for address no in libfeaclient tree:
> lo/lo/63.69.63.6
> Jan 17 16:35:20 localhost xorp_rib: [ 2008/01/17 16:35:19 WARNING
> xorp_rib LIBFEACLIENT ] NetlinkHead::io_event(), iface is empty
> Jan 17 16:35:20 localhost xorp_rib: [ 2008/01/17 16:35:19 WARNING
> xorp_rib LIBFEACLIENT ] NetlinkHead::io_event(), iface is empty
> Jan 17 16:35:40 localhost xorp_static_routes: [ 2008/01/17 16:35:39
> WARNING xorp_static_routes LIBFEACLIENT ] NetlinkHead::io_event(), iface
> is empty
> Jan 17 16:35:40 localhost xorp_static_routes: [ 2008/01/17 16:35:39
> WARNING xorp_static_routes LIBFEACLIENT ] NetlinkHead::io_event(), iface
> is empty
> Jan 17 16:35:49 localhost xorp_bgp: [ 2008/01/17 16:35:48  WARNING
> xorp_bgp:6466 LIBFEACLIENT +193
> /home/autobuild/builds/master/2007-10-24-0001/ofr/xorp/xorp/libfeaclient
> /netlink_head.cc io_event ] NetlinkHead::io_event(), iface is empty
> Jan 17 16:35:49 localhost xorp_bgp: [ 2008/01/17 16:35:49  WARNING
> xorp_bgp:6466 LIBFEACLIENT +193
> /home/autobuild/builds/master/2007-10-24-0001/ofr/xorp/xorp/libfeaclient
> /netlink_head.cc io_event ] NetlinkHead::io_event(), iface is empty
> Jan 17 16:35:55 localhost snmpd: [ 2008/01/17 16:35:54 WARNING snmpd
> LIBXORP ] Timer Expiry *much* later than scheduled: behind by 29.04
> seconds
> Jan 17 16:35:55 localhost snmpd: [ 2008/01/17 16:35:54 WARNING snmpd
> LIBXORP ] Timer Expiry *much* later than scheduled: behind by 28.06
> seconds
> Jan 17 16:35:55 localhost snmpd: [ 2008/01/17 16:35:54 WARNING snmpd
> LIBXORP ] Timer Expiry *much* later than scheduled: behind by 27.08
> seconds
> Jan 17 16:35:55 localhost snmpd: [ 2008/01/17 16:35:54 WARNING snmpd
> LIBXORP ] Timer Expiry *much* later than scheduled: behind by 26.10
> seconds
> Jan 17 16:35:55 localhost snmpd: [ 2008/01/17 16:35:55 WARNING snmpd
> LIBXORP ] Timer Expiry *much* later than scheduled: behind by 25.12
> seconds
> Jan 17 16:35:55 localhost snmpd: [ 2008/01/17 16:35:55 WARNING snmpd
> LIBXORP ] Timer Expiry *much* later than scheduled: behind by 24.14
> seconds
> Jan 17 16:35:55 localhost snmpd: [ 2008/01/17 16:35:55 WARNING snmpd
> LIBXORP ] Timer Expiry *much* later than scheduled: behind by 23.16
> seconds
> Jan 17 16:35:56 localhost snmpd: [ 2008/01/17 16:35:55 WARNING snmpd
> LIBXORP ] Timer Expiry *much* later than scheduled: behind by 22.18
> seconds
> Jan 17 16:35:56 localhost snmpd: [ 2008/01/17 16:35:55 WARNING snmpd
> LIBXORP ] Timer Expiry *much* later than scheduled: behind by 22.01
> seconds
> Jan 17 16:35:56 localhost snmpd: [ 2008/01/17 16:35:55 WARNING snmpd
> LIBXORP ] Timer Expiry *much* later than scheduled: behind by 21.03
> seconds
> Jan 17 16:35:56 localhost snmpd: [ 2008/01/17 16:35:55 WARNING snmpd
> LIBXORP ] Timer Expiry *much* later than scheduled: behind by 20.05
> seconds
> Jan 17 16:35:56 localhost snmpd: [ 2008/01/17 16:35:55 WARNING snmpd
> LIBXORP ] Timer Expiry *much* later than scheduled: behind by 19.07
> seconds
> Jan 17 16:35:56 localhost snmpd: [ 2008/01/17 16:35:55 WARNING snmpd
> LIBXORP ] Timer Expiry *much* later than scheduled: behind by 18.09
> seconds
> Jan 17 16:35:56 localhost snmpd: [ 2008/01/17 16:35:56 WARNING snmpd
> LIBXORP ] Timer Expiry *much* later than scheduled: behind by 17.11
> seconds
> Jan 17 16:35:56 localhost snmpd: [ 2008/01/17 16:35:56 WARNING snmpd
> LIBXORP ] Timer Expiry *much* later than scheduled: behind by 16.13
> seconds
> Jan 17 16:35:56 localhost snmpd: [ 2008/01/17 16:35:56 WARNING snmpd
> LIBXORP ] Timer Expiry *much* later than scheduled: behind by 15.15
> seconds
>
> 
> =
>
> Does this make sense to anyone? I am going to try the verbose logging
> per Justin's suggestion.
>
> Shane McKinley
> Habersham EMC
>
> -Original Message-
> From: Justin Fletcher [mailto:[EMAIL PROTECTED]
>
> Sent: Thursday, January 17, 2008 4:35 PM
> To: Shane McKinley
> Cc: vyatta-users@mailman.vyatta.com
> Subj
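
The XORP warnings quoted above are easier to triage parsed than read: the interesting facts are which processes are complaining, which interfaces the FEA says are missing from its tree, and how far behind the snmpd timers ran. The following is an added example, not code from the thread or from Vyatta. The sample lines are taken from the quoted log, re-joined onto single lines where the mail client wrapped them, plus one constructed kernel line to show how entries in another format are handled; the `[ date time LEVEL process MODULE ... ]` header layout is read off the quoted lines themselves.

```python
"""Triage helper for XORP-style syslog warnings (added example)."""
import re
from collections import Counter

# Sample lines: taken from the log quoted in this thread, re-joined onto
# single lines where the mail client wrapped them, plus one constructed
# kernel line (first) that is not in XORP's bracketed format.
SAMPLE_LOG = """\
Jan 17 16:35:10 localhost kernel: eth1: link up
Jan 17 16:35:12 localhost xorp_fea: [ 2008/01/17 16:35:11 WARNING xorp_fea FEA ] Got update for address no in libfeaclient tree: eth1/eth1/66.128.135.1
Jan 17 16:35:12 localhost xorp_fea: [ 2008/01/17 16:35:11 WARNING xorp_fea FEA ] Got update for interface not in libfeaclient tree: lo
Jan 17 16:35:20 localhost xorp_rib: [ 2008/01/17 16:35:19 WARNING xorp_rib LIBFEACLIENT ] NetlinkHead::io_event(), iface is empty
Jan 17 16:35:49 localhost xorp_bgp: [ 2008/01/17 16:35:48  WARNING xorp_bgp:6466 LIBFEACLIENT +193 /home/autobuild/builds/master/2007-10-24-0001/ofr/xorp/xorp/libfeaclient/netlink_head.cc io_event ] NetlinkHead::io_event(), iface is empty
Jan 17 16:35:55 localhost snmpd: [ 2008/01/17 16:35:54 WARNING snmpd LIBXORP ] Timer Expiry *much* later than scheduled: behind by 29.04 seconds
Jan 17 16:35:55 localhost snmpd: [ 2008/01/17 16:35:54 WARNING snmpd LIBXORP ] Timer Expiry *much* later than scheduled: behind by 28.06 seconds
"""

# syslog prefix, then the XORP header in brackets, then the message.
LOG_RE = re.compile(
    r"^(?P<stamp>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<proc>[^:\s]+): "
    r"\[ (?P<date>\S+) (?P<time>\S+)\s+(?P<level>[A-Z]+) (?P<rest>.*?) \] "
    r"(?P<msg>.*)$"
)
LAG_RE = re.compile(r"behind by ([\d.]+) seconds")
TREE_RE = re.compile(r"\b(?:no|not) in libfeaclient tree: (\S+)")


def parse_line(line):
    """Split one syslog line carrying an XORP-style '[ ... ]' header.
    Returns a dict of fields, or None for lines in another format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    header = rec.pop("rest").split()
    # XORP writes "process MODULE" or, with source locations enabled,
    # "process:pid MODULE +line file function"; the module is always second.
    rec["module"] = header[1] if len(header) > 1 else ""
    return rec


def summarize(text, lag_threshold=5.0):
    """Aggregate the facts a reader would want to triage first."""
    counts = Counter()
    lags, missing = [], []
    unparsed = 0
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec is None:
            unparsed += 1
            continue
        if rec["level"] == "WARNING":
            counts[rec["proc"]] += 1
        m = LAG_RE.search(rec["msg"])
        if m:
            lags.append(float(m.group(1)))
        m = TREE_RE.search(rec["msg"])
        if m:
            missing.append(m.group(1))
    return {
        "warnings_by_process": dict(counts),
        "max_timer_lag": max(lags, default=0.0),
        "timer_lag_alerts": sum(1 for lag in lags if lag >= lag_threshold),
        "not_in_fea_tree": missing,
        "unparsed": unparsed,
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

On the quoted log the timer lag peaks at just under 30 seconds, which is the number to correlate with the time at which the router manager was being restarted; a timer that fires that late means the process was not getting scheduled at all for that period, which is a different problem from a bad static route.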

Re: [Vyatta-users] Waiting for xorp_rtrmgr...

2008-01-17 Thread Justin Fletcher
You can enable verbose debugging by changing

VERBOSERTRMGR=

on line 51 of /opt/vyatta/sbin/rtrmgr.init

to

VERBOSERTRMGR=-v

As a caution, this will generate a LOT of output in your log files!!

Justin

On Jan 17, 2008 1:31 PM, Shane McKinley <[EMAIL PROTECTED]> wrote:
> I did. I am trying to comment out my static routes to see if that will
> help.
>
> Any other suggestions?
>
>
> Shane McKinley
> Habersham EMC
>
> -Original Message-
>
> From: Michael Larson [mailto:[EMAIL PROTECTED]
> Sent: Thursday, January 17, 2008 4:27 PM
> To: Shane McKinley
> Cc: vyatta-users@mailman.vyatta.com
> Subject: Re: [Vyatta-users] Waiting for xorp_rtrmgr...
>
> Hi Shane,
>
> Did you restart the syslog daemon after you modified the syslog.conf
> file?
>
> /etc/init.d/sysklogd restart
>
> Mike
>
> - Original Message -
> From: "Shane McKinley" <[EMAIL PROTECTED]>
> To: vyatta-users@mailman.vyatta.com
> Sent: Thursday, January 17, 2008 1:23:06 PM (GMT-0800)
> America/Los_Angeles
> Subject: Re: [Vyatta-users] Waiting for xorp_rtrmgr...
>
> I have changed /etc/syslog.conf to *.* and restarted the vyatta-ofr. I
> don't see anything that just pops out at me in /var/log/messages since
> the restart. I did truncate the file before attempting to restart the
> vyatta-ofr service.
>
> Any way to pinpoint which line in my config is causing the issue?
>
> (SIDE NOTE: (No offense meant) Why should changing interface notations
> and static routes cause anything to crash?)
>
> Shane McKinley
> Habersham EMC
>
> -Original Message-
> From: Justin Fletcher [mailto:[EMAIL PROTECTED]
> Sent: Thursday, January 17, 2008 3:58 PM
> To: Marat Nepomnyashy
> Cc: Shane McKinley; vyatta-users@mailman.vyatta.com
> Subject: Re: [Vyatta-users] Waiting for xorp_rtrmgr...
>
> You'll also want to edit /etc/syslog.conf and change *.warning to *.* to
> record all log messages; otherwise, lower-level messages will be
> discarded.
>
> You can check startup by hand by running "/etc/init.d/vyatta-rtrmgr
> start" which will save you the physical reboot --
>
> Justin
>
> On Jan 17, 2008 12:54 PM, Marat Nepomnyashy <[EMAIL PROTECTED]> wrote:
> > Hi Shane,
> >
> > Most likely the rtrmgr did not start.  The best log file to check when
>
> > that happens is '/var/log/messages'.
> >
> > Which Vyatta version are you using?
> >
> > Thanks,
> > Marat
> >
> >
> > - Original Message -
> > From: "Shane McKinley" <[EMAIL PROTECTED]>
> > To: 
> > Sent: Thursday, January 17, 2008 12:51 PM
> > Subject: [Vyatta-users] Waiting for xorp_rtrmgr...
> >
> >
> > > After entering some static routes and changing some subnetting
> > > around I rebooted. Now the rtrmgr won't start -- the commit took
> > > fine before I rebooted.
> > >
> > > Is there a way I can pull the proper error messages to troubleshoot
> > > this problem? What log files would be best to look at?
> > >
> > > Any more ideas on why this would happen? I really am dedicated to
> > > getting this router into production, but the odds seem against me
> > > this round.
> > >
> > > Thanks,
> > >
> > > Shane McKinley
> > > Habersham EMC
> > > Tel: 706-839-4130
> > > Cel: 706-968-3186
> > > ___
> > > Vyatta-users mailing list
> > > Vyatta-users@mailman.vyatta.com
> > > http://mailman.vyatta.com/mailman/listinfo/vyatta-users
> > >
> >
>
___
Vyatta-users mailing list
Vyatta-users@mailman.vyatta.com
http://mailman.vyatta.com/mailman/listinfo/vyatta-users


Re: [Vyatta-users] Waiting for xorp_rtrmgr...

2008-01-17 Thread Justin Fletcher
You'll also want to edit /etc/syslog.conf and change *.warning to *.* to
record all log messages; otherwise, lower-level messages will be discarded.

You can check startup by hand by running "/etc/init.d/vyatta-rtrmgr start",
which will save you the physical reboot --

Justin

On Jan 17, 2008 12:54 PM, Marat Nepomnyashy <[EMAIL PROTECTED]> wrote:
> Hi Shane,
>
> Most likely the rtrmgr did not start.  The best log file to check when that
> happens is '/var/log/messages'.
>
> Which Vyatta version are you using?
>
> Thanks,
> Marat
>
>
> - Original Message -
> From: "Shane McKinley" <[EMAIL PROTECTED]>
> To: 
> Sent: Thursday, January 17, 2008 12:51 PM
> Subject: [Vyatta-users] Waiting for xorp_rtrmgr...
>
>
> > After entering some static routes and changing some subnetting around I
> > rebooted. Now the rtrmgr won't start -- the commit took fine before I
> > rebooted.
> >
> > Is there a way I can pull the proper error messages to troubleshoot this
> > problem? What log files would be best to look at?
> >
> > Any more ideas on why this would happen? I really am dedicated to
> > getting this router into production, but the odds seem against me this
> > round.
> >
> > Thanks,
> >
> > Shane McKinley
> > Habersham EMC
> > Tel: 706-839-4130
> > Cel: 706-968-3186
>
___
Vyatta-users mailing list
Vyatta-users@mailman.vyatta.com
http://mailman.vyatta.com/mailman/listinfo/vyatta-users


Re: [Vyatta-users] RFC 1918 Private IP addresses

2008-01-17 Thread Justin Fletcher
You'll want to create a firewall rule.  By default, a router just forwards
the traffic it's sent (assuming it can find a route to use for forwarding . . .)

Best,
Justin

On Jan 17, 2008 11:39 AM, Ben Speckien <[EMAIL PROTECTED]> wrote:
> I am using Vyatta as a gateway to the internet and have noticed that it
> passes un-NATed private addresses out the public interface.  Is there a
> way to turn this feature off or should I make a firewall rule?
>
> Thanks,
>
> Ben
>
___
Vyatta-users mailing list
Vyatta-users@mailman.vyatta.com
http://mailman.vyatta.com/mailman/listinfo/vyatta-users


Re: [Vyatta-users] Q:uptime from the cli

2008-01-16 Thread Justin Fletcher
For that matter, it was a bug; see
https://bugzilla.vyatta.com/show_bug.cgi?id=2158 .  We keep what we know in
the bug database, and we'd always like to know what you discover!

Justin

On Jan 16, 2008 11:26 AM, Allan Leinwand <[EMAIL PROTECTED]> wrote:
>
> Seems like a bug.  The VC3 command reference shows uptime being displayed in
> "show version" on page 67.
>
> Thanks,
>
> allan
>
> From: Aubrey Wells [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, January 16, 2008 10:00 AM
> To: Allan Leinwand; Allan Leinwand
> Cc: 'Ken Felix (C)'; vyatta-users@mailman.vyatta.com; 'Ken Felix (C)';
> vyatta-users@mailman.vyatta.com
> Subject: Re: [Vyatta-users] Q:uptime from the cli
>
> show version doesn't seem to work in 3 for me either.
>
> [EMAIL PROTECTED]> show version
> Baseline Version: vc3
> Booted From: disk
>
> [EMAIL PROTECTED]>
>
> --
> Aubrey Wells
> Senior Engineer
> Shelton | Johns Technology Group
> A Vyatta Ready Partner
> www.sheltonjohns.com
>
> On Jan 16, 2008, at 12:46 PM, Allan Leinwand wrote:
>
> Hi Ken,
>
> I'm running 2.0 and "show version" works for me.  Maybe the output
> changed in a later release?
>
> [EMAIL PROTECTED]> show version
> Version:   2.0
> Built by:  [EMAIL PROTECTED]
> Built on:  200702232259 -- Fri Feb 23 22:59:37 UTC 2007
> Source:    git://suva.vyatta.com/ofr.git#--06439041
> System booted: Thu Jul 26 01:23:41 PDT 2007
> Uptime: 00:46:34 up 174 days, 23 min,  1 user,  load average: 0.50, 0.20,
> 0.07
> [EMAIL PROTECTED]>
>
> Thanks,
>
> allan
>
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Ken Felix (C)
> Sent: Wednesday, January 16, 2008 9:37 AM
> To: vyatta-users@mailman.vyatta.com
> Subject: [Vyatta-users] Q:uptime from the cli
>
> In our setup, we typically will not have a user logging into a unix shell,
> so how can we get "router uptime" via the cli?
>
> Show version doesn't do it, nor does a show tech from what I can tell.
>
>
___
Vyatta-users mailing list
Vyatta-users@mailman.vyatta.com
http://mailman.vyatta.com/mailman/listinfo/vyatta-users


Re: [Vyatta-users] Disable forwarding of broadcast directed packets

2008-01-10 Thread Justin Fletcher
It's disabled, and the current best practices have had it set this way for
quite a while.

See ftp://ftp.rfc-editor.org/in-notes/rfc2644.txt if you really want the
details :-)

Best,
Justin

On Jan 10, 2008 1:27 PM, Shane McKinley <[EMAIL PROTECTED]> wrote:

> Is broadcast forwarding disabled by default on Vyatta? If not, is there
> a way I can disable forwarding of broadcast packets on my Vyatta v3
> router?
>
> Thanks,
>
> Shane McKinley
> Habersham EMC
>
___
Vyatta-users mailing list
Vyatta-users@mailman.vyatta.com
http://mailman.vyatta.com/mailman/listinfo/vyatta-users
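
Justin's two answers above, to the "RFC 1918 Private IP addresses" thread and to this one, come down to the same point: a router forwards whatever it is handed unless something tells it not to, so the un-NATed private source and the directed broadcast are both things a border router has to check for itself. The following is an added example, not Vyatta code, that applies those two checks to constructed packets. The interfaces, subnets and packets are made up for the demo (203.0.113.0/24 and 198.51.100.0/24 are the RFC 5737 documentation ranges standing in for public addresses); the longest-prefix egress lookup is a simplification of a real routing table.

```python
"""Two forwarding checks a border router should make before sending a packet out.

Added example, not Vyatta code. Interfaces, subnets and packets are constructed.
Check 1: an RFC 1918 source must not leave the public interface un-NATed.
Check 2: a subnet-directed broadcast is not forwarded (the RFC 2644 default).
"""
import ipaddress
from dataclasses import dataclass

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass(frozen=True)
class Interface:
    name: str
    network: ipaddress.IPv4Network  # directly connected subnet
    public: bool                    # faces the Internet


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    in_if: str


def is_rfc1918(addr: str) -> bool:
    a = ipaddress.ip_address(addr)
    return any(a in net for net in RFC1918)


def directed_broadcast_target(dst: str, interfaces):
    """Interface whose subnet-directed broadcast address equals dst, or None."""
    d = ipaddress.ip_address(dst)
    for i in interfaces:
        # /31 and /32 links have no broadcast address in the usual sense
        if i.network.prefixlen < 31 and d == i.network.broadcast_address:
            return i
    return None


def pick_egress(dst: str, interfaces, default: Interface) -> Interface:
    """Longest-prefix match over connected subnets, else the default interface."""
    d = ipaddress.ip_address(dst)
    best = None
    for i in interfaces:
        if d in i.network and (best is None or i.network.prefixlen > best.network.prefixlen):
            best = i
    return best or default


def decide(pkt: Packet, interfaces, default: Interface):
    """Return ("drop", reason) or ("forward", egress interface name)."""
    target = directed_broadcast_target(pkt.dst, interfaces)
    if target is not None:
        return ("drop", f"directed broadcast into {target.network} (RFC 2644 default)")
    out = pick_egress(pkt.dst, interfaces, default)
    if out.public and is_rfc1918(pkt.src):
        return ("drop", f"private source {pkt.src} would leave {out.name} un-NATed")
    return ("forward", out.name)


# Constructed topology: eth0 is the Internet side, eth1/eth2 are inside.
INTERFACES = [
    Interface("eth0", ipaddress.ip_network("203.0.113.0/24"), public=True),
    Interface("eth1", ipaddress.ip_network("192.168.50.0/24"), public=False),
    Interface("eth2", ipaddress.ip_network("192.168.51.0/24"), public=False),
]
DEFAULT_IF = INTERFACES[0]

# Constructed packets, as the forwarding path would see them.
SAMPLE_PACKETS = [
    Packet("192.168.50.10", "198.51.100.5", "eth1"),   # inside host to Internet, not NATed
    Packet("198.51.100.9", "192.168.50.10", "eth0"),   # reply from Internet to an inside host
    Packet("198.51.100.9", "192.168.51.255", "eth0"),  # directed broadcast aimed at eth2's subnet
    Packet("192.168.50.10", "192.168.51.20", "eth1"),  # inside to inside, private source is fine
]


def run_samples():
    return [decide(p, INTERFACES, DEFAULT_IF) for p in SAMPLE_PACKETS]


if __name__ == "__main__":
    for pkt, (verdict, why) in zip(SAMPLE_PACKETS, run_samples()):
        print(f"{pkt.src:>15} -> {pkt.dst:<15} {verdict:8} {why}")
```

The private-source check only fires when the chosen egress is the public interface, so inside-to-inside traffic keeps working; that is the distinction a firewall rule on the outbound public interface makes, and it is why Justin points at a rule rather than a global switch.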


Re: [Vyatta-users] Basic Rip help and nat translation question

2008-01-10 Thread Justin Fletcher
For RIP, all you need is something similar to:

set protocols rip interface eth0 address 172.16.0.50

Justin

On Jan 10, 2008 1:14 PM, <[EMAIL PROTECTED]> wrote:

> All,
>
> I'm coming from a cisco background and although I've used vyatta at one
> production location (using some static routes successfully) I'm having a
> heck of a time just getting two routers to talk to each other with RIP. I've
> read through the big config guide pdf, but to no avail.
>
> Could anyone either paste in their RIP configuration or at least give me
> some pointers on how to get this to work?
>
> In my test environment I have two routers.
>
> Router A (eth0) 192.168.50.1/24  <-- crossover -->  Router B (eth0) 192.168.50.2/24
> Router A (eth1) 192.168.51.1/24                      Router B (eth1) 192.168.52.1/24
>
> I can ping across all the networks if I set up static routes-- so I know
> the connections and IPs are okay.
>
> In addition, on a standard cisco router I can run this: > show ip nat
> trans . How do I see all the different translations on a vyatta box going
> out to the world?
>
> Thanks in advance,
> Aaron
>
>
>
___
Vyatta-users mailing list
Vyatta-users@mailman.vyatta.com
http://mailman.vyatta.com/mailman/listinfo/vyatta-users


Re: [Vyatta-users] Network ports Compatibility issue for Vyatta? to install in production box for router use

2008-01-10 Thread Justin Fletcher
No, no known issues with the cards, and six ports should be fine.  I've got
that many ports in production :-)

Justin

On Jan 10, 2008 2:22 AM, Daren Tay <[EMAIL PROTECTED]> wrote:

> Hi guys,
>
> just wanna check if there's any known issues for the following network
> cards
> with Vyatta:
>
> Intel PRO/1000 PT dual-port gigabit ethernet PCIe x4 card.
>
> I am planning to install 2 of that in the server (Dell PowerEdge) to get a
> 6 port setup.
>
> Also, is it ok I install so many?
> I am planning to use Vyatta as a production router for our new
> infrastructure... all the way man.
> Planning to get a simple Dell PowerEdge and pump it with adequate network
> ports to handle 2 different subnets and firewall.
>
> What do you guys think?
> Thanks!
> Daren
>
>
___
Vyatta-users mailing list
Vyatta-users@mailman.vyatta.com
http://mailman.vyatta.com/mailman/listinfo/vyatta-users


Re: [Vyatta-users] Fwd: A question on exporting connected routes intoOSPF

2008-01-08 Thread Justin Fletcher
And, of course, routes you add outside of the CLI aren't known to XORP.  If
you add the route using "protocol static" you can then redistribute via
OSPF.

Justin

On Jan 8, 2008 11:57 AM, Jonathon Exley <[EMAIL PROTECTED]> wrote:

> I have also had problems exporting connected routes into OSPF.
>
> Try adding static routes into the export policy:
>
> [EMAIL PROTECTED]  > show configuration policy
> policy-statement ExportCon
>     term 10 {
>         from {
>             protocol: "connected"
>         }
>         then {
>             action: "accept"
>         }
>     }
>     term 20 {
>         from {
>             protocol: "static"
>         }
>         then {
>             action: "accept"
>         }
>     }
>
> This seemed to allow the connected interfaces into the OSPF database,
> although they were tagged with ASExt-2:
>
> [EMAIL PROTECTED]> show ospf4 database
>   OSPF link state database, Area 0.0.0.0
>  Type       ID            Adv Rtr         Seq     Age  Opt  Cksum   Len
> ASExt-2  *192.168.2.0    192.168.101.1   0x8001  790  0x2  0x4354  36
>
>
>
> Jonathon
>
>
>
>
___
Vyatta-users mailing list
Vyatta-users@mailman.vyatta.com
http://mailman.vyatta.com/mailman/listinfo/vyatta-users
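
Jonathon's policy-statement above is evaluated term by term, and Justin's point is that a route XORP never learned of cannot match any term. As an added example (not XORP or Vyatta code), here is a small parser for that brace-delimited configuration format plus an evaluator that applies the terms in numeric order to a constructed route table. The policy text is Jonathon's, re-typed with braces around the top-level node so the parser has a single grammar; the three routes, and the use of "kernel" as the protocol of a route added outside the CLI, are assumptions for the demo.

```python
"""Parse XORP-style brace configuration and evaluate an export policy.

Added example, not XORP or Vyatta code. The policy text is the one from the
thread (with braces around the top-level node); the route table is constructed.
"""

POLICY_TEXT = """
policy-statement ExportCon {
    term 10 {
        from {
            protocol: "connected"
        }
        then {
            action: "accept"
        }
    }
    term 20 {
        from {
            protocol: "static"
        }
        then {
            action: "accept"
        }
    }
}
"""


def parse_config(text):
    """Turn 'name {' / 'key: value' / '}' lines into nested dicts."""
    root, stack = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        current = stack[-1] if stack else root
        if line == "}":
            if not stack:
                raise ValueError("unexpected '}'")
            stack.pop()
        elif line.endswith("{"):
            node = {}
            current[line[:-1].strip()] = node
            stack.append(node)
        elif ":" in line:
            key, _, value = line.partition(":")
            current[key.strip()] = value.strip().strip('"')
        else:
            current[line] = None       # bare leaf such as 'interface eth0'
    if stack:
        raise ValueError("unbalanced braces: %d block(s) left open" % len(stack))
    return root


def evaluate_policy(policy, routes):
    """First matching term decides; a route no term matches is not exported."""
    terms = sorted(
        ((name, body) for name, body in policy.items() if name.startswith("term ")),
        key=lambda item: int(item[0].split()[1]),
    )
    decisions = {}
    for route in routes:
        verdict = "reject"
        for _, term in terms:
            conditions = term.get("from", {})
            if all(route.get(k) == v for k, v in conditions.items()):
                verdict = term.get("then", {}).get("action", "reject")
                break
        decisions[route["prefix"]] = verdict
    return decisions


# Constructed routes. The last one stands for a route added with 'ip route'
# outside the CLI (assumed protocol name "kernel"): no term matches it, so
# it is never redistributed, which is the effect Justin describes.
ROUTES = [
    {"prefix": "192.168.2.0/24", "protocol": "connected"},
    {"prefix": "10.1.0.0/16", "protocol": "static"},
    {"prefix": "10.9.0.0/16", "protocol": "kernel"},
]


def export_decisions(policy_text=POLICY_TEXT, routes=ROUTES):
    config = parse_config(policy_text)
    return evaluate_policy(config["policy-statement ExportCon"], routes)


if __name__ == "__main__":
    for prefix, verdict in export_decisions().items():
        print(f"{prefix:<16} {verdict}")
```

Dropping term 20 (or changing its protocol) turns the static route into a reject, which is the behaviour Jonathon worked around by adding that term.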


Re: [Vyatta-users] Refactoring Vyatta Config

2008-01-05 Thread Justin Fletcher
If you disable VRRP, do you see the same issues?  Not all interfaces handle
the virtual MAC addresses successfully.

Justin

On Jan 5, 2008 6:39 PM, Todd Worden <[EMAIL PROTECTED]> wrote:
>
> Dear Group:
>
> Apologies up front, but the following info is a bit loaded…
>
> I currently have a 1U dual mini-itx board redundant router that has 512MB
> ram and 1Ghz VIA embedded processors.  Each ½ of the chassis also has a
> compact flash slot, but no CD-ROMs.  Vyatta 3.0 OFR is installed on both,
> and I currently have VRRP configured and working with the given setup, and
> Bind9 acting as a Master on one and slave on the other.
>
> Though things seem to work more/less, I am noticing inbound traffic (wan) is
> seriously sketchy.  I observe this over the http and ssh ports, both of
> which are very slow, and 50% of the time result in connection time outs.
> When I hit a hosted web page, the first attempt always results in a "The
> connection was reset" message with Firefox.  Subsequent hits to the same
> site may or may not load the requested page.  When I Putty in, I also
> experience slowness, and drop outs.
>
> I am guessing I have a mis-configuration somewhere.
>
> Before I begin troubleshooting, I am writing to request advice on a better
> way to manage my routers.  I cannot for the life of me figure out how to
> install Vyatta from a compact flash card.  So, instead, whenever I have
> needed to 'start over' I have pulled out the hard drives, slapped them in my
> other server, and installed Vyatta from CD-ROM, then slapped them back into
> the routers.  This is a PIA!
>
> I am wondering from anyone out there, if given the above specs, if it would
> be wise to install some stripped down linux distro as a host on each router,
> then run Vyatta in a virtual machine using something like VmWare Server.   I
> am worried that with 512MB ram, and 1Ghz, performance might suffer.
>
> Bottom line, if I jack up my router FUBAR style, I would like to get a new
> install in place very quickly, and maybe a VM gold build might be a good
> plan.
>
> Any considerations regarding this strategy or maybe others are very welcome!
>
> Thanks!
>
> Todd Worden
> Web-Wired, LLC
> 434.906.0420
> [EMAIL PROTECTED]
> www.web-wired.com
>
>
>
___
Vyatta-users mailing list
Vyatta-users@mailman.vyatta.com
http://mailman.vyatta.com/mailman/listinfo/vyatta-users


Re: [Vyatta-users] Commit Error

2008-01-04 Thread Justin Fletcher
Yes, sometimes any computerized system gets a bit confused, and needs
a good kick in the pants :-)

Justin

On Jan 4, 2008 9:04 PM, Clint Chapman <[EMAIL PROTECTED]> wrote:
> well, I hate doing that, but I rebooted, and did all the config, and
> it worked.
>
>
> oh well.
>
>
>
> On Jan 4, 2008, at 10:32 PM, Justin Fletcher wrote:
>
> > When all else fails, reboot the router when you can & try again.
> >
> > Best,
> > Justin
> >
> > On Jan 4, 2008 7:51 PM, Clint Chapman <[EMAIL PROTECTED]> wrote:
> >> [EMAIL PROTECTED]> configure
> >> Entering configuration mode.
> >> User vyatta is also in configuration mode.
> >> [EMAIL PROTECTED] set protocols bgp
> >> [edit]
> >> [EMAIL PROTECTED] set protocols bgp bgp-id 216.6.235.1
> >> [edit]
> >> [EMAIL PROTECTED] set protocols bgp local-as 15003
> >> [edit]
> >> [EMAIL PROTECTED] set protocols bgp peer 72.37.132.237
> >> [edit]
> >> [EMAIL PROTECTED] set protocols bgp peer 72.37.132.237 local-ip
> >> 72.37.132.238
> >> [edit]
> >> [EMAIL PROTECTED] set protocols bgp peer 72.37.132.237 as 25973
> >> [edit]
> >> [EMAIL PROTECTED] set protocols bgp peer 72.37.132.237 next-hop
> >> 72.37.132.238
> >> [edit]
> >> [EMAIL PROTECTED] set protocols bgp peer 72.37.132.237 disable-
> >> readvertisements true
> >> [edit]
> >> [EMAIL PROTECTED] commit
> >> [edit]
> >> Commit Failed
> >> 102 Command failed
> >> [EMAIL PROTECTED]
> >>
> >> Jan  5 11:59:45 localhost xorp_bgp: [ 2008/01/05 11:59:45  WARNING
> >> xorp_bgp:6490 BGP +1054 /home/autobuild/builds/OFR/2007-11-17-0001/
> >> ofr/
> >> xorp/xorp/bgp/bgp.cc create_peer ] This peer already exists:
> >> {72.37.132.238(179) 72.37.132.237(179)} AS/25973
> >> Jan  5 11:59:45 localhost xorp_bgp: [ 2008/01/05 11:59:45  WARNING
> >> xorp_bgp:6490 XrlBgpTarget +552 xrl/targets/bgp_base.cc
> >> handle_bgp_0_2_add_peer ] Handling method for bgp/0.2/add_peer
> >> failed:
> >> XrlCmdError 102 Command failed
> >> Jan  5 11:59:45 localhost xorp_rtrmgr: [ 2008/01/05 11:59:45  ERROR
> >> xorp_rtrmgr:4658 RTRMGR +701 /home/autobuild/builds/OFR/
> >> 2007-11-17-0001/ofr/xorp/xorp/rtrmgr/master_conf_tree.cc
> >> commit_pass2_done ] Commit failed: 102 Command failed
> >>
> >> Not sure how it's already there.
> >>
> >>
> >>
> >>
> >> On Jan 4, 2008, at 9:33 PM, John Jolet wrote:
> >>
> >>
> >>> how about the line that says "this peer already exists"... delete
> >>> the peer, then re-add it.
> >>>
> >>> Clint Chapman wrote:
> >>>> Jan  5 10:18:38 localhost xorp_bgp: [ 2008/01/05 10:18:38  WARNING
> >>>> xorp_bgp:6490 BGP +1054 /home/autobuild/builds/OFR/2007-11-17-0001/
> >>>> ofr/ xorp/xorp/bgp/bgp.cc create_peer ] This peer already exists:
> >>>> {72.37.132.238(179) 72.37.132.237(179)} AS/25973
> >>>> Jan  5 10:18:38 localhost xorp_bgp: [ 2008/01/05 10:18:38  WARNING
> >>>> xorp_bgp:6490 XrlBgpTarget +552 xrl/targets/bgp_base.cc
> >>>> handle_bgp_0_2_add_peer ] Handling method for bgp/0.2/add_peer
> >>>> failed:  XrlCmdError 102 Command failed
> >>>> Jan  5 10:18:38 localhost xorp_rtrmgr: [ 2008/01/05 10:18:38
> >>>> ERROR  xorp_rtrmgr:4658 RTRMGR +701 /home/autobuild/builds/OFR/
> >>>> 2007-11-17-0001/ofr/xorp/xorp/rtrmgr/master_conf_tree.cc
> >>>> commit_pass2_done ] Commit failed: 102 Command failed
> >>>> Jan  5 10:25:58 localhost xorp_bgp: [ 2008/01/05 10:25:58  WARNING
> >>>> xorp_bgp:6490 BGP +1054 /home/autobuild/builds/OFR/2007-11-17-0001/
> >>>> ofr/ xorp/xorp/bgp/bgp.cc create_peer ] This peer already exists:
> >>>> {72.37.132.238(179) 72.37.132.237(179)} AS/25973
> >>>> Jan  5 10:25:58 localhost xorp_bgp: [ 2008/01/05 10:25:58  WARNING
> >>>> xorp_bgp:6490 XrlBgpTarget +552 xrl/targets/bgp_base.cc
> >>>> handle_bgp_0_2_add_peer ] Handling method for bgp/0.2/add_peer
> >>>> failed:  XrlCmdError 102 Command failed
> >>>> Jan  5 10:25:58 localhost xorp_rtrmgr: [ 2008/01/05 10:25:58
> >>>> ERROR  xorp_rtrmgr:4658 RTRMGR +701 /home/autobuild/builds/OFR/
> >>>> 2007-11-17-0001/ofr/xorp/xorp/rtrmgr/master_conf_tree.cc
> >>>> commit_pass2_done ] Commit failed: 102 Command failed
> >>

Re: [Vyatta-users] Commit Error

2008-01-04 Thread Justin Fletcher
When all else fails, reboot the router when you can & try again.

Best,
Justin

On Jan 4, 2008 7:51 PM, Clint Chapman <[EMAIL PROTECTED]> wrote:
> [EMAIL PROTECTED]> configure
> Entering configuration mode.
> User vyatta is also in configuration mode.
> [EMAIL PROTECTED] set protocols bgp
> [edit]
> [EMAIL PROTECTED] set protocols bgp bgp-id 216.6.235.1
> [edit]
> [EMAIL PROTECTED] set protocols bgp local-as 15003
> [edit]
> [EMAIL PROTECTED] set protocols bgp peer 72.37.132.237
> [edit]
> [EMAIL PROTECTED] set protocols bgp peer 72.37.132.237 local-ip
> 72.37.132.238
> [edit]
> [EMAIL PROTECTED] set protocols bgp peer 72.37.132.237 as 25973
> [edit]
> [EMAIL PROTECTED] set protocols bgp peer 72.37.132.237 next-hop
> 72.37.132.238
> [edit]
> [EMAIL PROTECTED] set protocols bgp peer 72.37.132.237 disable-
> readvertisements true
> [edit]
> [EMAIL PROTECTED] commit
> [edit]
> Commit Failed
> 102 Command failed
> [EMAIL PROTECTED]
>
> Jan  5 11:59:45 localhost xorp_bgp: [ 2008/01/05 11:59:45  WARNING
> xorp_bgp:6490 BGP +1054 /home/autobuild/builds/OFR/2007-11-17-0001/ofr/
> xorp/xorp/bgp/bgp.cc create_peer ] This peer already exists:
> {72.37.132.238(179) 72.37.132.237(179)} AS/25973
> Jan  5 11:59:45 localhost xorp_bgp: [ 2008/01/05 11:59:45  WARNING
> xorp_bgp:6490 XrlBgpTarget +552 xrl/targets/bgp_base.cc
> handle_bgp_0_2_add_peer ] Handling method for bgp/0.2/add_peer failed:
> XrlCmdError 102 Command failed
> Jan  5 11:59:45 localhost xorp_rtrmgr: [ 2008/01/05 11:59:45  ERROR
> xorp_rtrmgr:4658 RTRMGR +701 /home/autobuild/builds/OFR/
> 2007-11-17-0001/ofr/xorp/xorp/rtrmgr/master_conf_tree.cc
> commit_pass2_done ] Commit failed: 102 Command failed
>
> Not sure how it's already there.
>
>
>
>
> On Jan 4, 2008, at 9:33 PM, John Jolet wrote:
>
>
> > how about the line that says "this peer already exists"... delete
> > the peer, then re-add it.
> >
> > Clint Chapman wrote:
> >> Jan  5 10:18:38 localhost xorp_bgp: [ 2008/01/05 10:18:38  WARNING
> >> xorp_bgp:6490 BGP +1054 /home/autobuild/builds/OFR/2007-11-17-0001/
> >> ofr/ xorp/xorp/bgp/bgp.cc create_peer ] This peer already exists:
> >> {72.37.132.238(179) 72.37.132.237(179)} AS/25973
> >> Jan  5 10:18:38 localhost xorp_bgp: [ 2008/01/05 10:18:38  WARNING
> >> xorp_bgp:6490 XrlBgpTarget +552 xrl/targets/bgp_base.cc
> >> handle_bgp_0_2_add_peer ] Handling method for bgp/0.2/add_peer
> >> failed:  XrlCmdError 102 Command failed
> >> Jan  5 10:18:38 localhost xorp_rtrmgr: [ 2008/01/05 10:18:38
> >> ERROR  xorp_rtrmgr:4658 RTRMGR +701 /home/autobuild/builds/OFR/
> >> 2007-11-17-0001/ofr/xorp/xorp/rtrmgr/master_conf_tree.cc
> >> commit_pass2_done ] Commit failed: 102 Command failed
> >> Jan  5 10:25:58 localhost xorp_bgp: [ 2008/01/05 10:25:58  WARNING
> >> xorp_bgp:6490 BGP +1054 /home/autobuild/builds/OFR/2007-11-17-0001/
> >> ofr/ xorp/xorp/bgp/bgp.cc create_peer ] This peer already exists:
> >> {72.37.132.238(179) 72.37.132.237(179)} AS/25973
> >> Jan  5 10:25:58 localhost xorp_bgp: [ 2008/01/05 10:25:58  WARNING
> >> xorp_bgp:6490 XrlBgpTarget +552 xrl/targets/bgp_base.cc
> >> handle_bgp_0_2_add_peer ] Handling method for bgp/0.2/add_peer
> >> failed:  XrlCmdError 102 Command failed
> >> Jan  5 10:25:58 localhost xorp_rtrmgr: [ 2008/01/05 10:25:58
> >> ERROR  xorp_rtrmgr:4658 RTRMGR +701 /home/autobuild/builds/OFR/
> >> 2007-11-17-0001/ofr/xorp/xorp/rtrmgr/master_conf_tree.cc
> >> commit_pass2_done ] Commit failed: 102 Command failed
> >>
> >>
> >> See anything there?
> >>
> >>
> >> On Jan 4, 2008, at 8:47 PM, Stig Thormodsrud wrote:
> >>
> >>
> >>> Check /var/log/messages (or "show log") for further error messages.
> >>>
> >>> stig
> >>>
> >>>
>  -Original Message-
>  From: [EMAIL PROTECTED] [mailto:vyatta-users-
>  [EMAIL PROTECTED] On Behalf Of Clint Chapman
>  Sent: Friday, January 04, 2008 6:38 PM
>  To: [EMAIL PROTECTED]
>  Subject: [Vyatta-users] Commit Error
> 
>  [EMAIL PROTECTED] show protocols
> 
> > bgp {
> > bgp-id: removeIP
> > local-as: my as number
> > peer "72.*.*.*" { (ISP side of the /30)
> > local-ip: 72.37.132.238  (My side of the /30)
> > as: 25973
> > next-hop: 72.37.132.238 (My side of the /30)
> > disable-readvertisements: true
> > }
> > }
> >
> static {
> route 0.0.0.0/0 {
> next-hop: 72.*.*.*
> }
> }
> 
>  [edit]
>  [EMAIL PROTECTED] commit
>  [edit]
>  Commit Failed
>  102 Command failed
>  [EMAIL PROTECTED]
> 
> 
>  Why am I getting that error? I don't think I have anything too
>  complex in there.
> 
> 
> 
> 
>  Thanks!
>  Clint

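Stig's advice above is to read /var/log/messages, and the lines Clint pasted show why: the generic "Commit failed: 102 Command failed" from xorp_rtrmgr is only the last link in a chain, and the real complaint ("This peer already exists") is logged by xorp_bgp in the same second. As an added example (not Vyatta or XORP code), here is a parser for that XORP log record format which, for each rtrmgr commit failure, pulls out the first specific warning or error another XORP process logged at the same timestamp. The sample log is constructed from the lines in this thread (two of the three attempts, with each record on one line instead of wrapped) plus one unrelated sshd line.

```python
"""Pull the root cause of a failed commit out of XORP log lines.

Added example, not Vyatta or XORP code. The log lines are constructed from the
ones posted in this thread plus one unrelated sshd line.
"""
import re

# Record layout seen in the thread:
#   <syslog ts> <host> <proc>: [ <xorp ts>  <LEVEL> <proc>:<pid> <module> +<line> <file> <func> ] <message>
XORP_LINE = re.compile(r"""
    ^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s\d{2}:\d{2}:\d{2})\s(?P<host>\S+)\s
    (?P<proc>\w+):\s\[\s
    (?P<xts>\S+\s\S+)\s+(?P<level>[A-Z]+)\s(?P<proc2>\w+):(?P<pid>\d+)\s
    (?P<module>\S+)\s\+(?P<line>\d+)\s(?P<file>\S+)\s(?P<func>\S+)\s\]\s
    (?P<msg>.*)$
""", re.VERBOSE)

SAMPLE_LOG = """\
Jan  5 10:18:38 localhost xorp_bgp: [ 2008/01/05 10:18:38  WARNING xorp_bgp:6490 BGP +1054 /home/autobuild/builds/OFR/2007-11-17-0001/ofr/xorp/xorp/bgp/bgp.cc create_peer ] This peer already exists: {72.37.132.238(179) 72.37.132.237(179)} AS/25973
Jan  5 10:18:38 localhost xorp_bgp: [ 2008/01/05 10:18:38  WARNING xorp_bgp:6490 XrlBgpTarget +552 xrl/targets/bgp_base.cc handle_bgp_0_2_add_peer ] Handling method for bgp/0.2/add_peer failed: XrlCmdError 102 Command failed
Jan  5 10:18:38 localhost xorp_rtrmgr: [ 2008/01/05 10:18:38  ERROR xorp_rtrmgr:4658 RTRMGR +701 /home/autobuild/builds/OFR/2007-11-17-0001/ofr/xorp/xorp/rtrmgr/master_conf_tree.cc commit_pass2_done ] Commit failed: 102 Command failed
Jan  5 10:20:01 localhost sshd[2201]: Accepted password for vyatta from 192.168.1.5 port 51234 ssh2
Jan  5 11:59:45 localhost xorp_bgp: [ 2008/01/05 11:59:45  WARNING xorp_bgp:6490 BGP +1054 /home/autobuild/builds/OFR/2007-11-17-0001/ofr/xorp/xorp/bgp/bgp.cc create_peer ] This peer already exists: {72.37.132.238(179) 72.37.132.237(179)} AS/25973
Jan  5 11:59:45 localhost xorp_bgp: [ 2008/01/05 11:59:45  WARNING xorp_bgp:6490 XrlBgpTarget +552 xrl/targets/bgp_base.cc handle_bgp_0_2_add_peer ] Handling method for bgp/0.2/add_peer failed: XrlCmdError 102 Command failed
Jan  5 11:59:45 localhost xorp_rtrmgr: [ 2008/01/05 11:59:45  ERROR xorp_rtrmgr:4658 RTRMGR +701 /home/autobuild/builds/OFR/2007-11-17-0001/ofr/xorp/xorp/rtrmgr/master_conf_tree.cc commit_pass2_done ] Commit failed: 102 Command failed
"""


def parse_xorp_line(line):
    """Return the fields of one XORP log record, or None for any other line."""
    m = XORP_LINE.match(line)
    return m.groupdict() if m else None


def explain_commit_failures(log_text):
    """For every rtrmgr 'Commit failed' record, return the first WARNING/ERROR
    another XORP process logged in the same second, skipping the generic XRL
    'Handling method ... failed' wrapper; that is the message worth reading."""
    records = [r for r in (parse_xorp_line(l) for l in log_text.splitlines()) if r]
    failures = []
    for rec in records:
        if rec["proc"] != "xorp_rtrmgr" or not rec["msg"].startswith("Commit failed"):
            continue
        causes = [
            r for r in records
            if r["xts"] == rec["xts"] and r["proc"] != "xorp_rtrmgr"
            and r["level"] in ("WARNING", "ERROR")
            and not r["msg"].startswith("Handling method")
        ]
        failures.append({
            "when": rec["xts"],
            "error": rec["msg"],
            "cause": f'{causes[0]["proc"]}: {causes[0]["msg"]}' if causes
                     else "(no earlier detail logged)",
        })
    return failures


if __name__ == "__main__":
    for f in explain_commit_failures(SAMPLE_LOG):
        print(f["when"], "|", f["error"], "|", f["cause"])
```

Grouping by the XORP-side timestamp rather than the syslog one avoids problems when the two clocks are formatted differently, and the sshd line shows that anything not in the XORP record layout is simply ignored.
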
Re: [Vyatta-users] jdocs anything like this for vyatta

2008-01-02 Thread Justin Fletcher
Ah - missed the 'j' in the subject . . .

On Jan 2, 2008 3:28 PM, Wink <[EMAIL PROTECTED]> wrote:
> JDocs are man-pages for commands.  There are also general technical
> tutorials available.
>
> It's like having a book about JunOS available on the router.
>
>
>
> Justin Fletcher wrote:
> > Not sure what "like this" means, but there's full documentation
> > available at vyatta.com, and on-line CLI help; just use the '?' key.
> >
> > Best,
> > Justin
> >
> > On Jan 2, 2008 2:55 PM, Ken Felix (C) <[EMAIL PROTECTED]> wrote:
> >
> >>
> >>
> >> Do we have any future support for something similar in vyatta? Cli online
> >> help.
> >>
> >>
> >>
> >>
> >>
> >
> >
> >
>
___
Vyatta-users mailing list
Vyatta-users@mailman.vyatta.com
http://mailman.vyatta.com/mailman/listinfo/vyatta-users


Re: [Vyatta-users] jdocs anything like this for vyatta

2008-01-02 Thread Justin Fletcher
Not sure what "like this" means, but there's full documentation
available at vyatta.com, and on-line CLI help; just use the '?' key.

Best,
Justin

On Jan 2, 2008 2:55 PM, Ken Felix (C) <[EMAIL PROTECTED]> wrote:
>
>
>
>
> Do we have any future  support  for something similar  in vyatta? Cli online
> help.
>
>
>
>
___
Vyatta-users mailing list
Vyatta-users@mailman.vyatta.com
http://mailman.vyatta.com/mailman/listinfo/vyatta-users


Re: [Vyatta-users] router on the stick

2008-01-02 Thread Justin Fletcher
On Jan 2, 2008 12:18 AM, Vects <[EMAIL PROTECTED]> wrote:
> Hello there,
>
> Does vyatta support "router on the stick" configuration?
> I want to deploy it in a web hosting environment where every customer has
> its own VLAN.
> Is there any known problem with firewall in such a configuration?
>
> Thanks, Alexc

No issues that I know of; should be just fine for what you need :-)

Best,
Justin
___
Vyatta-users mailing list
Vyatta-users@mailman.vyatta.com
http://mailman.vyatta.com/mailman/listinfo/vyatta-users


Re: [Vyatta-users] happy with NAT. should I firewall also?

2008-01-01 Thread Justin Fletcher
Depends on what you're looking for (of course :-) )

Since you're under NAT, nothing can find your system that you don't
have set up for forwarding.  You could set up firewall rules for the public
address of your router, as it's wide-open otherwise, of course.

A happy 2008 to you,
Justin

On Jan 1, 2008 6:40 PM, Alain Kelder <[EMAIL PROTECTED]> wrote:
> Hello,
>
> At my home office, I have 1 public IP and I'm forwarding certain outside
> port requests to the various machines inside using NAT. I'm allowing all
> inside->out traffic. Given that I'm happy with this setup from the
> functionality perspective, should I still add firewall rules to define
> my current setup (e.g. to allow all inside->out traffic and to allow
> http, smtp, etc to the various machines for outside->in traffic)? Am I
> missing out on important security features the firewall would offer
> which NAT doesn't?
>
> Currently I just have the following firewall statements:
>
> firewall {
>     log-martians: "enable"
>     send-redirects: "disable"
>     receive-redirects: "disable"
>     ip-src-route: "disable"
>     broadcast-ping: "disable"
>     syn-cookies: "enable"
> }
>
> [EMAIL PROTECTED]> show version
> Baseline Version: vc3
> Booted From: disk
>
> Happy New Year to all! Cheers, -Alain.
>
___
Vyatta-users mailing list
Vyatta-users@mailman.vyatta.com
http://mailman.vyatta.com/mailman/listinfo/vyatta-users


Re: [Vyatta-users] clustering problems

2007-12-31 Thread Justin Fletcher
Afraid so - a fix didn't make it into VC3.  From a while back:

Ah, piffle - looks like that bug was fixed after VC3 was released.  You need
to correct /opt/vyatta/sbin/vpn-config.pl.  You can get the corrected version
from
http://suva.vyatta.com/git/?p=ofr.git;a=blob_plain;f=cli/scripts/vpn/vpn-config.pl;hb=HEAD
or you can just comment out the check, if you're comfortable with perl.

Justin

On Dec 31, 2007 12:56 PM, Ken Felix (C) <[EMAIL PROTECTED]> wrote:
>
>
>
>
> Has anybody attempted clustering with vyatta and seen any problems with
> vpn-ipsec not allowing the cluster ip_address to be applied?
>
> [EMAIL PROTECTED] set vpn ipsec site-to-site peer 1.1.1.40 local-ip 1.1.1.36
> [edit]
>
> [EMAIL PROTECTED] commit
> [edit]
> Commit Failed
> VPN configuration error.  Local IP specified for peer "1.1.1.40" has not
> been configured in any of the ipsec interfaces or clustering.
> VPN configuration commit aborted due to error(s).
>
> [EMAIL PROTECTED] show cluster
> interface eth0
> interface eth1
> pre-shared-secret: "firstcluster"
> keepalive-interval: 3
> dead-interval: 10
> group vpn {
>     primary: "fw001"
>     secondary "fw002"
>     monitor 2.2.2.140
>     service "1.1.1.36"
>     service "192.168.254.254"
>     service ipsec
> }
>
> [edit]
>
>
___
Vyatta-users mailing list
Vyatta-users@mailman.vyatta.com
http://mailman.vyatta.com/mailman/listinfo/vyatta-users


Re: [Vyatta-users] I want to configure 2 ISPs on Vyatta Server

2007-12-23 Thread Justin Fletcher
Do you have any specific questions after reviewing the documentation
at www.vyatta.com ?

Best,
Justin

On Dec 23, 2007 10:10 PM, Amit Srivastava <[EMAIL PROTECTED]> wrote:
> Hi,
>
>
>  I want to configure 2 ISPs on my Vyatta server. How can I configure it?
>  Can someone help me?
>
>
> --
>  Regards
> --
> Amit Shrivastava
> Linux Engineer
> Tetra Information Services Pvt. Ltd.
> 136 Ground Floor, Sant Nagar, East of Kailash,
> New Delhi - 110065, India.
> Email : [EMAIL PROTECTED]
> Website : www.tetrain.com, www.linux4e.com
> Phone : 91-11-66604033, 91-11-66604034, 91-11-66604035
> Mobile : 91-060913
> Fax : 91-11-26225293
>
>
___
Vyatta-users mailing list
Vyatta-users@mailman.vyatta.com
http://mailman.vyatta.com/mailman/listinfo/vyatta-users


Re: [Vyatta-users] setting up at home

2007-12-22 Thread Justin Fletcher
If you haven't, you'll need to:

Set up the internal address of the Vyatta router as the default
gateway provided by DHCP
Set up NAT so the private internal addresses are translated to your
static IP from your provider

Best,
Justin

On Dec 22, 2007 4:09 AM, Abhishek Jain <[EMAIL PROTECTED]> wrote:
> Hi All
>
> I am trying to install the community edition at home. I have a static ip
> from my dsl provider. On one of the interfaces I have configured an
> internal ip address and have setup the dhcp server which is working fine and
> my other machines are able to get the ip from dhcp. On another interface I
> have configured the static ip from my provider. I am able to ping
> www.google.com from the vyatta web gui but not from one of the machines in
> the internal network. Please any help!!!
>
>
___
Vyatta-users mailing list
Vyatta-users@mailman.vyatta.com
http://mailman.vyatta.com/mailman/listinfo/vyatta-users


Re: [Vyatta-users] Question about OSPF syslog events

2007-12-21 Thread Justin Fletcher
Try lowering your syslog level to debug; the messages from OSPF are
likely filtered.

Best,
Justin Fletcher

On Dec 21, 2007 6:56 AM, Adair, Nick <[EMAIL PROTECTED]> wrote:
> Hi All,
> This is my configuration for syslog logging, right now we have
> everything turned on and going to our syslog host.  The problem is we
> are not seeing OSPF notifications, I'm not sure what we are missing.  We
> looked in the manuals (what a concept) and found the section "Sending
> OSPF messages to Syslog" and did what it indicated but it does not seem
> to send OSPF info, we do see syslog messages when logrotated runs, ssh
> logins, etc.  We want to know when a neighbor changes.  Any help would
> be greatly appreciated.
>
> protocols {
>     ospf4 {
>         router-id: 192.168.4.2
>         rfc1583-compatibility: false
>         ip-router-alert: false
>         traceoptions {
>             flag {
>                 all {
>                     disable: false
>                 }
>             }
>         }
>         area 0.0.0.0 {
>             area-type: "normal"
>             interface eth0 {
>                 link-type: "broadcast"
>                 address 192.168.3.4 {
>                     priority: 128
>                     hello-interval: 10
>                     router-dead-interval: 40
>                     interface-cost: 1
>                     retransmit-interval: 5
>                     transit-delay: 1
>                     passive: false
>                     disable: false
>                 }
>             }
>             interface eth1 {
>                 link-type: "broadcast"
>                 address 192.168.4.253 {
>                     priority: 128
>                     hello-interval: 10
>                     router-dead-interval: 40
>                     interface-cost: 1
>                     retransmit-interval: 5
>                     transit-delay: 1
>                     passive: false
>                     disable: false
>                 }
>             }
>         }
>     }
>     snmp {
>         community pilot {
>             client 192.168.100.104
>             client 192.168.100.105
>             authorization: "rw"
>         }
>         contact: ""
>         description: ""
>         location: ""
>     }
> }
> policy {
> }
> interfaces {
>     restore: false
>     loopback lo {
>         description: ""
>         address 192.168.4.2 {
>             prefix-length: 32
>             disable: false
>         }
>     }
>     ethernet eth0 {
>         disable: false
>         discard: false
>         description: "Uplink to RTR Cloud"
>         hw-id: 00:50:56:85:72:6f
>         duplex: "auto"
>         speed: "auto"
>         address 192.168.3.4 {
>             prefix-length: 24
>             disable: false
>         }
>     }
>     ethernet eth1 {
>         disable: false
>         discard: false
>         description: "Connectivity to Access Switch"
>         hw-id: 00:50:56:85:1e:3c
>         duplex: "auto"
>         speed: "auto"
>         address 192.168.4.253 {
>             prefix-length: 24
>             disable: false
>         }
>     }
> }
> ...
> system {
>     host-name: "vy-rtr-access"
>     domain-name: "pilot-bmc.com"
>     domain-search {
>         domain "calbro.ase"
>     }
>     name-server 192.168.100.100
>     time-zone: "GMT"
>     ntp-server "69.59.150.135"
>     static-host-mapping {
>         host-name "vy-rtr-access" {
>             inet: 192.168.4.2
>         }
>     }
> ...
>     syslog {
>         host "192.168.3.110" {
>             facility "*" {
>                 level: "info"
>             }
>         }
>     }
> ...
> }
>
>
> Nick
>
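Nick's configuration above is in the VC3 curly-brace format. As an added example (not Vyatta's code and not from anyone in the thread), here is a small parser for that format together with the checks a reviewer would run on such a paste before chasing neighbor changes: OSPF hello/dead timers per interface, the remote syslog target, and any read-write SNMP community. The function names and the trimmed sample configuration are constructed for this example.

```python
"""Parser and checks for the VC3 curly-brace config format quoted above."""

# Constructed sample (not Nick's full paste), trimmed to what the checks
# below inspect, with eth1's dead interval deliberately set off-convention.
SAMPLE_CONFIG = """\
protocols {
    ospf4 {
        area 0.0.0.0 {
            interface eth0 {
                address 192.168.3.4 {
                    hello-interval: 10
                    router-dead-interval: 40
                }
            }
            interface eth1 {
                address 192.168.4.253 {
                    hello-interval: 10
                    router-dead-interval: 30
                }
            }
        }
    }
    snmp {
        community pilot {
            client 192.168.100.104
            client 192.168.100.105
            authorization: "rw"
        }
    }
}
system {
    syslog {
        host "192.168.3.110" {
            facility "*" {
                level: "info"
            }
        }
    }
}
"""


def parse_config(text):
    """Nested dicts: block headers ('interface eth0 {') become keys (quotes
    removed), 'key: value' leaves map to the unquoted value, and repeated
    bare 'key value' lines (client ...) collect into a list under key."""
    root, stack = {}, []
    cur = root
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "...":  # blank lines and paste elisions
            continue
        if line == "}":
            cur = stack.pop()
        elif line.endswith("{"):
            stack.append(cur)
            cur = cur.setdefault(line[:-1].strip().replace('"', ""), {})
        elif ":" in line:
            key, _, val = line.partition(":")
            cur[key.strip()] = val.strip().strip('"')
        else:
            key, _, val = line.partition(" ")
            cur.setdefault(key, []).append(val.strip().strip('"'))
    if stack:
        raise ValueError("unbalanced braces in configuration")
    return root


def _blocks(node, kind):
    """Yield (name, subtree) for child blocks such as 'interface eth0'."""
    for key, sub in node.items():
        if key.startswith(kind + " ") and isinstance(sub, dict):
            yield key.split(None, 1)[1], sub


def ospf_timers(cfg):
    """Interface name -> (hello, dead) over all areas; absent values take
    the RFC 2328 broadcast defaults of 10 and 40 seconds."""
    timers = {}
    for _, area in _blocks(cfg.get("protocols", {}).get("ospf4", {}), "area"):
        for ifname, iface in _blocks(area, "interface"):
            for _, addr in _blocks(iface, "address"):
                timers[ifname] = (int(addr.get("hello-interval", 10)),
                                  int(addr.get("router-dead-interval", 40)))
    return timers


def timer_mismatches(cfg):
    """Interfaces whose dead interval is not four times hello, the ratio the
    quoted config uses. OSPF peers must agree on both values exactly, so an
    interface off the house convention is where to look first when a
    neighbor keeps changing state."""
    return sorted(n for n, (h, d) in ospf_timers(cfg).items() if d != 4 * h)


def rw_snmp_communities(cfg):
    """Community name -> client list for every read-write community."""
    return {name: node.get("client", []) for name, node in
            _blocks(cfg.get("protocols", {}).get("snmp", {}), "community")
            if node.get("authorization") == "rw"}


def syslog_targets(cfg):
    """(host, facility, level) for every remote syslog destination."""
    return [(host, fac, sub.get("level", ""))
            for host, node in _blocks(cfg.get("system", {}).get("syslog", {}), "host")
            for fac, sub in _blocks(node, "facility")]
```

Feed it the full paste (the `...` elision lines are skipped) and the rw community `pilot` and the per-interface timers come out in one pass.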


Re: [Vyatta-users] VPN under NAT

2007-12-18 Thread Justin Fletcher
If they are both in private address space, the issue is whether the two know
how to communicate with each other, as private address space isn't routeable --

Best,
Justin

On Dec 18, 2007 5:36 PM, Marco De Sortis <[EMAIL PROTECTED]> wrote:
>
>
> How to configure a VPN IPsec between 2 vyatta router both under NAT?
> I tested a lot but it seems to work only when at least one Vyatta is on the
> Internet (not under NAT)... no luck with both under NAT.
>
> This function:
>
> vyattaVPN1 internet <-NAT <- vyattaVNP2
>
> This NOT function:
>
> vyattaVPN1 -> NAT internet <-NAT <- vyattaVNP2
>
> Someone can help me please?
>
>


Re: [Vyatta-users] VRRP Release Timeframe?

2007-12-18 Thread Justin Fletcher
Yes, it's based on heartbeat, and it should allow you to specify any init.d
process as a service.  However, not all are fully integrated with the
router manager,
so you may run into issues.

Best,
Justin

On Dec 18, 2007 2:01 PM, Ken Price <[EMAIL PROTECTED]> wrote:
> Sanjoy,
>
> Thank you for your response.  It looks like the Clustering feature may
> just be the ticket.  I'll do some testing and give it a shot.  Is
> clustering based on Heartbeat?  Can I specify any /etc/init.d
> processes as a "service"?  That would allow me to potentially
> integrate QoS scripts, or IDS components (Snort/OSSEC) as well.
>
> -Ken
>
>
> > You may also want to take a look at the Clustering feature on VC3, though it
> > currently supports one backup node. I'll defer to expert users who may
> > comment on potential conflicts on getting keepalived working outside the
> > scope of the Vyatta CLI. Share with us any tips or tricks if you have
> > success doing so.
>
>
>
>


Re: [Vyatta-users] Explanation of RIP and BGP

2007-12-18 Thread Justin Fletcher
It's all basically correct - RIP is an interior gateway protocol,
designed to exchange
information inside a smaller network.  BGP is an exterior gateway
protocol, designed
to exchange information between networks.  BGP is what's used world-wide to keep
the internet running, so it's likely overkill for your network :-)

Your two practical choices are RIP and OSPF.  For a small network, RIP
would be fine,
and it'll keep track of what changes automagically :-)

OSPF will also do the trick, but some (like me) tend to find it overly
complex for a
smaller environment.  I expect others will have opinions here :-)

Best,
Justin Fletcher

On Dec 18, 2007 11:41 AM, Todd Worden <[EMAIL PROTECTED]> wrote:
>
>
>
>
> Hello Vyattans…
>
>
>
> I've got a home network setup with Vyatta OFR, my wireless router on one
> subnet and 3 servers on another.  I have been seeing a lot of buzz about BGP
> and RIP, and in spite of my reading and googling, I am not totally
> understanding what the difference is, what it is they provide, and mostly
> how one would benefit.  This might be because my network is comparatively
> small.
>
>
>
> So far I understand that these protocols are a way for routers to know their
> neighbors and calculate some metric that determines the quickest way to get
> to the desired destination.  This to me assumes that there could be several
> paths to the same place.  It also sounds like a router can know a neighbor's
> neighbor up to like 15 hops.  It even sounds like with these protocols if
> you unjack a router in a certain network topology and jack it in somewhere
> else, the router will re-learn where it is at and start routing stuff
> correctly and automagically.
>
>
>
> Is this all +/- correct?
>
>
>
> I suppose it would be difficult to answer given lack of familiarity with my
> network, so please excuse.  This has been quite an enjoyable hobby learning
> about networking and the underpinnings therein.
>
>
>
> Thanks!
>
>
>
> Todd


Re: [Vyatta-users] I broke all logging-- need help to restore it

2007-12-17 Thread Justin Fletcher
The default is minimal:

charon:~# cat /etc/syslog.conf
*.warning   /var/log/messages

And by default, there's no syslog configuration in the Vyatta
configuration file.

Best,
Justin

On Dec 17, 2007 3:33 PM,  <[EMAIL PROTECTED]> wrote:
> All,
>
> In my attempts to log firewall traffic (what I block and log) to another file 
> or syslog server, I have apparently failed and stopped all firewall logging 
> attempts. The router/firewall is still working properly, but now instead of 
> having to dig through the messages file for just firewall entries (grepping), 
> I get nothing. In fact, my /var/log/messages doesn't contain any entries at 
> all now.
>
> Could someone post the default syslog.conf file and whatever I need to 
> specify in the actual vyatta configuration for the defaults?
>
> I'd like to get back to where I was in logging.
>
> Thanks a lot,
>
> Aaron


Re: [Vyatta-users] Advises on configuring BGP

2007-12-17 Thread Justin Fletcher
It's hard to tell without the full configuration, but remember that you need
both a route out, as well as the rest of the internet needs to be able to
find their way back to you.  You can check to see if you're reachable
using an external traceroute; see www.traceroute.org to check and see
if you're reachable.

Best,
Justin

On Dec 17, 2007 2:05 AM, Poh Yong Hwang <[EMAIL PROTECTED]> wrote:
> Hi,
>
> I have managed to setup the BGP session with my peer and also based on the
> topic on Originating a Route to eBGP neighbors to announce my IP ranges.  I
> have set my eth1 ip to be XX.XX.XX.1/21 and connect one server directly to
> eth1 for testing. Setting XX.XX.XX.2 with subnet of 255.255.248.0 and
> XX.XX.XX.1 for default gateway on the server itself, I cannot go out of the
> internet (Cannot surf net using that server). Eth0 is link with the UTP
> cable provided by upstream for peering
>
> Is this the correct way to set it up?
>
> Please advise
>
> Thanks
>
> Regards
> Yongsan
>
>
>
> On Dec 14, 2007 12:24 PM, Poh Yong Hwang < [EMAIL PROTECTED]> wrote:
> > Hi,
> >
> > I have read the docs that was available but still have a few questions in
> mind. I have a UTP cable that was provided by the provider that I would like
> to peer with so I have plug it into my eth0. So what IP address should I set
> on my eth0? Where can I set the IP range XX.XX.XX.XX/21 that I want to
> announce?
> >
> > Please advise.
> >
> > Thanks!
> >
> > Yongsan
> >
> >
> >
> >
> >
> > On Dec 12, 2007 12:03 AM, Justin Fletcher < [EMAIL PROTECTED] > wrote:
> >
> > > Certainly; there's documentation with examples from
> > > http://www.vyatta.com/documentation/index.php or
> > > http://www.vyatta.com/twiki/bin/view/Community/DocumentationSet.
> > >
> > > Best,
> > > Justin
> > >
> > >
> > >
> > >
> > > On Dec 10, 2007 8:18 PM, Poh Yong Hwang <[EMAIL PROTECTED]> wrote:
> > > > Hi,
> > > >
> > > > Thanks! I am a noob in setting up BGP and we have the following info
> from
> > > > our upstream provider
> > > >
> > > > Upstream Router Server IP Address
> > > > Customer Primary Interface Address
> > > > Upstream Secondary Router Server IP Address
> > > > Customer Secondary Interface Address
> > > >
> > > > Plus my ASN number as well as my IP range XX.XX.XX.XX/21
> > > >
> > > > So is all this information enough to configure it? Are there any
> examples
> > > > I can follow?
> > > >
> > > > Thanks!
> > > >
> > > > Yongsan
> > > >
> > > >
> > > >
> > > >
> > > >
> > > > On Dec 11, 2007 11:33 AM, Justin Fletcher <[EMAIL PROTECTED]> wrote:
> > > > > Well, yes - Vyatta has full BGP support, so you'll be able to peer
> > > > > with your provider.
> > > > >
> > > > > Best,
> > > > > Justin
> > > > >
> > > > >
> > > > >
> > > > >
> > > > > On Dec 10, 2007 7:26 PM, Poh Yong Hwang < [EMAIL PROTECTED]> wrote:
> > > > > > Hi,
> > > > > >
> > > > > > New here and to Vyatta and hope to get advice on getting this
> up. I
> > > > wish
> > > > > > to setup a BGP router for our current setup (We have got our ASN
> number,
> > > > IP
> > > > > > range) and we will peer with our upstream provider for MLPA.
> > > > > >
> > > > > > Just some simple BGP routes for testing purposes. So just
> wondering if
> > > > > > Vyatta is able to do that?
> > > > > >
> > > > > > Thanks!
> > > > > >
> > > > > > Yongsan
> > > > > >


Re: [Vyatta-users] VRRP Confusion

2007-12-13 Thread Justin Fletcher
Ah, yes - you can't actually change the MAC on some hardware, so you end
up in this confused state and only see packets destined for the interface in
promiscuous mode (hence the suggestion to disable the virtual MAC . . .)

Justin

On Dec 13, 2007 12:29 PM, Allan Leinwand <[EMAIL PROTECTED]> wrote:
> A thought here that may help cut through some of the confusion.  I think
> that when you run tcpdump on the interface it places that interface into
> promiscuous mode. When in this mode, it can respond to pings to both the
> real IP address on the Ethernet and the virtual IP address (all packets are
> being received by the interface so when it sees one for its own IP
> addresses, it responds). However, when the interface is running VRRP and in
> non-promiscuous mode I am unsure if the real IP and the virtual IP both
> respond to pings.
>
> Final caveat: I have not tried any of this recently, so with my advice YMMV.
>
> Thanks,
>
> allan
>
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]  On Behalf Of Stig
> Thormodsrud
> Sent: Thursday, December 13, 2007 12:23 PM
> To: 'Daniel Stickney'; vyatta-users@mailman.vyatta.com; 'Daniel Stickney';
> vyatta-users@mailman.vyatta.com
>
> Subject: Re: [Vyatta-users] VRRP Confusion
>
> I wonder if this might be solved with the disable-vmac setting?
>
> stig
>
> > -Original Message-
> > From: [EMAIL PROTECTED] [mailto:vyatta-users-
> > [EMAIL PROTECTED] On Behalf Of Daniel Stickney
> > Sent: Wednesday, December 12, 2007 2:47 PM
> > To: vyatta-users@mailman.vyatta.com
> > Subject: [Vyatta-users] VRRP Confusion
> >
> > Hello everyone,
> >
> > I used google to search the mail list archive, but didn't get any
> > results for my issue. This is my second day working on the problem and
> > my colleagues don't have any suggestions. This post is a little long,
> > but I hope thorough enough to give all relevant information.
> > Here is my setup:
> >  vyatta01 - eth0:192.168.2.50, eth1:192.168.10.3
> >  vyatta02 - eth0:192.168.2.51, eth1:192.168.10.2
> >  laptop01 - eth0:192.168.10.11
> >
> > Laptop01 is connected to a switch, which also has cables from eth1 on
> > both vyatta01 and vyatta02 connected. Eth0 on both vyatta01 and
> > vyatta02 are connected into the main 192.168.2.0/24 network which has
> > internet connectivity. With a base configuration of a default route to
> > 192.168.2.21 on both vyatta01 and vyatta02, and the above IPs assigned
> > to their respective network cards, I can ping 192.168.10.2 and
> > 192.168.10.3 from laptop01; and I can ping 192.168.10.2 from vyatta01,
> > and I can ping 192.168.10.3 from vyatta02. Basically, everything can
> > ping everything.
> >
> > I then proceed to setup VRRP between vyatta01 and vyatta02 with the
> > following config:
> > --Vyatta02--
> > set interfaces ethernet eth1 vrrp vrrp-group 10
> > set interfaces ethernet eth1 vrrp virtual-address 192.168.10.1
> > set interfaces ethernet eth1 vrrp preempt true
> > set interfaces ethernet eth1 vrrp priority 150
> > commit
> > --Vyatta01--
> > set interfaces ethernet eth1 vrrp vrrp-group 10
> > set interfaces ethernet eth1 vrrp virtual-address 192.168.10.1
> > set interfaces ethernet eth1 vrrp preempt true
> > set interfaces ethernet eth1 vrrp priority 20
> > commit
> >
> > So vyatta02 is the master, VIP is 192.168.10.1. Immediately, and as
> > expected, I see in the output of "show vrrp" that vyatta02 considers
> > itself the master, and vyatta01 sees itself as the backup. In a
> > tcpdump from laptop01 I can see the VRRPv2 advertisements from
> > vyatta02 every second. At this time from laptop01 I am unable to ping
> > 192.168.10.1 or 192.168.10.2, but I can ping 192.168.10.3. The arp
> > table on laptop01 shows the following:
> > # arp -n
> > Address       HWtype  HWaddress          Flags Mask  Iface
> > 192.168.10.3  ether   00:1A:A0:2A:04:0A  C           eth0
> > 192.168.10.1  ether   00:00:5E:00:01:0A  C           eth0
> > 192.168.10.2  ether   00:00:5E:00:01:0A  C           eth0
> >
> >  From vyatta01, I am also unable to ping 192.168.10.1 and 192.168.10.2.
> > What is causing me great confusion is if on vyatta02 I login as root
> > and execute a "tcpdump -i eth1", instantly my pings from laptop01 and
> > vyatta01 to both 192.168.10.1 and 192.168.10.2 start getting responses.
> > As soon as I ctrl-c the tcpdump on vyatta02, the ping responses stop
> > again.
> >
> > If I reconfigure the VRRP priority of vyatta02 to be lower than
> > vyatta01, they change over to vyatta01 being the master, and vyatta02
> > as the backup. At this time from laptop01 I am able to ping
> > 192.168.10.1,
> > 192.168.10.2 and 192.168.10.3. In a tcpdump on laptop01 I see the VRRP
> > advertisements coming from 192.168.10.3 as expected. The arp table on
> > laptop01 now looks like this:
> > # arp -n
> > Address  HWtype  HWaddress   Flags
> > Mask   

Re: [Vyatta-users] IPsec and VRRP problem

2007-12-13 Thread Justin Fletcher
I'll definitely take you up on that, given the opportunity!

Justin

On Dec 13, 2007 2:24 AM, Senad Uka <[EMAIL PROTECTED]> wrote:
> Thank you - it finally works :)
> If you ever come to Bosnia (small country in the heart of Europe),
> I'll buy you cevapi ;)
> http://en.wikipedia.org/wiki/%C4%86evap%C4%8Di%C4%87i
>
> 2007/12/12, Justin Fletcher <[EMAIL PROTECTED]>:
>
> > Ah, piffle - looks like that bug was fixed after VC3 was released.  You need
> > to correct /opt/vyatta/sbin/vpn-config.pl .You can get the corrected
> > version from
> > http://suva.vyatta.com/git/?p=ofr.git;a=blob_plain;f=cli/scripts/vpn/vpn-config.pl;hb=HEAD
> > or you can just comment out the check, if you're
> > comfortable with perl.
> >
> > Best,
> > Justin
> >
> > On 12/12/07, Senad Uka <[EMAIL PROTECTED]> wrote:
> > > Now we have found the right one and again we have the same problem.
> > >
> > > I configured the router EXACTLY as it is written in the manual,
> > > clustering chapter :)
> > > But still, even if the cluster is up and running and I can ping the
> > > cluster ip addresses
> > > it doesn't let me set local ip on the ipsec peer configuration to the
> > > cluster ip address complaining that ip address is not address of the
> > > interface or cluster address ... I have attached the configuration of
> > > the first router
> > > Currently I set the local-ip to the physical interface's ip so I can
> > > commit and save the config ...
> > > also i didn't setup the second monitor node but as I understand, that
> > > should not be the problem.
> > > Configuration of second router is identical with respective interface
> > > ip addresses changed (and has the same problem with local-ip) ...
> > >
> > > On Dec 11, 2007 5:25 PM, Justin Fletcher <[EMAIL PROTECTED]> wrote:
> > > > Certainly.  Let me know if you need more information (though there's a 
> > > > new
> > > > clustering chapter in the documentation for this :-) )
> > > >
> > > > Best,
> > > > Justin
> > > >
> > > >
> > > > On Dec 11, 2007 8:22 AM, Senad Uka <[EMAIL PROTECTED]> wrote:
> > > > > Thank you for the quick answer.
> > > > >
> > > > >
> > > > > On Dec 11, 2007 5:11 PM, Justin Fletcher <[EMAIL PROTECTED]> wrote:
> > > > > > It is; clustering support was added recently exactly for scenarios 
> > > > > > such as this.
> > > > > > You'll need to set up WEST and WEST backup as cluster members, 
> > > > > > define
> > > > > > the IP addresses, and set up IPSec as the failover service.  This 
> > > > > > will actually
> > > > > > be using clustering instead of VRRP for your virtual address 
> > > > > > failover.
> > > > > >
> > > > > > Best,
> > > > > > Justin
> > > > > >
> > > > > >
> > > > > > On Dec 11, 2007 6:28 AM, Senad Uka <[EMAIL PROTECTED]> wrote:
> > > > > > > Hello.
> > > > > > >
> > > > > > > I am trying to setup a network similar to the one in the 
> > > > > > > configuration
> > > > > > > manual under pre-shared key IPSEC VPN settings section, but 
> > > > > > > adding a
> > > > > > > VRRP backup router to the router named WEST in the manual (page 
> > > > > > > 231).
> > > > > > >
> > > > > > >| SERVER |
> > > > > > >  192.168.40.7/24
> > > > > > >|
> > > > > > >|
> > > > > > >*  (virtual IP: 192.168.40.20)
> > > > > > > /  \
> > > > > > >   /  \
> > > > > > > /  \
> > > > > > > 192.168.40.6/24  192.168.40.5/24
> > > > > > >  | WEST |  | WEST backup |
> > > > > > >   192.0.2.2/26 192.168.0.2.3/26
> > > > > > >\/
> > > > > > >  \ /
> > > > > > >\ /
> >

Re: [Vyatta-users] R: R: Routing problem

2007-12-12 Thread Justin Fletcher
No problem - we all make them :-)

Justin

On 12/12/07, Andrea Zaini <[EMAIL PROTECTED]> wrote:
> ok ok !
>
> my error !
>
> sorry !   ;)
>
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Andrea
> Zaini
> Sent: Wednesday 12 December 2007 9.18
> To: [EMAIL PROTECTED]
> Subject: [Vyatta-users] R: Routing problem
>
>
>
> Details :
>
>
>   ExternalInternal   eth0  eth1
> .2   169.68.1  68.1068.869.10
> Router|--|FW| 
> --|Vyatta||PC| 192.168.69.1 - 
> Test2 Network
> 192.169.68.x  | Def GW : .68.10   
>GW: 192.168.69.10
>|   DHCP for Test2 Network
>  |
>|Test1 Network|
>   192.168.68.x
>   GW: 192.168.68.10
>
>
> In FW static route :
> #  IP            Mask            Gateway        Device    Distance
> 1  192.168.69.0  255.255.255.0   192.168.68.8   internal  1
> 2  0.0.0.0       0.0.0.0         192.169.68.2   external  2
>
>
> Thanks !
>
>
> -Original Message-
> From: Justin Fletcher [mailto:[EMAIL PROTECTED]
> Sent: Tuesday 11 December 2007 18.02
> To: Andrea Zaini
> Cc: [EMAIL PROTECTED]
> Subject: Re: [Vyatta-users] Routing problem
>
>
> Do the systems have their default gateway set to the Vyatta?  Is it the 
> directly
> connected interface?  Looking at your DHCP config, only systems on the .69
> network would be able to reach the .68, but those on the .68 wouldn't be able
> to reach the .69 network, unless their default gateway is configured
> with a static address.
>
> Not sure what the production network is --
>
> Justin
>
> On Dec 11, 2007 8:51 AM, Andrea Zaini <[EMAIL PROTECTED]> wrote:
> > I installed a router vyatta between Network Test1 192.168.68.0/24 and a 
> > Network Test2 192.168.69.0/24
> > From the PC in the test network I can start Outlook, program management 
> > etc. It can ping some networked computers... but not any PC in the 
> > Production Network!
> >
> > No  firewall configured !
> >
> > Thanks everyone!
> >
> >
> >
> > |FW| --|Vyatta||PC|   
> > 192.168.69.1 - Test2 Network
> >   |
> >   |
> >   |
> >|Test1 Network|
> >  192.168.68.x
> >
> >
> >
> >


Re: [Vyatta-users] IPsec and VRRP problem

2007-12-12 Thread Justin Fletcher
Ah, piffle - looks like that bug was fixed after VC3 was released.  You need
to correct /opt/vyatta/sbin/vpn-config.pl .You can get the corrected
version from
http://suva.vyatta.com/git/?p=ofr.git;a=blob_plain;f=cli/scripts/vpn/vpn-config.pl;hb=HEAD
or you can just comment out the check, if you're
comfortable with perl.

Best,
Justin

On 12/12/07, Senad Uka <[EMAIL PROTECTED]> wrote:
> Now we have found the right one and again we have the same problem.
>
> I configured the router EXACTLY as it is written in the manual,
> clustering chapter :)
> But still, even if the cluster is up and running and I can ping the
> cluster ip addresses
> it doesn't let me set local ip on the ipsec peer configuration to the
> cluster ip address complaining that ip address is not address of the
> interface or cluster address ... I have attached the configuration of
> the first router
> Currently I set the local-ip to the physical interface's ip so I can
> commit and save the config ...
> also i didn't setup the second monitor node but as I understand, that
> should not be the problem.
> Configuration of second router is identical with respective interface
> ip addresses changed (and has the same problem with local-ip) ...
>
> On Dec 11, 2007 5:25 PM, Justin Fletcher <[EMAIL PROTECTED]> wrote:
> > Certainly.  Let me know if you need more information (though there's a new
> > clustering chapter in the documentation for this :-) )
> >
> > Best,
> > Justin
> >
> >
> > On Dec 11, 2007 8:22 AM, Senad Uka <[EMAIL PROTECTED]> wrote:
> > > Thank you for the quick answer.
> > >
> > >
> > > On Dec 11, 2007 5:11 PM, Justin Fletcher <[EMAIL PROTECTED]> wrote:
> > > > It is; clustering support was added recently exactly for scenarios such 
> > > > as this.
> > > > You'll need to set up WEST and WEST backup as cluster members, define
> > > > the IP addresses, and set up IPSec as the failover service.  This will 
> > > > actually
> > > > be using clustering instead of VRRP for your virtual address failover.
> > > >
> > > > Best,
> > > > Justin
> > > >
> > > >
> > > > On Dec 11, 2007 6:28 AM, Senad Uka <[EMAIL PROTECTED]> wrote:
> > > > > Hello.
> > > > >
> > > > > I am trying to setup a network similar to the one in the configuration
> > > > > manual under pre-shared key IPSEC VPN settings section, but adding a
> > > > > VRRP backup router to the router named WEST in the manual (page 231).
> > > > >
> > > > >| SERVER |
> > > > >  192.168.40.7/24
> > > > >|
> > > > >|
> > > > >*  (virtual IP: 192.168.40.20)
> > > > > /  \
> > > > >   /  \
> > > > > /  \
> > > > > 192.168.40.6/24  192.168.40.5/24
> > > > >  | WEST |  | WEST backup |
> > > > >   192.0.2.2/26 192.168.0.2.3/26
> > > > >\/
> > > > >  \ /
> > > > >\ /
> > > > >  \ /
> > > > > *  (virtual IP: 192.0.2.1)
> > > > > |
> > > > > |
> > > > > |
> > > > >192.0.2.33/26
> > > > >   | EAST |
> > > > >192.168.60.8/24
> > > > >|
> > > > >|
> > > > >  192.168.60.7/24
> > > > > | CLIENT |
> > > > >
> > > > > Client communicates with server through IPSEC tunnel between EAST and
> > > > > WEST routers. IF the WEST router goes down WEST backup should take
> > > > > over.
> > > > > I have setup the routers according to manual and it worked. When I
> > > > > setup VRRP on the WEST, and set the ipsec peer on the EAST  to the
> > > > > virtual IP - the tunnel cannot be established.
> > > > > From the debug data for the ipsec I can see that the EAST is expecting
> > > > > a tunnel 192.68.60/24==

Re: [Vyatta-users] Routing problem

2007-12-11 Thread Justin Fletcher
Do the systems have their default gateway set to the Vyatta?  Is it the directly
connected interface?  Looking at your DHCP config, only systems on the .69
network would be able to reach the .68, but those on the .68 wouldn't be able
to reach the .69 network, unless their default gateway is configured
with a static address.

Not sure what the production network is --

Justin

On Dec 11, 2007 8:51 AM, Andrea Zaini <[EMAIL PROTECTED]> wrote:
> I installed a router vyatta between Network Test1 192.168.68.0/24 and a 
> Network Test2 192.168.69.0/24
> From the PC in the test network I can start Outlook, program management etc. 
> It can ping some networked computers... but not any PC in the 
> Production Network!
>
> No  firewall configured !
>
> Thanks everyone!
>
>
>
> |FW| --|Vyatta||PC|   
> 192.168.69.1 - Test2 Network
>   |
>   |
>   |
>|Test1 Network|
>  192.168.68.x
>
>
>
>


Re: [Vyatta-users] IPsec and VRRP problem

2007-12-11 Thread Justin Fletcher
It is; clustering support was added recently exactly for scenarios such as this.
You'll need to set up WEST and WEST backup as cluster members, define
the IP addresses, and set up IPSec as the failover service.  This will actually
be using clustering instead of VRRP for your virtual address failover.

Best,
Justin

On Dec 11, 2007 6:28 AM, Senad Uka <[EMAIL PROTECTED]> wrote:
> Hello.
>
> I am trying to setup a network similar to the one in the configuration
> manual under pre-shared key IPSEC VPN settings section, but adding a
> VRRP backup router to the router named WEST in the manual (page 231).
>
>| SERVER |
>  192.168.40.7/24
>|
>|
>*  (virtual IP: 192.168.40.20)
> /  \
>   /  \
> /  \
> 192.168.40.6/24  192.168.40.5/24
>  | WEST |  | WEST backup |
>   192.0.2.2/26 192.168.0.2.3/26
>\/
>  \ /
>\ /
>  \ /
> *  (virtual IP: 192.0.2.1)
> |
> |
> |
>192.0.2.33/26
>   | EAST |
>192.168.60.8/24
>|
>|
>  192.168.60.7/24
> | CLIENT |
>
> Client communicates with server through IPSEC tunnel between EAST and
> WEST routers. IF the WEST router goes down WEST backup should take
> over.
> I have setup the routers according to manual and it worked. When I
> setup VRRP on the WEST, and set the ipsec peer on the EAST  to the
> virtual IP - the tunnel cannot be established.
> From the debug data for the ipsec I can see that the EAST is expecting
> a tunnel 192.68.60/24===192.0.2.33...192.0.2.1===192.168.40.0/24 ,
> while the WEST doesn't use its virtual address and expects
> 192.168.40.0/24 ===192.0.2.2...192.0.2.33===192.68.60/24 so it cannot
> finish the phase 2 negotiation ...
> In order to solve it, I tried to setup the local-ip in ipsec
> configuration on the WEST side to virtual IP address (192.0.2.1) but i
> cannot commit the changes since vyatta does not recognize it as
> address of an interface
> (Message: Local IP specified for peer "192.0.2.33" has not been
> configured in any of the ipsec interfaces or clustering.)
>
> Is my requested behaviour even possible to achieve?  Am I missing something ?
> --
> LA ILAHE ILLA ENTE, SUBHANEKE INNI KUNTU MINE-ZZALIMIN


Re: [Vyatta-users] Advises on configuring BGP

2007-12-11 Thread Justin Fletcher
Certainly; there's documentation with examples from
http://www.vyatta.com/documentation/index.php or
http://www.vyatta.com/twiki/bin/view/Community/DocumentationSet.

Best,
Justin

On Dec 10, 2007 8:18 PM, Poh Yong Hwang <[EMAIL PROTECTED]> wrote:
> Hi,
>
> Thanks! I am a noob in setting up BGP and we have the following info from
> our upstream provider
>
> Upstream Router Server IP Address
> Customer Primary Interface Address
> Upstream Secondary Router Server IP Address
> Customer Secondary Interface Address
>
> Plus my ASN number as well as my IP range XX.XX.XX.XX/21
>
> So is all this information enough to configure it? Are there any examples
> I can follow?
>
> Thanks!
>
> Yongsan
>
>
>
>
>
> On Dec 11, 2007 11:33 AM, Justin Fletcher <[EMAIL PROTECTED]> wrote:
> > Well, yes - Vyatta has full BGP support, so you'll be able to peer
> > with your provider.
> >
> > Best,
> > Justin
> >
> >
> >
> >
> > On Dec 10, 2007 7:26 PM, Poh Yong Hwang < [EMAIL PROTECTED]> wrote:
> > > Hi,
> > >
> > > New here and to Vyatta and hope to get advice on getting this up. I
> wish
> > > to setup a BGP router for our current setup (We have got our ASN number,
> IP
> > > range) and we will peer with our upstream provider for MLPA.
> > >
> > > Just some simple BGP routes for testing purposes. So just wondering if
> > > Vyatta is able to do that?
> > >
> > > Thanks!
> > >
> > > Yongsan
> > >


Re: [Vyatta-users] Advises on configuring BGP

2007-12-10 Thread Justin Fletcher
Well, yes - Vyatta has full BGP support, so you'll be able to peer
with your provider.

Best,
Justin

On Dec 10, 2007 7:26 PM, Poh Yong Hwang <[EMAIL PROTECTED]> wrote:
> Hi,
>
> New here and to Vyatta and hope to get advice on getting this up. I wish
> to setup a BGP router for our current setup (We have got our ASN number, IP
> range) and we will peer with our upstream provider for MLPA.
>
> Just some simple BGP routes for testing purposes. So just wondering if
> Vyatta is able to do that?
>
> Thanks!
>
> Yongsan
>


Re: [Vyatta-users] Restricting traffic between networks

2007-12-10 Thread Justin Fletcher
While obvious, make certain that the computers on the 10.20.0.0/24
have the Vyatta
router as their default gateway --

Justin

On Dec 10, 2007 12:39 PM, Lance Franklin <[EMAIL PROTECTED]> wrote:
> After reading some of the recent posts and configuring only one
> interface, I have gotten this to work.
>
> With the below configuration, I can remote desktop from the
> 10.10.0.0/24 network to computers on the 10.20.0.0/24 network. The
> computers on the 10.20.0.0/24 network cannot get to any other network.
>   I may go back and add a firewall rule to the 10.20.0.0/24 interface
> and only allow established communication into the router.
>
>  ethernet eth0 {
>  disable: false
>  discard: false
>  description: "Production Network"
>  hw-id: 00:0e:0c:b8:4d:12
>  duplex: "auto"
>  speed: "auto"
>  address 10.10.0.199 {
>  prefix-length: 24
>  disable: false
>  }
>  firewall {
>  in {
>  name: "Prod2Dev"
>  }
>  }
>  }
>
>
>
> firewall {
>     log-martians: "enable"
>     send-redirects: "disable"
>     receive-redirects: "disable"
>     ip-src-route: "disable"
>     broadcast-ping: "disable"
>     syn-cookies: "enable"
>     name Prod2Dev {
>         description: "Production to Development"
>         rule 1 {
>             description: "Remote Desktop"
>             protocol: "tcp"
>             action: "accept"
>             log: "enable"
>             source {
>                 network: "10.10.0.0/24"
>             }
>             destination {
>                 network: "10.20.0.0/24"
>                 port-number 3389
>             }
>         }
>     }
> }
>
>
>
>
>
>
> Quoting Justin Fletcher <[EMAIL PROTECTED]>:
>
> > You also need to apply the firewall rules to an interface, as in
> >
> > firewall {
> >     in {
> >         name: "inbound"
> >     }
> >     local {
> >         name: "inbound"
> >     }
> > }
> >
> > In the above case, it's for inbound traffic, and traffic destined for
> > the router itself.
> >
> > Also remember that traffic will flow in both directions, unless you
> > just want to block the inbound traffic from the development network.
> >
> > Your current rule 4 prevents new connections - as well as everything else 
> > ;-)
> >
> > Looks like your rules 1-3 should have the matching source and
> > destination networks as rule 4; otherwise, that inbound traffic will
> > only match rule 4, and not match one of the earlier rules for
> > permitted traffic.
> >
> > Best,
> > Justin
> >
> > You can do a "show firewall" to see the rules on the system, as well
> > as enable logging for a rule to see where the traffic is being
> > dropped.
> >
> > Justin
> >
> > On Dec 6, 2007 3:42 PM, Lance Franklin <[EMAIL PROTECTED]> wrote:
> >> After reading through the Quick Guide to Configuration Statements, I see:
> >> state {
> >>     established: [enable|disable]
> >>     new: [enable|disable]
> >>     related: [enable|disable]
> >>     invalid: [enable|disable]
> >> }
> >>
> >> How can I add this to my rule 4 to prevent new connections to the work
> >> network from the development network?
> >>
> >> Would it be:
> >>
> >> rule 4 {
> >>     description: "10.10.0.0/24"
> >>     protocol: "all"
> >>     state {
> >>         new: enable
> >>     }
> >>     action: "drop"
> >>     log: "disable"
> >>     source {
> >>         network: "10.20.0.0/24"
> >>     }
> >>     destination {
> >>         network: "10.10.0.0/24"
> >>     }
> >> }
> >>
> >>
> >>
> >>
> >>
> >>


Re: [Vyatta-users] Restricting traffic between networks

2007-12-06 Thread Justin Fletcher
You also need to apply the firewall rules to an interface, as in

firewall {
    in {
        name: "inbound"
    }
    local {
        name: "inbound"
    }
}

In the above case, it's for inbound traffic, and traffic destined for
the router itself.

Also remember that traffic will flow in both directions, unless you
just want to block the inbound traffic from the development network.

Your current rule 4 prevents new connections - as well as everything else ;-)

Looks like your rules 1-3 should have the matching source and
destination networks as rule 4; otherwise, that inbound traffic will
only match rule 4, and not match one of the earlier rules for
permitted traffic.

Best,
Justin

You can do a "show firewall" to see the rules on the system, as well
as enable logging for a rule to see where the traffic is being
dropped.

Justin

On Dec 6, 2007 3:42 PM, Lance Franklin <[EMAIL PROTECTED]> wrote:
> After reading through the Quick Guide to Configuration Statements, I see:
> state {
>     established: [enable|disable]
>     new: [enable|disable]
>     related: [enable|disable]
>     invalid: [enable|disable]
> }
>
> How can I add this to my rule 4 to prevent new connections to the work
> network from the development network?
>
> Would it be:
>
> rule 4 {
>     description: "10.10.0.0/24"
>     protocol: "all"
>     state {
>         new: enable
>     }
>     action: "drop"
>     log: "disable"
>     source {
>         network: "10.20.0.0/24"
>     }
>     destination {
>         network: "10.10.0.0/24"
>     }
> }
>
>
>
>
>
>
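Putting the points from this thread together, here is a complete two-interface configuration written as an added illustration; it is not from the thread or from Vyatta's documentation. It assumes the development network is attached to eth1 with the router at 10.20.0.1/24 (the thread only shows eth0), and the rule set names and rule numbers are my own. On each side the state rule comes first, so replies to sessions that were already permitted are accepted without having to be re-matched by the per-service rules, and the catch-all drop is logged so that what is being blocked can be seen.

```vyatta
ethernet eth0 {
    description: "Production Network"
    address 10.10.0.199 {
        prefix-length: 24
    }
    firewall {
        in {
            name: "Prod2Dev"
        }
    }
}
ethernet eth1 {
    description: "Development Network (assumed interface and address)"
    address 10.20.0.1 {
        prefix-length: 24
    }
    firewall {
        in {
            name: "Dev2Prod"
        }
    }
}
firewall {
    name Prod2Dev {
        description: "Traffic entering eth0 from production"
        rule 1 {
            description: "Replies to sessions already permitted"
            protocol: "all"
            state {
                established: enable
                related: enable
            }
            action: "accept"
        }
        rule 2 {
            description: "Remote Desktop from production to development"
            protocol: "tcp"
            action: "accept"
            log: "enable"
            source {
                network: "10.10.0.0/24"
            }
            destination {
                network: "10.20.0.0/24"
                port-number 3389
            }
        }
        rule 100 {
            description: "Drop and log everything else"
            protocol: "all"
            action: "drop"
            log: "enable"
        }
    }
    name Dev2Prod {
        description: "Traffic entering eth1 from development"
        rule 1 {
            description: "Replies to sessions already permitted"
            protocol: "all"
            state {
                established: enable
                related: enable
            }
            action: "accept"
        }
        rule 2 {
            description: "No new sessions from development into production"
            protocol: "all"
            state {
                new: enable
            }
            action: "drop"
            log: "enable"
            source {
                network: "10.20.0.0/24"
            }
            destination {
                network: "10.10.0.0/24"
            }
        }
    }
}
```

With only Prod2Dev on eth0, as in the original post, hosts on 10.20.0.0/24 are kept out of production by routing alone; as soon as a route exists they could open sessions back into production, which is what the Dev2Prod state rule prevents. The thread also mentions the "local" hook for traffic addressed to the router itself; the rule set above does not apply it, so the router's own services on eth1 remain reachable from the development network unless a separate set is attached under "local". Check the result with "show firewall" or, as root, "iptables -L -n -v" (the counters show which rule is matching), and hits on the logged rules go to the kernel log via syslog.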


Re: [Vyatta-users] Logging Firewall

2007-12-04 Thread Justin Fletcher
"show firewall" will do it, or, as root, you can run iptables -L.

Best,
Justin

On Dec 4, 2007 7:52 AM, Andrea Zaini <[EMAIL PROTECTED]> wrote:
> Hi !
> I have created rules that are blocking web traffic to a range of IPs.
> There is a file where I can see the behavior of the Firewall?
>
> Thanks everyone!
>
>
>
>  Andrea Zaini
> (Gardesa S.p.A. - Sistemi Informativi)
> [EMAIL PROTECTED]
>   www.gardesa.com
>
> This e-mail and its attachments are strictly confidendial and are solely 
> intended for the use of the designated recipient. No one else is authorised 
> to read, copy, use, or modify the message nor distribute it. If you have 
> received this message by mistake please return it to the sender. Gardesa 
> S.p.A. declines any responsibility for this message if altered, distorted, 
> forged, printed or sent out without authorisation.


Re: [Vyatta-users] documentation suggestion

2007-12-03 Thread Justin Fletcher
There's an easier way - just edit /opt/vyatta/sbin/vrrpd.init to pass
in the -n flag to vrrpd; that disables the virtual MAC handling.

Best,
Justin

On Dec 3, 2007 4:02 PM, Jeff Stockett <[EMAIL PROTECTED]> wrote:
> FWIW, to verify if the r8169 driver problem was fixed, I built a
> 2.6.23.9 stock kernel and booted the router using it.  When I
> built it, I used the original config as a starting point:
>
> # cd /usr/src/linux
> # cp /boot/config.gz .
> # gunzip config.gz
> # make menuconfig  (and then load .config, check everything, and save)
>
> It boots up fine, but when it goes to start the router-mgr I get:
>
> Module ipt_rlsnmpstats not found.
>
> Is this a custom vyatta module maybe that isn't in the stock kernel?
> Should I just give up and buy some different NICs or is using a
> newer kernel potentially an option once this module issue is solved?
>
> Thanks,  Jeff
>
> P.S.  I apologize if I should have posted this to vyatta-hackers instead.
>
>
> - "Jeff Stockett" <[EMAIL PROTECTED]> wrote:
> > My vyatta test setup includes two identically equipped older athlon xp
> > systems where eth0=onboard nforce, eth[1-3]=r8169 based cards.
> > Everything is working fine on both systems, but this weekend I spent
> > about an hour trying to get VRRP to work for fail-over.  It works fine
> > on eth0 (onboard nforce) but I couldn't get it to work on eth1-3.  In
> > exploring the issue, it appears that not all drivers support the
> > ability to set the MAC address (which it appears VRRP needs).  I found
> > the following post:
> >
> > http://www.kernel.org/pub/linux/kernel/v2.6/snapshots/patch-2.6.22-git1.log
> >
> > It appears to indicate the r8169 driver didn't get the ability to set
> > its MAC address until sometime in kernel 2.6.22 which obviously does
> > me no good at the moment.
> >
> > This isn't a big deal financially, as the only reason I bought the
> > cards was that Fry's had them on sale for $4.99 each and they had a
> > low profile bracket which fit the cases I was using.  However, it
> > might be useful to put a blurb in the VRRP section of the
> > documentation stating that the card's driver must support setting the
> > MAC address for VRRP to work (and maybe even list which drivers
> > support and don't support it although I can see how this list might be
> > difficult to compile).
> >
> > FWIW, I also notice in:
> >
> > https://bugzilla.vyatta.com/show_bug.cgi?id=2370
> >
> > that the latest greatest build has support for a disable-vmac option -
> > but when I tried it in VC3 I just got syntax errors.  I'm assuming
> > this would fix the problem also as the card then wouldn't have to set
> > its MAC address but just use it as is?  How hard is it to upgrade to a
> > nightly build (we're still a few months away from production so I
> > wouldn't be too concerned with stability)?  Any suggestions other than
> > use a different card?  Thanks,  Jeff


Re: [Vyatta-users] regarding source code

2007-11-30 Thread Justin Fletcher
The application is independent of the Vyatta router functions, but
you'll need the Vyatta build environment defined by other packages.

If all you're looking for is iputils, you can get the Debian source
package, or iproute functions from
http://www.linux-foundation.org/en/Net:Iproute2 .

Best,
Justin

On Nov 30, 2007 12:02 AM, sridhar chom <[EMAIL PROTECTED]> wrote:
> Can we compile iputils alone by just downloading
> iputils? Does it need ofr also?
>


Re: [Vyatta-users] Error: 102 Command failed TCP/UDP Protocol must be specified

2007-11-29 Thread Justin Fletcher
Try VC3; there were a number of firewall issues addressed in that release.

Best,
Justin

On Nov 29, 2007 10:48 AM, Alain Kelder <[EMAIL PROTECTED]> wrote:
> Hello,
>
> I'm trying to set protocols to "all" for a "destination" NAT rule. But Vyatta 
> complains that it wants either TCP or UDP. However, in this awesome how-to, 
> they did just that: 
> http://www.openmaniak.com/vyatta_case6.php#ancre-configurations
>
> Here's what I tried:
>
> [EMAIL PROTECTED] edit service nat rule 35
> [edit service/nat/rule/35]
> [EMAIL PROTECTED] set protocols all
> [edit service/nat/rule/35]
> [EMAIL PROTECTED] commit
> [edit service/nat/rule/35]
> Commit Failed
> 102 Command failed TCP/UDP Protocol must be specified
>
> What's weird is that 'tab' (auto complete) shows "all" as an option:
>
> [EMAIL PROTECTED] set protocols
> `protocols' is ambiguous.
> Possible completions:
>   <[Enter]>Execute this command
>   all  Perform NAT on all protocol traffic
>   icmp Perform NAT on ICMP traffic only
>   tcp  Perform NAT on TCP traffic only
>   udp  Perform NAT on UDP traffic only
>
>
> I'm able to set protocols to "udp" or "tcp", but not "all". What I'd like is 
> this:
>
> rule 35 {
>     type: "destination"
>     translation-type: "static"
>     inbound-interface: "eth0"
> >   protocols: "all"
>     source {
>         network: 0.0.0.0/0
>     }
>     destination {
>         address: 65.xx.xx.xx
>         port-number 53
>     }
>     inside-address {
>         address: 10.10.3.20
>     }
> }
>
> Interestingly, Vyatta accepts "all" for a "source" NAT rule:
>
> rule 39 {
>     type: "source"
>     translation-type: "static"
>     outbound-interface: "eth0"
> >   protocols: "all"
>     source {
>         address: 10.10.3.20
>     }
>     destination {
>         network: 0.0.0.0/0
>     }
>     outside-address {
>         address: 65.xx.xx.xx
>     }
> }
>
> Any ideas?  Thanks a bunch in advance..  I'm at a loss!
>
> [EMAIL PROTECTED]> show version
> Version:VC2
> Built by:   [EMAIL PROTECTED]
> Built on:   200702080056 -- Thu Feb  8 00:56:19 UTC 2007
>
>