Re: [Vyatta-users] How to use gcc for VC3
You'll need to edit /etc/apt/sources.list to point to a Debian repository, then install using apt-get.

Best,
Justin

On Thu, Mar 20, 2008 at 2:19 AM, piyush sharma [EMAIL PROTECTED] wrote:
> Hi,
> I am using VC3. I need to compile a package on the Vyatta machine using gcc. I was not able to find it. Can you please help me out?
> Thanks,
> Piyush

___
Vyatta-users mailing list
Vyatta-users@mailman.vyatta.com
http://mailman.vyatta.com/mailman/listinfo/vyatta-users
Re: [Vyatta-users] Vyatta-Hackers inactive?
It's still active - sometimes no one has a good answer (yet) :-) The build system for VC4 is a bit complex, and some of the details are still being worked out; it'll be posted when it's ready to go, which should be any day now. After all, you've got to be able to build a project to contribute to it :-)

Best,
Justin

On Tue, Mar 4, 2008 at 10:47 AM, Venketesan [EMAIL PROTECTED] wrote:
> I am sorry if this is an inappropriate alias for the question. I was trying to ask some questions on the build of the community edition of vyatta in the Vyatta hackers list as well as the forum. But I did not receive any response. Besides, I also did not see any activity in there for the past week. Is the list/forum inactive or is there some place else I should look?
> Thanks,
> Venkat
Re: [Vyatta-users] Cluster heartbeat / change to ucast?
Not yet, but it is one of the enhancements requested in bug 2730 (https://bugzilla.vyatta.com/show_bug.cgi?id=2730). To keep it a permanent setting, you can modify the perl script that generates it; it's /opt/vyatta/sbin/vyatta-update-cluster.pl in VC4.

Best,
Justin

On Tue, Mar 4, 2008 at 11:01 AM, Chad Hurley [EMAIL PROTECTED] wrote:
> Thanks for the reply. Do you know if it is possible to specify this in the Vyatta configuration so that you don't need to reconfigure it each time?
> -CH
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Justin Fletcher
> Sent: Tuesday, March 04, 2008 11:16 AM
> To: [EMAIL PROTECTED]
> Subject: Re: [Vyatta-users] Cluster heartbeat / change to ucast?
>
> Yes, you can edit the configuration directly; however, you'll need to modify it again on reboot as it's created from the Vyatta configuration.
>
> Best,
> Justin
>
> On Tue, Mar 4, 2008 at 4:43 AM, Chad Hurley [EMAIL PROTECTED] wrote:
>> The heartbeat from my Vyatta cluster is creating errors on another cluster on my network. I would like to change the default bcast heartbeat to ucast. Does anyone know if it is safe to edit the following file directly without any adverse effects?
>>
>> File: /etc/ha.d/ha.cf
>> Current config:
>>   keepalive 1
>>   deadtime 4
>>   warntime 2
>>   initdead 120
>>   logfacility daemon
>>   bcast eth0 eth1
>>   auto_failback off
>>   node riv1 riv2
>>   ping 192.168.5.3 192.168.0.221
>>   respawn hacluster /usr/lib/heartbeat/ipfail
>>
>> I would like to replace the bcast line with:
>>   ucast eth0 192.168.5.5
>>   ucast eth1 192.168.0.252
>>
>> Anyone had luck with this type of config?
>> Thanks,
>> Chad
Re: [Vyatta-users] Problem sending prefixes to my upstream provider
On Fri, Feb 29, 2008 at 1:15 PM, Poh Yong Hwang [EMAIL PROTECTED] wrote:
> So the docs talking about Originating a route to eBGP Neighbours where it uses static instead of connected is not really correct? Sorry, trying to understand the difference between using a static route compared to using a connected method.

Think of a connected route as one that exists because you've defined an interface, and you're connected to that network. An interface of 192.168.2.3/24 will have a connected route of 192.168.2.0/24. A static route is one you define that's for a network that's remote to the router.

Justin
Re: [Vyatta-users] Booting from Live-CD
That's actually a harder problem - you can do it by changing where the system looks for configuration on boot, install to disk and then modify the files to change what's mounted and where the system looks for the configuration, or build from scratch and create your own LiveCD with the changes in it. In VC4, look in /etc/init.d/vyatta-ofr, /etc/default/vyatta, and /etc/default/vyatta-cfg. If you make the changes that let the system find the configuration on a flash drive, be sure to submit them back to the hackers list (or should that be forum??) for inclusion for others as well :-)

Best,
Justin

On Tue, Feb 26, 2008 at 9:23 PM, Christopher Johnson [EMAIL PROTECTED] wrote:
> Is there any way, other than floppy disk, to have the OFR get a configuration file on boot from CDROM? I'd love for it to be able to read from a USB thumb drive, load it from a TFTP site (use the standard boot methods to do so) or in any way to get a configuration file into the system without me being at the console. This is glendale VC4, Alpha 1, soon to be Alpha 2.
> Best,
> -Chris
> P.S. I did try load of an URL, and it died.
Re: [Vyatta-users] Booting from Live-CD
That's a nice idea. You'll still have to have a default location from which to start - which is the challenge of diskless systems :-) If

On Fri, Feb 29, 2008 at 4:07 PM, Christopher Johnson [EMAIL PROTECTED] wrote:
> Thanks for the pointer to /etc/init.d/vyatta-ofr and /etc/default/vyatta. What I would likely do is have a config file that has the equivalent of a #include which tries a sequence of locations:
>   /mnt/usb/config/config.boot
>   /mnt/flash/config/config.boot
>   /mnt/floppy/config/config.boot
>   /opt/vyatta/etc/config/config.boot
> By adding a simple Done or just having the config files overwrite each other in reasonable ways, we end up with a live CDROM that can boot on any machine yet find a configuration file. I'm actually going to have to look into a diskless version of Vyatta at some point. Thanks again for the pointers.
> Best,
> -Chris
>
> On Fri, Feb 29, 2008 at 6:33 PM, Justin Fletcher [EMAIL PROTECTED] wrote:
>> That's actually a harder problem - you can do it by changing where the system looks for configuration on boot, install to disk and then modify the files to change what's mounted and where the system looks for the configuration, or build from scratch and create your own LiveCD with the changes in it. In VC4, look in /etc/init.d/vyatta-ofr, /etc/default/vyatta, and /etc/default/vyatta-cfg. If you make the changes that let the system find the configuration on a flash drive, be sure to submit them back to the hackers list (or should that be forum??) for inclusion for others as well :-)
>> Best,
>> Justin
>>
>> On Tue, Feb 26, 2008 at 9:23 PM, Christopher Johnson [EMAIL PROTECTED] wrote:
>>> Is there any way, other than floppy disk, to have the OFR get a configuration file on boot from CDROM? I'd love for it to be able to read from a USB thumb drive, load it from a TFTP site (use the standard boot methods to do so) or in any way to get a configuration file into the system without me being at the console. This is glendale VC4, Alpha 1, soon to be Alpha 2.
>>> Best,
>>> -Chris
>>> P.S. I did try load of an URL, and it died.
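The location search Chris describes above, written out as an added example (this is not code from the thread or from Vyatta): a POSIX sh function that walks his ordered list of config.boot candidates and returns the first one it will accept. The root-ownership and not-writable checks are an assumption added here, since whatever config.boot is found gets applied with root privileges; TRUSTED_OWNER, trusted_file and find_boot_config are names chosen for this example.

```shell
#!/bin/sh
# Added example (not from the thread or from Vyatta): choose the first usable
# config.boot from an ordered list of locations, as Chris's "#include"-style
# search would. The candidate paths are the ones he listed, with the stock
# /opt/vyatta/etc/config/config.boot as the final fallback.

# Candidates, most-preferred first (one per line, no spaces in paths).
CANDIDATES="/mnt/usb/config/config.boot
/mnt/flash/config/config.boot
/mnt/floppy/config/config.boot
/opt/vyatta/etc/config/config.boot"

# Who may own a config file we are willing to apply. Assumption for this
# example: config.boot is applied as root, so a file on removable media is
# only accepted if root owns it and neither group nor world can write to it.
TRUSTED_OWNER=${TRUSTED_OWNER:-root}

# trusted_file PATH: exit 0 if PATH is a regular file owned by $TRUSTED_OWNER
# and not group- or world-writable; exit 1 otherwise (including when missing).
trusted_file() {
    [ -n "$(find "$1" -prune -type f -user "$TRUSTED_OWNER" \
                 ! -perm -g+w ! -perm -o+w -print 2>/dev/null)" ]
}

# find_boot_config [PATH ...]: print the first trusted candidate and exit 0;
# with no arguments use $CANDIDATES. Candidates that exist but fail the trust
# check are reported on stderr and skipped. Exit 1 if nothing qualifies.
find_boot_config() {
    if [ $# -eq 0 ]; then
        set -- $CANDIDATES
    fi
    for f in "$@"; do
        if trusted_file "$f"; then
            printf '%s\n' "$f"
            return 0
        fi
        if [ -e "$f" ]; then
            printf 'find_boot_config: skipping untrusted %s\n' "$f" >&2
        fi
    done
    printf 'find_boot_config: no usable config.boot found\n' >&2
    return 1
}

# Typical use from an init script:
#   if cfg=$(find_boot_config); then echo "booting with $cfg"; fi
```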
Re: [Vyatta-users] Glendale Alpha 1 ERROR!!!
However, make sure it's not already filed before you do - this was bug 2478 :-)
https://bugzilla.vyatta.com/show_bug.cgi?id=2478

Justin

On Thu, Feb 28, 2008 at 10:42 AM, Dave Roberts [EMAIL PROTECTED] wrote:
> File it for the bug bounty contest! ;-)
>
>> You are absolutely correct. Therefore the bug is: telnet is not properly mapped. *GRIN* Thanks for your help Stig.
>> Best,
>> -Chris
Re: [Vyatta-users] vrrp issues on VC3
Some systems have issues with the virtual MAC addresses - try the option to disable it.

Best,
Justin

On Mon, Feb 25, 2008 at 8:35 AM, Tobias Orlamuende [EMAIL PROTECTED] wrote:
> Ken,
> You might have seen the vrrp priority of 150 for eth2 on R2, which was just a test and was replaced with 20 a few days ago, but the problem still exists. Anyone else? ;-)
> Cheers
> Tobias
>
> Ken Rozinsky wrote:
>> Hello,
>> I'm in no way an expert but it looks to me like the priority on both your eth2 interfaces is set at 150. Setting the second to 20 might fix it for you.
>> Regards,
>> Ken
>>
>> Tobias Orlamuende wrote:
>>> Yes, all interfaces are GBit, but connected to a 100 MBit/s switch. Interfaces are Intel 82571EB and 82573E/82573L.
>>> /var/log/messages prints only errors like these ones:
>>>   Feb 25 13:34:24 localhost kernel: ll header: ff:ff:ff:ff:ff:ff:00:00:5e:00:01:04:08:06
>>>   Feb 25 13:35:25 localhost kernel: printk: 7 messages suppressed.
>>>   Feb 25 13:35:25 localhost kernel: martian source 78.138.64.54 from 78.138.64.71, on dev eth0
>>>   Feb 25 13:35:25 localhost kernel: ll header: ff:ff:ff:ff:ff:ff:00:00:5e:00:01:04:08:06
>>>   Feb 25 13:35:25 localhost kernel: martian source 78.138.64.54 from 78.138.64.71, on dev eth2
>>>   Feb 25 13:35:25 localhost kernel: ll header: ff:ff:ff:ff:ff:ff:00:00:5e:00:01:04:08:06
>>>   Feb 25 13:35:25 localhost kernel: martian source 78.138.64.74 from 78.138.64.71, on dev eth0
>>>   Feb 25 13:35:25 localhost kernel: ll header: ff:ff:ff:ff:ff:ff:00:00:5e:00:01:04:08:06
>>>   Feb 25 13:35:25 localhost kernel: martian source 78.138.64.74 from 78.138.64.71, on dev eth2
>>>   Feb 25 13:35:25 localhost kernel: ll header: ff:ff:ff:ff:ff:ff:00:00:5e:00:01:04:08:06
>>> Cheers
>>> Tobias
>>>
>>> Dave Strydom wrote:
>>>> are all the interfaces 1000Mbit interfaces? and if you login to the routers as root, what do you have in /var/log/messages ?
>>>> - Dave
>>>>
>>>> On Mon, Feb 25, 2008 at 12:54 PM, Tobias Orlamuende [EMAIL PROTECTED] wrote:
>>>>> Hi all,
>>>>> I set up 2 routers with VC3 and want them to do vrrp. Setup of vrrp was done exactly as described in the documentation. Unfortunately vrrp doesn't seem to work properly. On both routers vrrp seems to act as a master. When connecting to one of the physical addresses of one of the routers, I get packet loss of about 50%. The other router is fine, as well as their virtual IP.
>>>>>
>>>>> My setup looks as follows:
>>>>> Upstream via a small transfer-net 83.220.149.16/29 (eth0)
>>>>> The following networks are received through this transfer-net:
>>>>>   194.8.86.0/24 (eth2)
>>>>>   78.138.64.0/25 (eth1)
>>>>> Default route points to our upstream provider's router (83.220.149.17)
>>>>>
>>>>> Router1:
>>>>> [EMAIL PROTECTED] show interfaces
>>>>> loopback lo {
>>>>> }
>>>>> ethernet eth0 {
>>>>>     description: upstream
>>>>>     hw-id: 00:15:17:39:b6:8a
>>>>>     address 83.220.149.19 {
>>>>>         prefix-length: 29
>>>>>         broadcast: 83.220.149.23
>>>>>     }
>>>>>     vrrp {
>>>>>         vrrp-group: 3
>>>>>         virtual-address: 83.220.149.18
>>>>>         authentication: 123456
>>>>>         priority: 150
>>>>>     }
>>>>> }
>>>>> ethernet eth1 {
>>>>>     description: old-PA
>>>>>     hw-id: 00:15:17:39:b6:8b
>>>>>     address 78.138.64.71 {
>>>>>         prefix-length: 25
>>>>>         broadcast: 78.138.64.127
>>>>>     }
>>>>>     vrrp {
>>>>>         vrrp-group: 4
>>>>>         virtual-address: 78.138.64.1
>>>>>         priority: 150
>>>>>     }
>>>>> }
>>>>> ethernet eth2 {
>>>>>     description: old-local
>>>>>     hw-id: 00:30:48:91:96:06
>>>>>     address 194.8.86.1 {
>>>>>         prefix-length: 24
>>>>>         broadcast: 194.8.86.255
>>>>>     }
>>>>>     vrrp {
>>>>>         vrrp-group: 2
>>>>>         virtual-address: 194.8.86.254
>>>>>         priority: 150
>>>>>     }
>>>>> }
>>>>> ethernet eth3 {
>>>>>     hw-id: 00:30:48:91:96:07
>>>>> }
>>>>> [edit]
>>>>> [EMAIL PROTECTED] show vrrp
>>>>> Physical interface: eth0, Address: 83.220.149.19
>>>>>   Interface state: up, Group: 3, State: master
>>>>>   Priority: 150, Advertisement interval: 1s, Authentication type: simple
>>>>>   Preempt: yes, VIP count: 1, VIP: 83.220.149.18
>>>>>   Advertisement timer: 3310s, Master router: 83.220.149.19
>>>>>   Virtual MAC: 00:00:5E:00:01:03
>>>>> Physical interface: eth1, Address: 78.138.64.71
>>>>>   Interface state: up, Group: 4, State: master
>>>>>   Priority: 150, Advertisement interval: 1s, Authentication type: none
>>>>>   Preempt: yes, VIP count: 1, VIP: 78.138.64.1
>>>>>   Advertisement timer: 3310s, Master router: 78.138.64.71
>>>>>   Virtual MAC: 00:00:5E:00:01:04
>>>>> Physical interface: eth2, Address: 194.8.86.1
>>>>>   Interface state: up, Group: 2, State: master
>>>>>   Priority: 150, Advertisement interval: 1s, Authentication type: none
>>>>>   Preempt: yes, VIP count: 1, VIP: 194.8.86.254
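An added example, not from the thread: a POSIX sh/awk summary of the kernel "martian source" lines Tobias posted, so the pattern in them (one source address, 78.138.64.71, arriving on both eth0 and eth2) is visible at a glance. SAMPLE_LOG is copied from his excerpt; martian_triples, martian_suppressed and martian_multi_dev are names chosen for this example. Note that the source MAC in his "ll header" lines, 00:00:5e:00:01:04, is the group-4 virtual MAC from his show vrrp output, the same virtual MAC Justin's reply suggests disabling.

```shell
#!/bin/sh
# Added example (not from the thread): summarise the kernel "martian source"
# lines Tobias posted. The kernel prints "martian source <dst> from <src>, on
# dev <if>", so <src> is the address the packet claimed to come from and <if>
# the interface it arrived on where that address is not expected. "printk: N
# messages suppressed" is rate limiting, so the counts are a lower bound.

# Copied from the log excerpt in the thread (sample input for this example).
SAMPLE_LOG='Feb 25 13:34:24 localhost kernel: ll header: ff:ff:ff:ff:ff:ff:00:00:5e:00:01:04:08:06
Feb 25 13:35:25 localhost kernel: printk: 7 messages suppressed.
Feb 25 13:35:25 localhost kernel: martian source 78.138.64.54 from 78.138.64.71, on dev eth0
Feb 25 13:35:25 localhost kernel: ll header: ff:ff:ff:ff:ff:ff:00:00:5e:00:01:04:08:06
Feb 25 13:35:25 localhost kernel: martian source 78.138.64.54 from 78.138.64.71, on dev eth2
Feb 25 13:35:25 localhost kernel: ll header: ff:ff:ff:ff:ff:ff:00:00:5e:00:01:04:08:06
Feb 25 13:35:25 localhost kernel: martian source 78.138.64.74 from 78.138.64.71, on dev eth0
Feb 25 13:35:25 localhost kernel: ll header: ff:ff:ff:ff:ff:ff:00:00:5e:00:01:04:08:06
Feb 25 13:35:25 localhost kernel: martian source 78.138.64.74 from 78.138.64.71, on dev eth2
Feb 25 13:35:25 localhost kernel: ll header: ff:ff:ff:ff:ff:ff:00:00:5e:00:01:04:08:06'

# martian_triples: stdin = syslog lines; stdout = "count src dst dev" for each
# distinct (src, dst, dev), highest count first, ties in address order.
martian_triples() {
    awk '
        /kernel: martian source / {
            for (i = 1; i + 7 <= NF; i++) {
                if ($i == "martian" && $(i + 1) == "source") {
                    dst = $(i + 2); src = $(i + 4); dev = $(i + 7)
                    sub(/,$/, "", src)          # strip the trailing comma
                    n[src " " dst " " dev]++
                }
            }
        }
        END { for (k in n) print n[k], k }' | LC_ALL=C sort -k1,1rn -k2,4
}

# martian_suppressed: total of the rate-limiter "N messages suppressed" lines.
martian_suppressed() {
    awk '
        /printk: [0-9]+ messages suppressed/ {
            for (i = 1; i < NF; i++) if ($i == "printk:") s += $(i + 1)
        }
        END { print s + 0 }'
}

# martian_multi_dev: "src ndev" for every source seen on more than one
# interface. A source turning up on several interfaces, as in the sample, is
# worth checking against the interface and switch layout before looking at
# VRRP itself.
martian_multi_dev() {
    martian_triples | awk '
        { key = $2 SUBSEP $4; if (!(key in seen)) { seen[key] = 1; devs[$2]++ } }
        END { for (s in devs) if (devs[s] > 1) print s, devs[s] }' | LC_ALL=C sort
}

# Typical use on a live log instead of the sample:
#   grep "martian source" /var/log/messages | martian_multi_dev
```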
Re: [Vyatta-users] Clustering Causes Reboots
No, that's not intentional ;-) I haven't seen that before either - is there any information in the log files, or from show cluster status? Do you end up in a split-brain situation where the two systems can't exchange heartbeats? The reboot-on-panic option takes effect on kernel panic, so it shouldn't affect you here.

Justin

On Sun, Feb 24, 2008 at 2:55 PM, Ben Speckien [EMAIL PROTECTED] wrote:
> Hello
> I've been playing with clustering on VC3 (10/29/07) and I can't get it to work well. It seems that when one router moves from secondary to primary one or both routers have to reboot. Is this supposed to happen? Furthermore, if I disconnect the secondary router the primary router or both routers reboot when I reconnect the secondary router. I have set system options reboot-on-panic to false. It doesn't seem like the auto-failback option does anything and sometimes the primary router reboots every time I try to set it to true. Does the hardware make a difference?
> Thanks,
> Ben
Re: [Vyatta-users] MIssing the sysServices.0 OID from the MIB
Yes, it's not in the SNMP configuration file, but it's easy to fix. As root, add to /etc/snmp/snmpd.conf:
  sysServices 4
which shows that up to and including the internet layer is supported. Then run
  /opt/vyatta/sbin/snmpd.init restart
These are the commands for Glendale, but it'll either be the same or very similar for previous releases. I'll file a bug on it for you as well.

Justin

On Fri, Feb 22, 2008 at 3:11 PM, Philip McDonald [EMAIL PROTECTED] wrote:
> My OSS app is trying to discover a Vyatta NE and is being tripped up by the lack of a sysServices OID (.1.3.6.1.2.1.1.7.0) in the mib. Why does vyatta lack this OID while all other commercial NEs have this included in their system mib? As a work-around I've tried using snmpset to set the sysService OID but it tells me that the OID doesn't exist and it won't add the OID by default. Should I try snmpconfig? If so, how would I solve this problem?
> Thanks,
> P
Re: [Vyatta-users] Vyatta Crashing -- Have to reboot
Unfortunately, you need to restart the system to recover from these errors in this version. However, major changes have been made in Glendale, so you won't see these issues in the next release. Alpha 1 is available, so you can give it a try now.

Justin

On Thu, Feb 14, 2008 at 7:27 AM, [EMAIL PROTECTED] wrote:
> All,
> I have now been using vyatta at two of my locations (production) and it has been very promising. However, I have run into the problem where I essentially cannot do any more 'commits'. This can randomly happen on various things, but adding / removing an interface is definitely one of them. The only thing I can do to fix the issue is to reboot (init 6) the vyatta box and then add in my new configuration once it comes back up. I would like some help just troubleshooting / debugging, so I don't have to do a full restart to get back to a working condition. I am using VC 3. Below is an example log from /var/log/messages
>
>   Feb 14 09:10:57 localhost xorp_fea: [ 2008/02/14 09:10:57 ERROR xorp_fea:7163 FEA +99 /home/autobuild/builds/master/2007-10-24-0001/ofr/xorp/xorp/fea/ifconfig_set.cc push_config ] Interface error on eth0.398: interface not recognized
>   Feb 14 09:10:57 localhost xorp_rtrmgr: [ 2008/02/14 09:10:57 ERROR xorp_rtrmgr:3936 LIBXORP +741 /home/autobuild/builds/master/2007-10-24-0001/ofr/xorp/xorp/libxorp/run_command.cc done ] Command /opt/vyatta/sbin/commit_interface.sh: exited with exit status 255.
>   Feb 14 09:10:57 localhost xorp_rtrmgr: [ 2008/02/14 09:10:57 ERROR xorp_rtrmgr:3936 RTRMGR +1647 /home/autobuild/builds/master/2007-10-24-0001/ofr/xorp/xorp/rtrmgr/task.cc execute_done ] Error found on program stderr!
>   Feb 14 09:10:57 localhost xorp_rtrmgr: [ 2008/02/14 09:10:57 ERROR xorp_rtrmgr:3936 RTRMGR +701 /home/autobuild/builds/master/2007-10-24-0001/ofr/xorp/xorp/rtrmgr/master_conf_tree.cc commit_pass2_done ] Commit failed:
>
> Any suggestions would be appreciated. I believe what is 'fixing' my issue is restarting the CLI and possibly the router program -- perhaps I can do that on the command line without restarting the entire machine?
> Thanks
> -Aaron
Re: [Vyatta-users] Going to shell on Vyatta
However, changes made directly to /etc/passwd are not preserved on reboot, so you'd need to re-create the user account each time.

Justin

On Feb 11, 2008 3:44 AM, Davide Bologna [EMAIL PROTECTED] wrote:
> Usually the vyatta user is meant for router administration, so it has direct access to xorpsh, as configured in /etc/passwd. You can run the application from the root shell or, better, create a new user to run it. Remember that Vyatta is a specialized Linux, but is still Linux inside, so just useradd.
> Davide
>
> --- piyush sharma [EMAIL PROTECTED] wrote:
>> Sorry Stig, my question was meant for Vyatta in general. I didn't edit the subject line earlier. I have to run an application on the linux on the Vyatta machine. For that I require to go to the shell prompt. I wanted to know how I can do that. I have logged in as user vyatta on the router. Please help me.
>> Thanks,
>> Piyush
Re: [Vyatta-users] Going to shell on Vyatta
Log in as root; that'll give you the Linux shell.

Best,
Justin

On Feb 10, 2008 9:09 PM, piyush sharma [EMAIL PROTECTED] wrote:
> Sorry Stig, my question was meant for Vyatta in general. I didn't edit the subject line earlier. I have to run an application on the linux on the Vyatta machine. For that I require to go to the shell prompt. I wanted to know how I can do that. I have logged in as user vyatta on the router. Please help me.
> Thanks,
> Piyush
Re: [Vyatta-users] interface names move
It's just the order they were initially discovered by the system, and it can vary. It's also one of the reasons there's the hw-id parameter in the interfaces section - that way the interface you prefer is locked to an interface name. If you want to change the order, change the hw-id entry, either through the configuration commands, or edit config.boot directly (I prefer the latter to cut and paste) and reboot.

Justin

On Feb 8, 2008 5:05 AM, Dave Strydom [EMAIL PROTECTED] wrote:
> I've got two identical HP DL140 machines, both with additional Intel Dual Port 1000/PT cards.
>
> On the one machine (router 1):
>   Onboard NIC 1 = eth0
>   Onboard NIC 2 = eth1
>   Intel NIC 1 = eth2
>   Intel NIC 2 = eth3
>
> On the 2nd machine (router 2):
>   Onboard NIC 1 = eth2
>   Onboard NIC 2 = eth3
>   Intel NIC 1 = eth0
>   Intel NIC 2 = eth1
>
> How can two identical machines have the interface names switched around?
> - Dave
Re: [Vyatta-users] Vyatta running on appliance...
What's the last message before it hangs?

Justin

On Feb 7, 2008 2:12 PM, ken Felix [EMAIL PROTECTED] wrote:
> I'm doing the same but with a 2gb and 4gb fast Compact Flash. It runs great but I just noticed a problem in the last 2 days in my test lab and it (host) hangs at boot time. Could be my hardware or CF card or adapter. fwiw, Logic Supply has shipped their servers to me but so far I haven't received all of my new pieces for my project.
Re: [Vyatta-users] Possible OSPF problems
If you're pinging public - public, it's the same subnet, which means the devices are communicating directly, and not even going through the router, so OSPF shouldn't be an issue. Try a traceroute from one of the devices in question, or see if you can get a packet capture. COULD be a switch, spanning tree issue, interface configuration mismatch or . . .

Best,
Justin

On Feb 6, 2008 5:05 AM, Joe Pub [EMAIL PROTECTED] wrote:
> I think I have a problem with some OSPF routing. I have a small network setup (see attached image) which uses 2 OSPF areas, with 3 subnets. I have a LAN subnet (192.168.10.0/23, Area 0.0.0.1) and a DMZ subnet (172.20.0.0/23, Area 0.0.0.0) and a public subnet which is not configured using OSPF. I can connect and ping nodes from LAN -- DMZ no problem and can also ping from DMZ - Public no problem. But when I try to ping and connect to machines within my own public range LAN - Public I have some connectivity issues. Pings will take a while and time out, then eventually (2 - 10 seconds) it's like OSPF has figured out how to get there and they work. If those hosts then have not been contacted in a while since it started working, I have the ping and connectivity problems again. Does anyone have any idea where I might be going wrong here? Protocol config for both internal routers below with respective OSPF and routing tables. If you need further information please let me know. Thanks for the help.
>
> ---
> protocols {
>     ospf4 {
>         router-id: 10.1.1.1
>         rfc1583-compatibility: false
>         ip-router-alert: false
>         area 0.0.0.0 {
>             area-type: normal
>             interface eth1 {
>                 link-type: broadcast
>                 address 172.20.1.251 {
>                     priority: 128
>                     hello-interval: 10
>                     router-dead-interval: 40
>                     interface-cost: 1
>                     retransmit-interval: 5
>                     transit-delay: 1
>                     passive: false
>                     disable: false
>                 }
>             }
>         }
>         area 0.0.0.1 {
>             area-type: normal
>             interface eth0 {
>                 link-type: broadcast
>                 address 192.168.11.253 {
>                     priority: 128
>                     hello-interval: 10
>                     router-dead-interval: 40
>                     interface-cost: 1
>                     retransmit-interval: 5
>                     transit-delay: 1
>                     passive: false
>                     disable: false
>                 }
>             }
>         }
>     }
>     static {
>         disable: false
>     }
> }
>
> Routes: 8/8, Paths: 8/8
> 0.0.0.0/0          [ospf(1)]       to 172.20.1.253 via eth1
> 10.1.1.1/32        [connected(0)]  to 10.1.1.1 via lo
> 10.1.1.3/32        [ospf(2)]       to 172.20.1.253 via eth1
> 10.1.1.4/32        [ospf(2)]       to 172.20.1.252 via eth1
> 127.0.0.0/8        [connected(0)]  to 127.0.0.1 via lo
> 172.20.0.0/23      [connected(0)]  to 172.20.1.251 via eth1
> 192.168.10.0/23    [connected(0)]  to 192.168.11.253 via eth0
> 192.168.11.254/32  [connected(0)]  to 192.168.11.254 via eth0
>
> protocols {
>     ospf4 {
>         router-id: 10.1.1.2
>         rfc1583-compatibility: false
>         ip-router-alert: false
>         area 0.0.0.0 {
>             area-type: normal
>             interface eth1 {
>                 link-type: broadcast
>                 address 172.20.1.250 {
>                     priority: 128
>                     hello-interval: 10
>                     router-dead-interval: 40
>                     interface-cost: 1
>                     retransmit-interval: 5
>                     transit-delay: 1
>                     passive: false
>                     disable: false
>                 }
>             }
>         }
>         area 0.0.0.1 {
>             area-type: normal
>             interface eth0 {
>                 link-type: broadcast
>                 address 192.168.11.252 {
>                     priority: 128
>                     hello-interval: 10
>                     router-dead-interval: 40
>                     interface-cost: 1
>                     retransmit-interval: 5
>                     transit-delay: 1
>                     passive: false
>                     disable: false
>                 }
>             }
>         }
Re: [Vyatta-users] Possible OSPF problems
Ah - my mistake in terminology translation :-) Since it IS running through the router, turn on tshark on one of the router interfaces, see what's on the (virtual) wire when you start a ping. Does the router even see it inbound through the virtual switch?

Justin

On Feb 6, 2008 5:05 AM, Joe Pub [EMAIL PROTECTED] wrote:
> I think I have a problem with some OSPF routing. I have a small network setup (see attached image) which uses 2 OSPF areas, with 3 subnets. I have a LAN subnet (192.168.10.0/23, Area 0.0.0.1) and a DMZ subnet (172.20.0.0/23, Area 0.0.0.0) and a public subnet which is not configured using OSPF. I can connect and ping nodes from LAN -- DMZ no problem and can also ping from DMZ - Public no problem. But when I try to ping and connect to machines within my own public range LAN - Public I have some connectivity issues. Pings will take a while and time out, then eventually (2 - 10 seconds) it's like OSPF has figured out how to get there and they work. If those hosts then have not been contacted in a while since it started working, I have the ping and connectivity problems again. Does anyone have any idea where I might be going wrong here? Protocol config for both internal routers below with respective OSPF and routing tables. If you need further information please let me know. Thanks for the help.
>
> ---
> protocols {
>     ospf4 {
>         router-id: 10.1.1.1
>         rfc1583-compatibility: false
>         ip-router-alert: false
>         area 0.0.0.0 {
>             area-type: normal
>             interface eth1 {
>                 link-type: broadcast
>                 address 172.20.1.251 {
>                     priority: 128
>                     hello-interval: 10
>                     router-dead-interval: 40
>                     interface-cost: 1
>                     retransmit-interval: 5
>                     transit-delay: 1
>                     passive: false
>                     disable: false
>                 }
>             }
>         }
>         area 0.0.0.1 {
>             area-type: normal
>             interface eth0 {
>                 link-type: broadcast
>                 address 192.168.11.253 {
>                     priority: 128
>                     hello-interval: 10
>                     router-dead-interval: 40
>                     interface-cost: 1
>                     retransmit-interval: 5
>                     transit-delay: 1
>                     passive: false
>                     disable: false
>                 }
>             }
>         }
>     }
>     static {
>         disable: false
>     }
> }
>
> Routes: 8/8, Paths: 8/8
> 0.0.0.0/0          [ospf(1)]       to 172.20.1.253 via eth1
> 10.1.1.1/32        [connected(0)]  to 10.1.1.1 via lo
> 10.1.1.3/32        [ospf(2)]       to 172.20.1.253 via eth1
> 10.1.1.4/32        [ospf(2)]       to 172.20.1.252 via eth1
> 127.0.0.0/8        [connected(0)]  to 127.0.0.1 via lo
> 172.20.0.0/23      [connected(0)]  to 172.20.1.251 via eth1
> 192.168.10.0/23    [connected(0)]  to 192.168.11.253 via eth0
> 192.168.11.254/32  [connected(0)]  to 192.168.11.254 via eth0
>
> protocols {
>     ospf4 {
>         router-id: 10.1.1.2
>         rfc1583-compatibility: false
>         ip-router-alert: false
>         area 0.0.0.0 {
>             area-type: normal
>             interface eth1 {
>                 link-type: broadcast
>                 address 172.20.1.250 {
>                     priority: 128
>                     hello-interval: 10
>                     router-dead-interval: 40
>                     interface-cost: 1
>                     retransmit-interval: 5
>                     transit-delay: 1
>                     passive: false
>                     disable: false
>                 }
>             }
>         }
>         area 0.0.0.1 {
>             area-type: normal
>             interface eth0 {
>                 link-type: broadcast
>                 address 192.168.11.252 {
>                     priority: 128
>                     hello-interval: 10
>                     router-dead-interval: 40
>                     interface-cost: 1
>                     retransmit-interval: 5
>                     transit-delay: 1
>                     passive: false
>                     disable: false
>                 }
>             }
>         }
>     }
>     static {
>         disable: true
>     }
> }
>
> Routes: 7/7, Paths: 7/7
Re: [Vyatta-users] Transparent IP Mapping
Yes, the Vyatta will do this - with a LOT more control. Your Netopia is doing NAT for you; if you want it, you'll be able to configure it. By default, of course, NAT isn't configured on the Vyatta, so you'll have to set it up to get the results you want.

Best,
Justin

On Feb 6, 2008 7:42 AM, Rob Menzies [EMAIL PROTECTED] wrote:
> I currently have a Netopia R910 supporting my network. My ISP has provided me with a /29 subnet. The Netopia permits these additional IP addresses to be behind my R910 through what they call Transparent IP Mapping. These IP addresses live on the same switch as my 10.x.x.x/24 network. Does the Vyatta permit this? From what I've read, the VLAN looks like it will work, but some clarification would be appreciated. Here is the text from Netopia's site on the Transparent IP Mapping:
>
> If your ISP has assigned you multiple static IP addresses you may want to have one or more of these IPs assigned directly to hosts or servers behind the Netopia with NAT enabled. If you want to place a public IP onto the local workstation (i.e. not a 192.168.1.x address), then this Quick Guide will take you through this process step-by-step. How this is done will be determined by the type of routing (or bridging) handled from the ISP. The IPs can be routed to the Ethernet interface of the router, or be bridged to you on the WAN interface. This configuration will transparently map your public IP addresses in a way that will allow you to configure workstations behind the router to hold these public IP addresses and make them publicly accessible, bypassing the NAT process on this secondary subnet.
Re: [Vyatta-users] vLAN Switch
Definitely. It's part of the VLAN tag.

Best,
Justin

On Feb 4, 2008 9:26 PM, Go Wow [EMAIL PROTECTED] wrote:
> Hey, I have configured vlan in vyatta and bought a vlan enabled switch, a D-link DES-1226. I want to know, when configuring the switch, whether I need to give the VID in the switch the same as the vLAN ID created in vyatta?
Re: [Vyatta-users] Bandwidth limitation
Coming soon in a Glendale build near to you :-)

Justin

On Feb 4, 2008 9:26 PM, Dams [EMAIL PROTECTED] wrote:
> Hi,
> I would like to know if there is an option in vyatta to limit the bandwidth on a specific ip or all ips?
> Thanks
> --
> Cordialement / Sincerely
> Dams
Re: [Vyatta-users] ps3
Port forwarding should be straightforward with the Vyatta CLI; look for recent ssh examples on this list. Personally, I'd create a rule for each protocol and port/port range.

Best,
Justin

On Feb 4, 2008 8:31 PM, Nathan McBride [EMAIL PROTECTED] wrote:
> Hey guys,
> I finally got my old comp which is running vyatta to now be a wireless vyatta router. So I can connect my Playstation 3 to the router and it goes on the network and most things work. However it only has what playstation calls nat3. This is because it isn't getting all the ports it needs. The playstation 3 needs:
> • TCP Ports: 80, 443, 5223, and 10070 - 10080
> • UDP Ports: 3478, 3479, 3658, and 10070
> I don't care about 80 and 443. However I really want to get nat2 working because I'm having issues with Unreal III. What would be the best way to do this? Can / should I create an iptables rule to make a DMZ zone? I had to make the firewall with iptables not vyatta cause I couldn't figure it out... :'( Should I just create a nat rule for each port and forward it to my playstation's ip after setting it as static?
> Thanks,
> Nate
Re: [Vyatta-users] Firewall Logs
Yes, I've had it enabled and working before. The traffic needs to hit a firewall rule before it'll be logged; you may also need to adjust the global log level down from its current default of warning to informational or lower. Justin On Feb 1, 2008 2:12 PM, Go Wow [EMAIL PROTECTED] wrote: But it doesn't show me the required information, did you try it? I want to make sure that somebody did try it and it's working for them, because currently it isn't working for me :( . ___ Vyatta-users mailing list Vyatta-users@mailman.vyatta.com http://mailman.vyatta.com/mailman/listinfo/vyatta-users
Re: [Vyatta-users] Managing different subnet with different gateway
To summarize, traffic doesn't know anything about where it's been. There's no guarantee that traffic will go back the same route it came in; asymmetric routing is very common. All a router knows is the IP address of the destination packet it needs to forward; it'll then use its routing information to select the next hop router, which then makes its own independent decision. It's a little simplified :-) but pretty much the case. So yes - think both directions - how the request packet comes in, and how the response packet is routed back. Best, Justin On Jan 31, 2008 11:13 AM, Daren Tay [EMAIL PROTECTED] wrote: Hi all, I've been toying with this mini project and have some quite interesting findings... the problem persists somehow... help would be appreciated. Btw, these are for a web infrastructure setup purpose.

Setup
01 x main router --- this is the router that is to manage 2 different subnets, and ensure that their outgoing traffic goes by a fixed gateway, and not just the default gateway.
02 x laptop --- they simulate the 2 internal subnets
02 x small routers (one Linksys, one Vyatta) --- they simulate the different subnets of the outgoing connection, the gateways

For the main router:
eth0: 192.168.2.1 /24 -- to small router (vyatta)
eth1: 192.168.3.1 /24 -- to small router (linksys)
eth2: 192.168.20.1 /24 -- laptop1 (192.168.20.2)
eth3: 192.168.30.1 /24 -- laptop2 (192.168.30.2)

For the small routers
:: vyatta ::
LAN -- 192.168.2.2
WAN -- 192.168.1.232
Gateway -- 192.168.1.1
:: linksys ::
LAN -- 192.168.3.2
WAN -- 192.168.1.233
Gateway -- 192.168.1.2
*Note: both gateways are separate ADSL modems

So I go ahead and set them up normally, with default routing pointed to either one. Everything works fine. Both laptops can ping each other and can ping the gateway and beyond (internet). No problem. So I attempt to test the ip tool.

IP Tool = Based on what was advised, I looked through, tried and read... I created 2 ip route tables (other than the default). I added the following ip routes:
ip route add default via 192.168.2.2 dev eth0 tab 1
ip route add default via 192.168.3.2 dev eth1 tab 2
As you can see, table 1 is for routing out through the vyatta small router, table 2 through the linksys small router. I then add the following:
ip rule add from 192.168.20.0/24 tab 1 priority 500
ip rule add from 192.168.30.0/24 tab 2 priority 600
At this point, nothing works anymore. My 2 subnets cannot ping out anymore. I then copied the entries from ip route show and put them into table 1 and table 2. This way, the routes for ip route show, ip route show table 1, ip route show table 2 are the same, except the default path. Btw, there is no default path in ip route show.

Problem - After doing the above... the default path via the linksys router works fine... but the vyatta (small router) totally cannot work. I can still ping both its ports (LAN and WAN), but nothing beyond, not even the 1.0 network with the modems... I'm not sure why, and I am hoping some kind folks may shed some light on this. Would appreciate this. The main vyatta router can ping through all of them though. So far, am I doing it correctly?

Another question though: without going through this testing... incoming traffic to the 2 different subnets will naturally go through their respective gateways. The question is whether the outgoing traffic will go through the correct gateway, or just the default gateway... hence after getting advice from the good folks, I began testing... but something just struck me... say I don't do any of these tests. I just leave it be. So when people serve either websites (from the different subnets), the DNS resolution will naturally bring them through the different gateway and on to the appropriate subnet right? If that's the case, when the request returns to the user, will it go back by the way it came from, or via the default gateway...? My worry is that it will go through the default gateway, hence I asked about this whole test. But thinking about it.. it can go back the way it came from, isn't it? Sorry about the lengthy question, networking amateur here :) Many thanks for the patience and interest! Daren ___ Vyatta-users mailing list Vyatta-users@mailman.vyatta.com http://mailman.vyatta.com/mailman/listinfo/vyatta-users
Re: [Vyatta-users] Dual-screened subnet
You apply a firewall on an interface basis, and whether it's inbound, outbound, or local to the router, so I think that'll do what you want (if I'm interpreting correctly). Best, Justin On Jan 22, 2008 8:58 AM, Elías Manchón López [EMAIL PROTECTED] wrote: Hi Folks! I need to set up a dual-screened subnet and I'm thinking of using Vyatta on the two PCs, each with two NICs: the front firewall and the back firewall. I don't know if this is possible with Vyatta and if I will have some limitation. I think that the front router will do NAT and the back router will do routing. What do you think about this issue? Thanks in advance. ___ Vyatta-users mailing list Vyatta-users@mailman.vyatta.com http://mailman.vyatta.com/mailman/listinfo/vyatta-users
Re: [Vyatta-users] Unable to login, solved by reboot
As you can see, nothing jumps out in the log. A detailed search may turn up more information; otherwise, at least you've got a work-around :-) Justin On Jan 29, 2008 2:48 PM, Jostein Martinsen-Jones [EMAIL PROTECTED] wrote: Log result attached. I managed to login if I changed the passwords for my troubled users. Sometimes the encrypted-password didn't get encrypted. 2008/1/29, Justin Fletcher [EMAIL PROTECTED]: Give show log | match ERROR a try. Justin On Jan 29, 2008 2:00 PM, Jostein Martinsen-Jones [EMAIL PROTECTED] wrote: I have this problem again. Now I was able to login to a user account I created, but unable to view logfiles since I'm in xorpsh. 2008/1/28, Justin Fletcher [EMAIL PROTECTED]: Anything untoward in the log files? Justin On Jan 28, 2008 7:29 AM, Jostein Martinsen-Jones [EMAIL PROTECTED] wrote: Today I had a weird experience with Vyatta. I was unable to login on any account. Did a reboot, then everything was normal. What is going on? ___ Vyatta-users mailing list Vyatta-users@mailman.vyatta.com http://mailman.vyatta.com/mailman/listinfo/vyatta-users
Re: [Vyatta-users] Managing different subnet with different gateway
Yes, eth0 and eth1 should be on different subnets; if not, the router doesn't know which interface should be used to send traffic to another device on that subnet. Best, Justin On Jan 30, 2008 7:47 AM, Daren Tay [EMAIL PROTECTED] wrote: Hi guys, I revisited the issue after getting a box to test. I have set up a vyatta router with 4 ports:
eth0: 192.168.1.232 (WAN) - simulate gateway#1
eth1: 192.168.1.233 (WAN) - simulate gateway#2
eth2: 192.168.20.1 (LAN) - simulate LAN #1, represented by a laptop 192.168.20.2 :: to route through eth0 for gateway 192.168.1.1
eth3: 192.168.30.1 (LAN) - simulate LAN #2, represented by a laptop 192.168.30.2 :: to route through eth1 for gateway 192.168.1.2
I can't get eth3 to work somehow.. I think the laptop needs to be connected using a cross cable (using different laptops) but the .20.x side is working fine. As attached is the config. I then run the ip tool on 192.168.30.0.. but I still can't route out. When I set the gateway, it routes out, but via that gateway... both 192.168.1.1 and 1.2 are ADSL modems... or should I be ensuring both eth0 and eth1 are on different subnets? Below is the config I did...
vyatta:~# ip route add default via 192.168.1.2 dev eth1 tab 2
vyatta:~# ip rule add from 192.168.30.0/24 tab 2 priority 600
vyatta:~# ip route list
192.168.20.0/24 dev eth2 proto kernel scope link src 192.168.20.1
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.232
192.168.1.0/24 dev eth1 proto kernel scope link src 192.168.1.233
192.168.30.0/24 dev eth3 proto kernel scope link src 192.168.30.1
vyatta:~# ip rule list
0: from all lookup 255
600: from 192.168.30.0/24 lookup 2
32766: from all lookup main
32767: from all lookup default
Food for thought? More testing to be done tomorrow! Thanks folks!
Daren -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Daren Tay Sent: Tuesday, January 08, 2008 11:50 AM To: Robert Bays Cc: vyatta-users@mailman.vyatta.com Subject: Re: [Vyatta-users] Managing different subnet with different gateway Ok Robert, will take note of that. My concern is just to ensure the 2 subnets have their traffic routed through their respective gateways as different bandwidth is purchased for them :) Thanks man! Daren -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Robert Bays Sent: Tuesday, January 08, 2008 2:59 AM To: vyatta-users@mailman.vyatta.com Subject: Re: [Vyatta-users] Managing different subnet with different gateway Daren, I would still setup a global default route in the router to handle traffic not explicitly source routed. Cheers, Robert. Daren Tay wrote: Hi guys, one more question: say I do the below mentioned way to have a multi-gateway setup, but there'll still be a default gateway set in xorpsh yeah? Will this affect how traffic is routed out? Or should I just do away with the default gateway setup? Thanks! Daren -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Daren Tay Sent: Saturday, January 05, 2008 12:32 PM To: vyatta-users@mailman.vyatta.com Subject: Re: [Vyatta-users] Managing different subnet with different gateway Ah silly me, the obvious. Thanks! Daren -Original Message- From: Robert Bays [mailto:[EMAIL PROTECTED] Sent: Saturday, January 05, 2008 7:00 AM To: Daren Tay Cc: vyatta-users@mailman.vyatta.com Subject: Re: [Vyatta-users] Managing different subnet with different gateway Running traceroute from a system on each subnet should show you different paths. cheers. Daren Tay wrote: Cool guys :) I'm gonna give the ip rule a test when I head back to office on Monday, but how do I determine that it is working? Once that is done, I'll look into the bandwidth throttling. 
Daren -Original Message- From: Robert Bays [mailto:[EMAIL PROTECTED] Sent: Saturday, January 05, 2008 5:17 AM To: Daren Tay Cc: vyatta-users@mailman.vyatta.com Subject: Re: [Vyatta-users] Managing different subnet with different gateway Daren, Yep. The tool is the standard Linux ip command. The ip rule from part tells the system that anything from this address should go to table n. Each table has a separate default route. XORP *shouldn't* kill these routes since they aren't in the master table. YMMV. As Aubrey correctly pointed out, you will want to add these commands to your startup files so they are added at each boot. As for tracking bandwidth, you could also poll interface stats using SNMP and rrdtool/mrtg. (ifOutOctets) Good Luck! Cheers, Robert. Daren Tay wrote: Hi guys, yeah I want to route them out different gateways. What is this ip tool you are referring to? you mean the
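The lookups in the two multi-gateway threads above (per-subnet `ip rule` entries pointing at tables that at first held only a default route, and later two WAN ports numbered out of the same subnet) can be reasoned about with a small model of how the kernel selects a route. The following is an added example written for this page, not code from Vyatta or from anyone on the list: it models only rule priority and longest-prefix match (no reverse-path filtering, ARP or NAT), and the addresses, table numbers and priorities are the ones Daren posted.

```python
"""Simplified model of Linux policy routing: `ip rule` entries are tried in
priority order, and inside the chosen table the longest matching prefix wins.
Added example for the multi-gateway threads; lookup semantics only."""
import ipaddress


def route(prefix, dev, via=None):
    """One table entry: destination prefix, outgoing device, optional gateway."""
    return (ipaddress.ip_network(prefix), dev, via)


def lookup_table(table, dst):
    """Longest-prefix match; on equal prefix length the first entry wins,
    which is what happens when two interfaces carry the same subnet."""
    best = None
    for entry in table:
        prefix = entry[0]
        if dst in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = entry
    return best


def lookup(rules, tables, src, dst):
    """Return (table, dev, via) for a packet, or None if nothing matches.
    A rule whose table has no matching route falls through to the next rule,
    as the kernel does with `ip rule`."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for _prio, selector, table in sorted(rules, key=lambda r: r[0]):
        if selector is not None and src not in ipaddress.ip_network(selector):
            continue
        hit = lookup_table(tables.get(table, []), dst)
        if hit is not None:
            return table, hit[1], hit[2]
    return None


# Connected routes of the main router: eth0/eth1 toward the two small
# routers, eth2/eth3 toward the two laptops (Daren's first lab).
CONNECTED = [
    route("192.168.2.0/24", "eth0"),
    route("192.168.3.0/24", "eth1"),
    route("192.168.20.0/24", "eth2"),
    route("192.168.30.0/24", "eth3"),
]

# `ip rule add from 192.168.20.0/24 tab 1 priority 500` and friends; the
# main table is the implicit rule at priority 32766.
RULES = [(500, "192.168.20.0/24", "1"), (600, "192.168.30.0/24", "2"), (32766, None, "main")]


def tables_default_only():
    """Tables 1 and 2 hold nothing but the per-gateway default route."""
    return {
        "1": [route("0.0.0.0/0", "eth0", "192.168.2.2")],
        "2": [route("0.0.0.0/0", "eth1", "192.168.3.2")],
        "main": list(CONNECTED),
    }


def tables_with_connected():
    """Same, after copying the connected routes into tables 1 and 2."""
    tables = tables_default_only()
    tables["1"] = CONNECTED + tables["1"]
    tables["2"] = CONNECTED + tables["2"]
    return tables


def tables_shared_wan_subnet():
    """Daren's later lab: eth0 and eth1 both numbered out of 192.168.1.0/24."""
    return {
        "2": [route("0.0.0.0/0", "eth1", "192.168.1.2")],
        "main": [
            route("192.168.20.0/24", "eth2"),
            route("192.168.1.0/24", "eth0"),
            route("192.168.1.0/24", "eth1"),
            route("192.168.30.0/24", "eth3"),
        ],
    }


if __name__ == "__main__":
    for tables in (tables_default_only(), tables_with_connected()):
        print(lookup(RULES, tables, "192.168.20.2", "8.8.8.8"),
              lookup(RULES, tables, "192.168.20.2", "192.168.30.2"))
    print(lookup(RULES, tables_shared_wan_subnet(), "192.168.1.233", "192.168.1.2"))
```

With only a default route in table 1, a packet from laptop1 to laptop2 is sent to the small router on eth0 instead of straight out eth3, because the rule for 192.168.20.0/24 never consults the main table once table 1 has any match; copying the connected routes into each table, as Daren did, restores the direct path while keeping the per-subnet default. The shared-subnet case shows why Justin asks for distinct WAN subnets: with two equal /24 routes the first one always wins, so the router has no way to reach 192.168.1.2 through eth1.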
Re: [Vyatta-users] Unable to login, solved by reboot
Maybe . . . However, much of this has been resolved with associated changes in Glendale. Give Alpha 1 a try - I doubt you'll see it there :-) Best, Justin On Jan 30, 2008 12:43 PM, Jostein Martinsen-Jones [EMAIL PROTECTED] wrote: But I feel that the only reason I didn't have to reboot is luck :( Maybe next time I'm unable to login with any account? 2008/1/30, Justin Fletcher [EMAIL PROTECTED]: As you can see, nothing jumps out in the log. A detailed search may turn up more information; otherwise, at least you've got a work-around :-) Justin On Jan 29, 2008 2:48 PM, Jostein Martinsen-Jones [EMAIL PROTECTED] wrote: Log result attached. I managed to login if I changed the passwords for my troubled users. Sometimes the encrypted-password didn't get encrypted. 2008/1/29, Justin Fletcher [EMAIL PROTECTED]: Give show log | match ERROR a try. Justin On Jan 29, 2008 2:00 PM, Jostein Martinsen-Jones [EMAIL PROTECTED] wrote: I have this problem again. Now I was able to login to a user account I created, but unable to view logfiles since I'm in xorpsh. 2008/1/28, Justin Fletcher [EMAIL PROTECTED]: Anything untoward in the log files? Justin On Jan 28, 2008 7:29 AM, Jostein Martinsen-Jones [EMAIL PROTECTED] wrote: Today I had a weird experience with Vyatta. I was unable to login on any account. Did a reboot, then everything was normal. What is going on? ___ Vyatta-users mailing list Vyatta-users@mailman.vyatta.com http://mailman.vyatta.com/mailman/listinfo/vyatta-users
Re: [Vyatta-users] Unable to login, solved by reboot
Personally, I'd use it to take advantage of major changes and fixes, and I'm running it to access all 40 lab systems - but that's me :-) It still needs more polish, and there's a good chance you'll find things that aren't perfect (or maybe even a bug or two), and you'll have to re-enter and/or substantially modify your existing configuration. If you want to be cautious and prudent, review the bugs in the bug list, and try it on a backup system. Best, Justin On Jan 30, 2008 3:06 PM, Jostein Martinsen-Jones [EMAIL PROTECTED] wrote: How production ready is Glendale? I'm using Vyatta as router/firewall in front of a couple of servers that soon will go live... Since it's alpha, do you think I should do it? Just printed the whole manual... 2008/1/30, Justin Fletcher [EMAIL PROTECTED]: Maybe . . . However, much of this has been resolved with associated changes in Glendale. Give Alpha 1 a try - I doubt you'll see it there :-) Best, Justin On Jan 30, 2008 12:43 PM, Jostein Martinsen-Jones [EMAIL PROTECTED] wrote: But I feel that the only reason I didn't have to reboot is luck :( Maybe next time I'm unable to login with any account? 2008/1/30, Justin Fletcher [EMAIL PROTECTED]: As you can see, nothing jumps out in the log. A detailed search may turn up more information; otherwise, at least you've got a work-around :-) Justin On Jan 29, 2008 2:48 PM, Jostein Martinsen-Jones [EMAIL PROTECTED] wrote: Log result attached. I managed to login if I changed the passwords for my troubled users. Sometimes the encrypted-password didn't get encrypted. 2008/1/29, Justin Fletcher [EMAIL PROTECTED]: Give show log | match ERROR a try. Justin On Jan 29, 2008 2:00 PM, Jostein Martinsen-Jones [EMAIL PROTECTED] wrote: I have this problem again. Now I was able to login to a user account I created, but unable to view logfiles since I'm in xorpsh. 2008/1/28, Justin Fletcher [EMAIL PROTECTED]: Anything untoward in the log files? Justin On Jan 28, 2008 7:29 AM, Jostein Martinsen-Jones [EMAIL PROTECTED] wrote: Today I had a weird experience with Vyatta. I was unable to login on any account. Did a reboot, then everything was normal. What is going on? ___ Vyatta-users mailing list Vyatta-users@mailman.vyatta.com http://mailman.vyatta.com/mailman/listinfo/vyatta-users
Re: [Vyatta-users] glendale problems my 1st view
5. any help on the CLI regardless of level shows bash options vs. the Vyatta engine options (confusing to say the least). If you're logged in as root, you'll get Unix commands listed as well as Vyatta commands during tab completion/help. However, if you're an admin level user, you'll just see the Vyatta command set. You can still issue Unix commands; you'll just need to enter them directly. Justin ___ Vyatta-users mailing list Vyatta-users@mailman.vyatta.com http://mailman.vyatta.com/mailman/listinfo/vyatta-users
Re: [Vyatta-users] Starting to get really frustrated... GRRR :D
Here's what I use to port-forward ssh; just adjust for address (where destination address is the public IP) and change it to http.
rule 2 {
    type: destination
    inbound-interface: eth0
    protocols: tcp
    source {
        network: 0.0.0.0/0
    }
    destination {
        address: 1.2.3.4
        port-name ssh
    }
    inside-address {
        address: 10.0.0.30
    }
}
Best, Justin On Jan 29, 2008 7:46 AM, Nathan McBride [EMAIL PROTECTED] wrote: Can someone please help me get this worked out? Nate Ok, these are my NAT rules now. I didn't see a command to change the rule numbers so I just redid them all by hand. It still doesn't work.
rule 1 {
    type: destination
    inbound-interface: eth0
    protocols: tcp
    destination {
        address: 71.62.193.105
        port-name http
    }
    inside-address {
        address: 192.168.0.105
    }
}
rule 2 {
    type: masquerade
    outbound-interface: eth0
    protocols: all
    source {
        network: 192.168.0.0/24
    }
    destination {
        network: 0.0.0.0/0
    }
}
rule 3 {
    type: masquerade
    outbound-interface: eth0
    protocols: all
    source {
        network: 192.168.1.0/24
    }
    destination {
        network: 0.0.0.0/0
    }
}
Nate On Mon, 2008-01-28 at 21:39 -0800, An-Cheng Huang wrote: Hi Nate, The inside-address is the internal (private) IP address of your Web server, which in your case is 192.168.0.105. The destination address should actually be the public IP address that outside clients will use to access your server, so usually this is the public IP address of your router. An-Cheng Nathan McBride wrote: I went and looked at the old docs. I thought I set them up correctly but apparently I didn't. All I'm trying to do is to get people on the internet to view the website on my comp (192.168.0.105). The only difference that I noticed when I tried to commit the example in the old docs was that VC3 requires an 'inside-address'. Could someone please help me correct this to get it working?
rule 3 {
    type: destination
    inbound-interface: eth0
    protocols: tcp
    destination {
        address: 192.168.0.105
        port-name http
    }
    inside-address {
        address: 192.168.0.105 -- didn't know what to put here exactly...
    }
}
___ Vyatta-users mailing list Vyatta-users@mailman.vyatta.com http://mailman.vyatta.com/mailman/listinfo/vyatta-users
Re: [Vyatta-users] Weird Routing problem on VC2
Personally, I'd try Alpha 1. It'll need more polishing and features to add (which is why it's an alpha) but there are major improvements with the routing protocols. Check the Glendale bug list, and see if you'd be affected by any of these first (like no GUI yet). Also note that your existing configuration won't be preserved on ISO install, which means you'll have to re-enter it, and there have been major changes to CLI syntax - even to how you configure an interface (from address prefix-length CML to address/CML). However, VPN, firewall, NAT, clustering, and serial commands should be the same, so you CAN copy an old configuration back and edit it - it's just that there will be a lot of iterations of loading the configuration to identify and adjust configuration changes. Justin On Jan 28, 2008 7:08 PM, Daren Tay [EMAIL PROTECTED] wrote: Hi Justin, embarrassingly so man... haha. So there are issues with routing after link failures huh.. yep.. we are looking to upgrade to VC3 once the new box is in... but to use Alpha 1? Is it advisable? It will be for production use. I need to use the router to handle 2 different WAN connections for 2 separate NAT networks. Daren -Original Message- From: Justin Fletcher [mailto:[EMAIL PROTECTED] Sent: Tuesday, January 29, 2008 12:18 AM To: Daren Tay Cc: Robert Bays; Vyatta-users@mailman.vyatta.com Subject: Re: [Vyatta-users] Weird Routing problem on VC2 Glad you got that figured out - many pieces in play! Yes, there have been issues with the routing protocols with link failure; a search in the bug database will turn up a number of issues. I'd strongly suggest that you look into upgrading to VC3 and check out Glendale Alpha 1. Best, Justin On Jan 27, 2008 7:03 PM, Daren Tay [EMAIL PROTECTED] wrote: Hi all, finally resolved the 1st problem (cannot detect newly inserted web machine): it ended up being a change in the firewall config that caused the situation... 
my guys changed it without informing me but still, many apologies for the false alarm. My bad. Secondly though, the problem still stands. When I unplug the network cables from the router and insert them back in, everything fails.. the router will fail to route. I will need to reset the server for it to work again. For now, we are waiting for a new box to arrive before using VC2.2 and hopefully that resolves the issues, but I wonder if it is a bug.. or a badly configured option somewhere? Is this the arp cache you are talking about?
router:~# arp
Address HWtype HWaddress Flags Mask Iface
gateway ip ether 00:0C:DB:2B:AB:68 C eth0
192.168.3.1 ether 00:1B:0C:30:B4:80 C eth1
Thanks for your patience guys :) Daren -Original Message- From: Robert Bays [mailto:[EMAIL PROTECTED] Sent: Monday, January 28, 2008 9:32 AM To: Daren Tay Cc: Justin Fletcher; Vyatta-users@mailman.vyatta.com Subject: Re: [Vyatta-users] Weird Routing problem on VC2 Daren, Sounds like the router still can't find the new host. What does your arp cache say for 192.168.1.13 after you try to ping it? What does your routing table look like? cheers, robert. Daren Tay wrote: Nope, it was 'pingable' before. I can still ping the other web servers connected to it... but the newly added one I can't. Yet I am able to route out to the public network from the new box... -Original Message- From: Justin Fletcher [mailto:[EMAIL PROTECTED] Sent: Friday, January 25, 2008 3:16 PM To: Daren Tay Cc: Vyatta-users@mailman.vyatta.com Subject: Re: [Vyatta-users] Weird Routing problem on VC2 Does the load balancer have ICMP disabled? That'd certainly explain that, unless you were able to ping it before -- Since you have the load balancer between the router, I suspect it's a load balancer issue. You can see what's going on by running tshark/tcpdump on the interface, and see what's on the wire. 
If you can examine the traffic between the load balancer and the servers, you'll learn more :-) Justin On Jan 24, 2008 10:40 PM, Daren Tay [EMAIL PROTECTED] wrote: Hi guys, anyone? Thanks, Daren -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Daren Tay Sent: Wednesday, January 23, 2008 6:29 PM To: Vyatta-users@mailman.vyatta.com Subject: [Vyatta-users] Weird Routing problem on VC2 Hi guys I have this queer problem. My setup with Vyatta is like this Internet --- Firewall --- Vyatta Router --- Load Balancer 03 x Web Servers | | staging server As you can see, the router seats in front of the load balancer. First... generally whenever
Re: [Vyatta-users] Firewall: block internal telnet
See the Vyatta docs at http://www.vyatta.com/documentation/index.php; there are examples in the firewall chapters. Best, Justin On Jan 29, 2008 12:17 PM, Go Wow [EMAIL PROTECTED] wrote: Okay, thanks for the replies. People, help with this please: how can I block ssh on the router, i.e. 192.168.10.45, using the firewall? I want to give access to ssh to say only ip xxx.xxx.xxx.xxx On 30/01/2008, Beau Walker [EMAIL PROTECTED] wrote: You'll want to ask the List that. I could only answer your last question because the answer wasn't specific to Vyatta. Beau Walker - CCNA, Linux+ From: Go Wow [mailto:[EMAIL PROTECTED] Sent: Tuesday, January 29, 2008 3:10 PM To: Beau Walker Subject: Re: [Vyatta-users] Firewall: block internal telnet Okay, how can I block ssh on the router, i.e. 192.168.10.45, using the firewall? I want to give access to ssh to say only ip xxx.xxx.xxx.xxx -- Those that make the rule don't play the game!! ___ Vyatta-users mailing list Vyatta-users@mailman.vyatta.com http://mailman.vyatta.com/mailman/listinfo/vyatta-users
Re: [Vyatta-users] Unable to login, solved by reboot
Give show log | match ERROR a try. Justin On Jan 29, 2008 2:00 PM, Jostein Martinsen-Jones [EMAIL PROTECTED] wrote: I have this problem again. Now I was able to login to a user account I created, but unable to view logfiles since I'm in xorpsh. 2008/1/28, Justin Fletcher [EMAIL PROTECTED]: Anything untoward in the log files? Justin On Jan 28, 2008 7:29 AM, Jostein Martinsen-Jones [EMAIL PROTECTED] wrote: Today I had a weird experience with Vyatta. I was unable to login on any account. Did a reboot, then everything was normal. What is going on? ___ Vyatta-users mailing list Vyatta-users@mailman.vyatta.com http://mailman.vyatta.com/mailman/listinfo/vyatta-users
Re: [Vyatta-users] E-mail only
You'll find good firewall documentation and examples at http://www.vyatta.com/documentation/index.php. Best, Justin On Jan 27, 2008 10:38 PM, Erwin kobe Tolentino [EMAIL PROTECTED] wrote: I want to set up my Vyatta as a router and firewall. I already configured the Vyatta router, but I want to control the internet in my LAN. I want to configure it as email only!!! like OUTLOOK EXPRESS. Anyone can help me!! My configuration is this:
interfaces ethernet eth0 address 192.168.100.11 prefix-length 24
ethernet eth1 address 10.10.10.1 prefix-length 24
firewall name fwall
nat rule 1 type masquerade outbound-interface eth0 protocol all
firewall name fwall action accept destination network 10.10.10.0/24
___ Vyatta-users mailing list Vyatta-users@mailman.vyatta.com http://mailman.vyatta.com/mailman/listinfo/vyatta-users
Re: [Vyatta-users] Firewall question.
You shouldn't need the out rule; until a firewall is applied, everything is accepted. However, the simple rule is protocol any action accept. That should do it if you want to be thorough :-) Justin On Jan 28, 2008 7:28 AM, Nathan McBride [EMAIL PROTECTED] wrote: Hey guys, I just installed Vyatta and have it working. (big step for me) But I'm having some trouble. I first wanted to know if I should make the firewall using Vyatta's commands or just iptables? I tried iptables and it didn't seem to work. I added a rule to allow ssh but ssh couldn't go through. So then I made one in Vyatta. Denied ping, enabled ssh, then applied it to the WAN interface. Well, that killed all network traffic, so looking through the manual I saw that when I applied the IN rule for the interface I guess the out rule automatically got a deny everything since I didn't apply a rule to it. So, I needed to add a related and established rule to the in for the WAN interface. I did (this is from memory):
set firewall name eth0-in rule 1 action accept
set firewall name eth0-in rule 1 state established enable
set firewall name eth0-in rule 1 state related enable
Then I was going to commit this but commit gave an error saying that protocol needed to be icmp. Once I had set that it errored saying protocol needed to be tcp... I'm really confused but I need to get a firewall up. Once this is done I was going to make a rule for out on the WAN interface to allow everything to go out. Is there a simple rule for this? Thanks, Nate ___ Vyatta-users mailing list Vyatta-users@mailman.vyatta.com http://mailman.vyatta.com/mailman/listinfo/vyatta-users
Re: [Vyatta-users] Does vyatta read all iptables rules ?
It'll just work the other way, to translate the Vyatta CLI into iptables. It's not the other direction (but if you'd like to write a translator, I'm sure it'd be appreciated!) Justin On Jan 28, 2008 1:44 PM, Go Wow [EMAIL PROTECTED] wrote: Hey, I want to create a rule with iptables. I want to know, if I create a rule in the root shell (not the Vyatta shell) using the iptables command (of course lol), does Vyatta read it and add it to its service nat rules? ___ Vyatta-users mailing list Vyatta-users@mailman.vyatta.com http://mailman.vyatta.com/mailman/listinfo/vyatta-users
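Justin's point that the translation only runs one way, from the Vyatta CLI into iptables, and An-Cheng's correction in the port-forwarding thread (the destination address must be the public address clients connect to, not the inside host) can both be made concrete with a small one-way translator. The following is an added example written for this page, not Vyatta's own generator: the exact iptables commands Vyatta emits are not shown anywhere on the page, `PORT_NAMES` is a stand-in for /etc/services, the `port-number` key is an assumed spelling for numeric ports, and the rule dicts mirror the `type: destination` and `type: masquerade` rules posted above.

```python
"""One-way translation of Vyatta-style NAT rules into iptables commands, with a
sanity check for the port-forwarding mistake discussed on the list. Added
example; the command forms are plain iptables, not what Vyatta itself emits."""
import ipaddress

PORT_NAMES = {"ssh": 22, "http": 80, "https": 443}  # stand-in for /etc/services


def _port(spec):
    """Resolve `port-name`; `port-number` is an assumed key for numeric ports."""
    if "port-name" in spec:
        return PORT_NAMES[spec["port-name"]]
    if "port-number" in spec:
        return int(spec["port-number"])
    return None


def check(rule):
    """Problems a destination-NAT rule has before it is worth translating.
    The private-address test assumes the inbound interface holds a public IP."""
    problems = []
    if rule.get("type") != "destination":
        return problems
    dst = rule.get("destination", {}).get("address")
    inside = rule.get("inside-address", {}).get("address")
    if dst is None:
        problems.append("destination address missing")
    elif ipaddress.ip_address(dst).is_private:
        problems.append(f"destination address {dst} is private; use the public "
                        "address clients connect to")
    if inside is None:
        problems.append("inside-address missing")
    if dst is not None and dst == inside:
        problems.append("destination equals inside-address; nothing is translated")
    if _port(rule.get("destination", {})) is not None and rule.get("protocols", "all") == "all":
        problems.append("a port match needs protocols tcp or udp")
    return problems


def to_iptables(num, rule):
    """Return the iptables command for one rule, or raise ValueError."""
    problems = check(rule)
    if problems:
        raise ValueError(f"rule {num}: " + "; ".join(problems))
    proto = rule.get("protocols", "all")
    src = rule.get("source", {}).get("network")
    args = ["iptables", "-t", "nat"]
    if rule["type"] == "destination":
        args += ["-A", "PREROUTING", "-i", rule["inbound-interface"]]
    elif rule["type"] == "masquerade":
        args += ["-A", "POSTROUTING", "-o", rule["outbound-interface"]]
    else:
        raise ValueError(f"rule {num}: unsupported type {rule['type']!r}")
    if src and src != "0.0.0.0/0":          # 0.0.0.0/0 matches everything anyway
        args += ["-s", src]
    if proto != "all":
        args += ["-p", proto]
    if rule["type"] == "destination":
        dst = rule["destination"]
        args += ["-d", dst["address"]]
        port = _port(dst)
        if port is not None:
            args += ["--dport", str(port)]
        args += ["-j", "DNAT", "--to-destination", rule["inside-address"]["address"]]
    else:
        dst_net = rule.get("destination", {}).get("network")
        if dst_net and dst_net != "0.0.0.0/0":
            args += ["-d", dst_net]
        args += ["-j", "MASQUERADE"]
    return " ".join(args)


# Rules from the port-forwarding thread, as dicts mirroring the posted text.
RULE_SSH = {"type": "destination", "inbound-interface": "eth0", "protocols": "tcp",
            "source": {"network": "0.0.0.0/0"},
            "destination": {"address": "1.2.3.4", "port-name": "ssh"},
            "inside-address": {"address": "10.0.0.30"}}
RULE_MASQ = {"type": "masquerade", "outbound-interface": "eth0", "protocols": "all",
             "source": {"network": "192.168.0.0/24"},
             "destination": {"network": "0.0.0.0/0"}}
RULE_BAD = {"type": "destination", "inbound-interface": "eth0", "protocols": "tcp",
            "destination": {"address": "192.168.0.105", "port-name": "http"},
            "inside-address": {"address": "192.168.0.105"}}

if __name__ == "__main__":
    print(to_iptables(2, RULE_SSH))
    print(to_iptables(3, RULE_MASQ))
    print(check(RULE_BAD))
```

`RULE_BAD` is Nate's first attempt: `check` rejects it on two counts (private destination, destination identical to the inside host) before any command is built. Two things the translator deliberately leaves out: the DNAT entry only rewrites the destination, so the forwarded packets still have to be accepted by whatever firewall is applied to the interface; and, as Justin says, nothing here reads iptables back into the Vyatta configuration, so rules added by hand in the root shell stay invisible to it.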
Re: [Vyatta-users] VPN: clients to router configuration
Set up another site-to-site tunnel with the peer as 0.0.0.0; that'll allow anyone to connect that's authenticated. You'll then need to set up your clients to connect using IPsec. Justin On Jan 27, 2008 9:42 AM, Jostein Martinsen-Jones [EMAIL PROTECTED] wrote: Ok, I have a site-to-site up and running between my Vyatta and a Netgear FVS338 VPN/Firewall box. I also have several road warriors that need access to a LAN behind the Netgear box, so I want them to connect to the Vyatta router (because it's too hard to make a client connect to the Netgear box). I think this is like a hub and spoke setup. I am not using Glendale. 2008/1/27, Justin Fletcher [EMAIL PROTECTED]: A few questions - are you terminating the VPN on the Vyatta router? Is it site-to-site, or are you running Glendale alpha and trying out the remote access VPN? Or is the VPN a separate system? If it's site-to-site, just set up an Openswan connection. If it's remote access, see http://stuff.pulkes.org/l2tp/ as an option. Otherwise, the Vyatta router should just forward traffic -- Best, Justin On Jan 27, 2008 7:56 AM, Jostein Martinsen-Jones [EMAIL PROTECTED] wrote: Hi all, I am looking for information on how to set up my Vyatta router so clients using Linux can get access to our VPN. Any help is appreciated! ___ Vyatta-users mailing list Vyatta-users@mailman.vyatta.com http://mailman.vyatta.com/mailman/listinfo/vyatta-users
Re: [Vyatta-users] DHCP
What are the destination addresses that are being forwarded? Broadcasts shouldn't be forwarded, but the router needs to know that they're broadcast addresses. It'll only recognize 10.1.255.255 and 10.2.255.255 as broadcast addresses. If a system is sending requests to, say, 10.1.12.255 where a system is set up as a /24, that address is recognized as a perfectly valid address and will be forwarded. Justin On Jan 22, 2008 1:01 PM, [EMAIL PROTECTED] wrote: I've set up a very basic router with only two interfaces: eth0 is my 10.1.0.0 subnet and eth1 is my 10.2.0.0 subnet. The router's default gateway is my Internet router. The subnets are in different buildings on our campus connected via a wireless link. I use them mainly in conjunction with Windows Server 2003 sites to control replication of the Active Directory and the Distributed File System set up for user home folders. Internet access, internal routing between my two subnets, and replication of the AD and DFS work fine. My problem is that DHCP request broadcasts are being forwarded to the 10.2.0.0 subnet from the 10.1.0.0 subnet. Each subnet has its own DHCP server (implemented on 2003 machines, not the router). Hosts that should receive 10.1.x.x addresses are receiving 10.2.x.x addresses. DHCP forwarding is not configured on the router. My understanding from the documentation is that the router should automatically block broadcasts. I would appreciate any help in discovering what I'm missing. Below is my configuration. 
Thanks, Robert protocols { } policy { } interfaces { restore: false loopback lo { description: } ethernet eth0 { disable: false discard: false description: hw-id: 00:d0:b7:92:50:b7 duplex: auto speed: auto address 10.1.0.253 { prefix-length: 16 disable: false } } ethernet eth1 { disable: false discard: false description: hw-id: 00:d0:b7:92:9a:ab duplex: auto speed: auto address 10.2.0.1 { prefix-length: 16 disable: false } } } service { webgui { http-port: 80 https-port: 443 } } firewall { log-martians: enable send-redirects: disable receive-redirects: disable ip-src-route: disable broadcast-ping: disable syn-cookies: enable } system { host-name: HSRouter domain-name: name-server 206.54.112.1 time-zone: Denver ntp-server 69.59.150.135 gateway-address: 10.1.0.254 login { user root { full-name: authentication { encrypted-password: $1$$Ht7gBYnxI1xCdO/JOnodh. } } user vyatta { full-name: authentication { encrypted-password: $1$$Ht7gBYnxI1xCdO/JOnodh. } } } package { auto-sync: 1 repository community { component: main url: http://archive.vyatta.com/vyatta; } } } ___ Vyatta-users mailing list Vyatta-users@mailman.vyatta.com http://mailman.vyatta.com/mailman/listinfo/vyatta-users ___ Vyatta-users mailing list Vyatta-users@mailman.vyatta.com http://mailman.vyatta.com/mailman/listinfo/vyatta-users
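As an added illustration of Justin's point (this is not code from the thread), the script below models how the router classifies a destination address given the two /16 interfaces in Robert's configuration, and shows why a host configured as a /24 sends its DHCP request to a directed broadcast (10.1.12.255) that the router treats as an ordinary host address. The host addresses used are constructed.

```python
"""Added example (not from the mailing list): model the router's view of
broadcast vs. host addresses for the DHCP thread.

Router interfaces come from Robert's posted configuration
(eth0 10.1.0.253/16, eth1 10.2.0.1/16); host addresses are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

LIMITED_BROADCAST = ipaddress.IPv4Address("255.255.255.255")


@dataclass(frozen=True)
class Interface:
    name: str
    cidr: str  # address/prefix-length exactly as configured on the router

    @property
    def network(self) -> ipaddress.IPv4Network:
        return ipaddress.IPv4Interface(self.cidr).network


ROUTER = (Interface("eth0", "10.1.0.253/16"), Interface("eth1", "10.2.0.1/16"))


def router_view(dst: str, interfaces=ROUTER) -> Tuple[str, Optional[str]]:
    """Classify a destination the way the router does.

    ("broadcast", iface): limited broadcast or an interface's directed
    broadcast; never forwarded.  ("connected", iface): a plain host address
    on a directly connected network.  ("routed", None): anything else, which
    is looked up in the routing table and forwarded.
    """
    ip = ipaddress.IPv4Address(dst)
    if ip == LIMITED_BROADCAST:
        return ("broadcast", None)
    for iface in interfaces:
        if ip == iface.network.broadcast_address:
            return ("broadcast", iface.name)
    for iface in interfaces:
        if ip in iface.network:
            return ("connected", iface.name)
    return ("routed", None)


def host_broadcast(host_cidr: str) -> str:
    """The directed-broadcast address a host derives from its own address/mask."""
    return str(ipaddress.IPv4Interface(host_cidr).network.broadcast_address)


def mask_mismatch(host_cidr: str, interfaces=ROUTER) -> dict:
    """Compare a host's idea of its broadcast address with the router's.

    A host on 10.1.12.0/24 broadcasts to 10.1.12.255; the router, with eth0
    as a /16, sees that as a valid host address on eth0 rather than as a
    broadcast, which is the case Justin describes.
    """
    host_if = ipaddress.IPv4Interface(host_cidr)
    bcast = host_if.network.broadcast_address
    kind, _ = router_view(str(bcast), interfaces)
    # The interface whose network actually contains this host (if any).
    home = next((i for i in interfaces if host_if.ip in i.network), None)
    return {
        "host": str(host_if.ip),
        "host_broadcast": str(bcast),
        "router_view": kind,
        "recognised_by_router": kind == "broadcast",
        "expected_prefix": home.network.prefixlen if home else None,
        "mask_matches_router": home is not None
        and host_if.network.prefixlen == home.network.prefixlen,
    }


def audit_hosts(host_cidrs: Iterable[str], interfaces=ROUTER) -> List[str]:
    """Return the hosts whose broadcast address the router would not recognise."""
    return [h for h in host_cidrs
            if not mask_mismatch(h, interfaces)["recognised_by_router"]]


if __name__ == "__main__":
    # Constructed hosts: one using the router's /16, one misconfigured as /24.
    for h in ("10.1.12.7/16", "10.1.12.7/24"):
        print(h, mask_mismatch(h))
```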
Re: [Vyatta-users] Emergency Config paste? How do you prepare?
There are a couple of choices. You can copy your configuration using scp (it's /opt/vyatta/etc/config/config.boot) to another server. From a blank slate/system, all you need to do is to configure an interface and a default gateway, scp the configuration back, and load the restored configuration.

You can also use ZipTie for configuration management; see http://www.ziptie.org.

Justin

On Jan 18, 2008 10:07 AM, [EMAIL PROTECTED] wrote:

All,

Coming from a Cisco world, I could copy the config file to a tftp server and once I have 1 interface open-- I could essentially paste in everything on a blank router (or com port). This is helpful when I had to replace a failing router with a backup one mid-day. How would I do the same with Vyatta? I was thinking if I could SCP the config file and make it the config.boot file, I could just do a reboot and it would all come back? Perhaps I'm a little confused on essentially doing a big 'paste' of all the configs, particularly the firewall rules.

If anyone else has some good backup strategies on Vyatta router configs, please share-- I'm a little new at this one.

Thanks in advance, Aaron
Re: [Vyatta-users] RFC 1918 Private IP addresses
You'll want to create a firewall rule. By default, a router just forwards the traffic it's sent (assuming it can find a route to use for forwarding . . .)

Best, Justin

On Jan 17, 2008 11:39 AM, Ben Speckien [EMAIL PROTECTED] wrote:

I am using Vyatta as a gateway to the internet and have noticed that it passes un-NATed private addresses out the public interface. Is there a way to turn this feature off or should I make a firewall rule?

Thanks, Ben
Re: [Vyatta-users] Waiting for xorp_rtrmgr...
You'll also want to edit /etc/syslog.conf and change *.warning to *.* to record all log messages; otherwise, lower-level messages will be discarded. You can check startup by hand by running /etc/init.d/vyatta-rtrmgr start, which will save you the physical reboot --

Justin

On Jan 17, 2008 12:54 PM, Marat Nepomnyashy [EMAIL PROTECTED] wrote:

Hi Shane,

Most likely the rtrmgr did not start. The best log file to check when that happens is '/var/log/messages'. Which Vyatta version are you using?

Thanks, Marat

----- Original Message -----
From: Shane McKinley [EMAIL PROTECTED]
To: vyatta-users@mailman.vyatta.com
Sent: Thursday, January 17, 2008 12:51 PM
Subject: [Vyatta-users] Waiting for xorp_rtrmgr...

After entering some static routes and changing some subnetting around I rebooted. Now the rtrmgr won't start -- the commit took fine before I rebooted. Is there a way I can pull the proper error messages to troubleshoot this problem? What log files would be best to look at? Any more ideas on why this would happen? I really am dedicated to getting this router into production, but the odds seem against me this round.

Thanks,
Shane McKinley
Habersham EMC
Tel: 706-839-4130
Cel: 706-968-3186
Re: [Vyatta-users] Waiting for xorp_rtrmgr...
Are they all assigned to a system that's on a network that's directly connected to the router?

On Jan 17, 2008 3:59 PM, Shane McKinley [EMAIL PROTECTED] wrote:

None of these next-hop addresses are assigned to an interface on the router.

Shane

-----Original Message-----
From: Justin Fletcher [mailto:[EMAIL PROTECTED]]
Sent: Thu 1/17/2008 6:46 PM
To: Shane McKinley
Cc: vyatta-users@mailman.vyatta.com
Subject: Re: [Vyatta-users] Waiting for xorp_rtrmgr...

Are the next hops directly connected? There was an issue with recursive route lookup --

On Jan 17, 2008 2:56 PM, Shane McKinley [EMAIL PROTECTED] wrote:

I have found the static routes causing the issue:

    route XZ.85.142.64/26 {
        next-hop: XX.128.129.18
        metric: 1
    }
    route XX.128.136.216/29 {
        next-hop: XZ.85.140.254
        metric: 1
    }
    route XX.128.140.16/29 {
        next-hop: XX.128.140.26
        metric: 1
    }

Now, the question is why? How can I dig further to find out why these are causing the rtrmgr to crash?

Shane McKinley
Habersham EMC

-----Original Message-----
From: Dave Roberts [mailto:[EMAIL PROTECTED]]
Sent: Thursday, January 17, 2008 5:16 PM
To: Shane McKinley; vyatta-users@mailman.vyatta.com
Subject: RE: [Vyatta-users] Waiting for xorp_rtrmgr...

(SIDE NOTE: (No offense meant) Why should changing interface notations and static routes cause anything to crash?)

It shouldn't. That's one of the big things we're fixing in Glendale. The Routermanager process did not handle errors well at all. It has been eliminated entirely in Glendale.

-- Dave
Re: [Vyatta-users] Waiting for xorp_rtrmgr...
Are the next hops directly connected? There was an issue with recursive route lookup --

On Jan 17, 2008 2:56 PM, Shane McKinley [EMAIL PROTECTED] wrote:

I have found the static routes causing the issue:

    route XZ.85.142.64/26 {
        next-hop: XX.128.129.18
        metric: 1
    }
    route XX.128.136.216/29 {
        next-hop: XZ.85.140.254
        metric: 1
    }
    route XX.128.140.16/29 {
        next-hop: XX.128.140.26
        metric: 1
    }

Now, the question is why? How can I dig further to find out why these are causing the rtrmgr to crash?

Shane McKinley
Habersham EMC

-----Original Message-----
From: Dave Roberts [mailto:[EMAIL PROTECTED]]
Sent: Thursday, January 17, 2008 5:16 PM
To: Shane McKinley; vyatta-users@mailman.vyatta.com
Subject: RE: [Vyatta-users] Waiting for xorp_rtrmgr...

(SIDE NOTE: (No offense meant) Why should changing interface notations and static routes cause anything to crash?)

It shouldn't. That's one of the big things we're fixing in Glendale. The Routermanager process did not handle errors well at all. It has been eliminated entirely in Glendale.

-- Dave
Re: [Vyatta-users] vmware server and live CD
Can you provide just a bit more information?

Justin

On Jan 17, 2008 4:41 PM, Rick Mitchell [EMAIL PROTECTED] wrote:

I cannot get the live CD to successfully boot up; it tries to but fails. Any suggestions?

-- Rick Mitchell
Re: [Vyatta-users] Waiting for xorp_rtrmgr...
I think you've hit bug 2390: "RIB: xorp_rib crashed after a static route with a nextop through an unxisted interface or a route being configured and committed". See https://bugzilla.vyatta.com/show_bug.cgi?id=2390 ; it's fixed in the supported version.

Best, Justin

On Jan 17, 2008 5:19 PM, Shane McKinley [EMAIL PROTECTED] wrote:

#1 - No, but I do have a static interface-route with XX.128.128.0/20 - the actual interface is XX.128.128.0/24 -- the reason I have this is for proper BGP exporting

#2 - Invalid, my mistake

#3 - Ditto to #1

My interface-routes are last on my static routes list in the config -- could this be the issue?

-Shane

Are they all assigned to a system that's on a network that's directly connected to the router?

On Jan 17, 2008 3:59 PM, Shane McKinley [EMAIL PROTECTED] wrote:

None of these next-hop addresses are assigned to an interface on the router.

Shane

-----Original Message-----
From: Justin Fletcher [mailto:[EMAIL PROTECTED]]
Sent: Thu 1/17/2008 6:46 PM
To: Shane McKinley
Cc: vyatta-users@mailman.vyatta.com
Subject: Re: [Vyatta-users] Waiting for xorp_rtrmgr...

Are the next hops directly connected? There was an issue with recursive route lookup --

On Jan 17, 2008 2:56 PM, Shane McKinley [EMAIL PROTECTED] wrote:

I have found the static routes causing the issue:

    route XZ.85.142.64/26 {
        next-hop: XX.128.129.18
        metric: 1
    }
    route XX.128.136.216/29 {
        next-hop: XZ.85.140.254
        metric: 1
    }
    route XX.128.140.16/29 {
        next-hop: XX.128.140.26
        metric: 1
    }

Now, the question is why? How can I dig further to find out why these are causing the rtrmgr to crash?

Shane McKinley
Habersham EMC

-----Original Message-----
From: Dave Roberts [mailto:[EMAIL PROTECTED]]
Sent: Thursday, January 17, 2008 5:16 PM
To: Shane McKinley; vyatta-users@mailman.vyatta.com
Subject: RE: [Vyatta-users] Waiting for xorp_rtrmgr...

(SIDE NOTE: (No offense meant) Why should changing interface notations and static routes cause anything to crash?)

It shouldn't. That's one of the big things we're fixing in Glendale. The Routermanager process did not handle errors well at all. It has been eliminated entirely in Glendale.

-- Dave
Re: [Vyatta-users] Network ports Compatibility issue for Vyatta? to install in production box for router use
No, no known issues with the cards, and six ports should be fine. I've got that many ports in production :-)

Justin

On Jan 10, 2008 2:22 AM, Daren Tay [EMAIL PROTECTED] wrote:

Hi guys, just wanna check if there's any known issues for the following network cards with Vyatta: Intel PRO/1000 PT dual-port gigabit ethernet PCIe x4 card. I am planning to install 2 of that in the server (Dell PowerEdge) to get a 6 port setup. Also, is it ok I install so many?

I am planning to use Vyatta as a production router for our new infrastructure... all the way man. Planning to get a simple Dell PowerEdge and pump it with adequate network ports to handle 2 different subnets and firewall. What do you guys think?

Thanks!
Daren
Re: [Vyatta-users] Disable forwarding of broadcast directed packets
It's disabled, and the current best practices have had it set this way for quite a while. See ftp://ftp.rfc-editor.org/in-notes/rfc2644.txt if you really want the details :-)

Best, Justin

On Jan 10, 2008 1:27 PM, Shane McKinley [EMAIL PROTECTED] wrote:

Is broadcast forwarding disabled by default on Vyatta? If not, is there a way I can disable forwarding of broadcast packets on my Vyatta v3 router?

Thanks,
Shane McKinley
Habersham EMC
Re: [Vyatta-users] Fwd: A question on exporting connected routes intoOSPF
And, of course, routes you add outside of the CLI aren't known to XORP. If you add the route using protocol static you can then redistribute via OSPF.

Justin

On Jan 8, 2008 11:57 AM, Jonathon Exley [EMAIL PROTECTED] wrote:

I have also had problems exporting connected routes into OSPF. Try adding static routes into the export policy:

    [EMAIL PROTECTED] show configuration policy policy-statement ExportCon
    term 10 {
        from {
            protocol: connected
        }
        then {
            action: accept
        }
    }
    term 20 {
        from {
            protocol: static
        }
        then {
            action: accept
        }
    }

This seemed to allow the connected interfaces into the OSPF database, although they were tagged with ASExt-2:

    [EMAIL PROTECTED] show ospf4 database
    OSPF link state database, Area 0.0.0.0
    Type     ID             Adv Rtr         Seq     Age  Opt  Cksum   Len
    ASExt-2  *192.168.2.0   192.168.101.1   0x8001  790  0x2  0x4354  36

Jonathon
Re: [Vyatta-users] Commit Error
When all else fails, reboot the router when you can and try again.

Best, Justin

On Jan 4, 2008 7:51 PM, Clint Chapman [EMAIL PROTECTED] wrote:

    [EMAIL PROTECTED] configure
    Entering configuration mode.
    User vyatta is also in configuration mode.
    [EMAIL PROTECTED] set protocols bgp
    [edit]
    [EMAIL PROTECTED] set protocols bgp bgp-id 216.6.235.1
    [edit]
    [EMAIL PROTECTED] set protocols bgp local-as 15003
    [edit]
    [EMAIL PROTECTED] set protocols bgp peer 72.37.132.237
    [edit]
    [EMAIL PROTECTED] set protocols bgp peer 72.37.132.237 local-ip 72.37.132.238
    [edit]
    [EMAIL PROTECTED] set protocols bgp peer 72.37.132.237 as 25973
    [edit]
    [EMAIL PROTECTED] set protocols bgp peer 72.37.132.237 next-hop 72.37.132.238
    [edit]
    [EMAIL PROTECTED] set protocols bgp peer 72.37.132.237 disable-readvertisements true
    [edit]
    [EMAIL PROTECTED] commit
    [edit]
    Commit Failed
    102 Command failed
    [EMAIL PROTECTED]

    Jan 5 11:59:45 localhost xorp_bgp: [ 2008/01/05 11:59:45 WARNING xorp_bgp:6490 BGP +1054 /home/autobuild/builds/OFR/2007-11-17-0001/ofr/xorp/xorp/bgp/bgp.cc create_peer ] This peer already exists: {72.37.132.238(179) 72.37.132.237(179)} AS/25973
    Jan 5 11:59:45 localhost xorp_bgp: [ 2008/01/05 11:59:45 WARNING xorp_bgp:6490 XrlBgpTarget +552 xrl/targets/bgp_base.cc handle_bgp_0_2_add_peer ] Handling method for bgp/0.2/add_peer failed: XrlCmdError 102 Command failed
    Jan 5 11:59:45 localhost xorp_rtrmgr: [ 2008/01/05 11:59:45 ERROR xorp_rtrmgr:4658 RTRMGR +701 /home/autobuild/builds/OFR/2007-11-17-0001/ofr/xorp/xorp/rtrmgr/master_conf_tree.cc commit_pass2_done ] Commit failed: 102 Command failed

Not sure how it's already there.

On Jan 4, 2008, at 9:33 PM, John Jolet wrote:

how about the line that says "this peer already exists"... delete the peer then re-add it.

Clint Chapman wrote:

    Jan 5 10:18:38 localhost xorp_bgp: [ 2008/01/05 10:18:38 WARNING xorp_bgp:6490 BGP +1054 /home/autobuild/builds/OFR/2007-11-17-0001/ofr/xorp/xorp/bgp/bgp.cc create_peer ] This peer already exists: {72.37.132.238(179) 72.37.132.237(179)} AS/25973
    Jan 5 10:18:38 localhost xorp_bgp: [ 2008/01/05 10:18:38 WARNING xorp_bgp:6490 XrlBgpTarget +552 xrl/targets/bgp_base.cc handle_bgp_0_2_add_peer ] Handling method for bgp/0.2/add_peer failed: XrlCmdError 102 Command failed
    Jan 5 10:18:38 localhost xorp_rtrmgr: [ 2008/01/05 10:18:38 ERROR xorp_rtrmgr:4658 RTRMGR +701 /home/autobuild/builds/OFR/2007-11-17-0001/ofr/xorp/xorp/rtrmgr/master_conf_tree.cc commit_pass2_done ] Commit failed: 102 Command failed
    Jan 5 10:25:58 localhost xorp_bgp: [ 2008/01/05 10:25:58 WARNING xorp_bgp:6490 BGP +1054 /home/autobuild/builds/OFR/2007-11-17-0001/ofr/xorp/xorp/bgp/bgp.cc create_peer ] This peer already exists: {72.37.132.238(179) 72.37.132.237(179)} AS/25973
    Jan 5 10:25:58 localhost xorp_bgp: [ 2008/01/05 10:25:58 WARNING xorp_bgp:6490 XrlBgpTarget +552 xrl/targets/bgp_base.cc handle_bgp_0_2_add_peer ] Handling method for bgp/0.2/add_peer failed: XrlCmdError 102 Command failed
    Jan 5 10:25:58 localhost xorp_rtrmgr: [ 2008/01/05 10:25:58 ERROR xorp_rtrmgr:4658 RTRMGR +701 /home/autobuild/builds/OFR/2007-11-17-0001/ofr/xorp/xorp/rtrmgr/master_conf_tree.cc commit_pass2_done ] Commit failed: 102 Command failed

See anything there?

On Jan 4, 2008, at 8:47 PM, Stig Thormodsrud wrote:

Check /var/log/messages (or show log) for further error messages.

stig

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Clint Chapman
Sent: Friday, January 04, 2008 6:38 PM
To: [EMAIL PROTECTED]
Subject: [Vyatta-users] Commit Error

    [EMAIL PROTECTED] show protocols
    bgp {
        bgp-id: removeIP
        local-as: my as number
        peer 72.*.*.* {                  (ISP side of the /30)
            local-ip: 72.37.132.238      (My side of the /30)
            as: 25973
            next-hop: 72.37.132.238      (My side of the /30)
            disable-readvertisements: true
        }
    }
    static {
        route 0.0.0.0/0 {
            next-hop: 72.*.*.*
        }
    }
    [edit]
    [EMAIL PROTECTED] commit
    [edit]
    Commit Failed
    102 Command failed
    [EMAIL PROTECTED]

Why am I getting that error? I don't think I have anything too complex in there.

Thanks!
Clint
Re: [Vyatta-users] router on the stick
On Jan 2, 2008 12:18 AM, Vects [EMAIL PROTECTED] wrote:

Hello there,

Does Vyatta support router on the stick configuration? I want to deploy it in a web hosting environment where every customer has their own VLAN. Is there any known problem with firewall in such a configuration?

Thanks, Alexc

No issues that I know of; should be just fine for what you need :-)

Best, Justin
Re: [Vyatta-users] jdocs anything like this for vyatta
Not sure what "like this" means, but there's full documentation available at vyatta.com, and on-line CLI help; just use the '?' key.

Best, Justin

On Jan 2, 2008 2:55 PM, Ken Felix (C) [EMAIL PROTECTED] wrote:

Do we have any future support for something similar in Vyatta? CLI online help.
Re: [Vyatta-users] happy with NAT. should I firewall also?
Depends on what you're looking for (of course :-) ) Since you're under NAT, nothing can find your system that you don't have set up for forwarding. You could set up firewall rules for the public address of your router, as it's wide-open otherwise, of course.

A happy 2008 to you, Justin

On Jan 1, 2008 6:40 PM, Alain Kelder [EMAIL PROTECTED] wrote:

Hello,

At my home office, I have 1 public IP and I'm forwarding certain outside port requests to the various machines inside using NAT. I'm allowing all inside-out traffic. Given that I'm happy with this setup from the functionality perspective, should I still add firewall rules to define my current setup (e.g. to allow all inside-out traffic and to allow http, smtp, etc to the various machines for outside-in traffic)? Am I missing out on important security features the firewall would offer which NAT doesn't?

Currently I just have the following firewall statements:

    firewall {
        log-martians: enable
        send-redirects: disable
        receive-redirects: disable
        ip-src-route: disable
        broadcast-ping: disable
        syn-cookies: enable
    }

    [EMAIL PROTECTED] show version
    Baseline Version: vc3
    Booted From: disk

Happy New Year to all!

Cheers, -Alain.
Re: [Vyatta-users] I want to configure 2 ISPs on Vyatta Server
Do you have any specific questions after reviewing the documentation at www.vyatta.com ?

Best, Justin

On Dec 23, 2007 10:10 PM, Amit Srivastava [EMAIL PROTECTED] wrote:

Hi,

I want to configure 2 ISPs on my Vyatta server. How can I configure it? Can someone help me?

-- Regards --
Amit Shrivastava
Linux Engineer
Tetra Information Services Pvt. Ltd.
136 Ground Floor, Sant Nagar, East of Kailash, New Delhi - 110065, India.
Email : [EMAIL PROTECTED]
Website : www.tetrain.com, www.linux4e.com
Phone : 91-11-66604033, 91-11-66604034, 91-11-66604035
Mobile : 91-060913
Fax : 91-11-26225293
Re: [Vyatta-users] setting up at home
If you haven't, you'll need to:

- Set up the internal address of the Vyatta router as the default gateway provided by DHCP
- Set up NAT so the private internal addresses are translated to your static IP from your provider

Best, Justin

On Dec 22, 2007 4:09 AM, Abhishek Jain [EMAIL PROTECTED] wrote:

Hi All

I am trying to install the community edition at home. I have a static IP from my DSL provider. On one of the interfaces I have configured an internal IP address and have set up the DHCP server, which is working fine, and my other machines are able to get an IP from DHCP. On another interface I have configured the static IP from my provider. I am able to ping www.google.com from the Vyatta web GUI but not from one of the machines in the internal network. Please, any help!!!
Re: [Vyatta-users] Question about OSPF syslog events
Try lowering your syslog level to debug; the messages from OSPF are likely filtered.

Best, Justin Fletcher

On Dec 21, 2007 6:56 AM, Adair, Nick [EMAIL PROTECTED] wrote:

Hi All,

This is my configuration for syslog logging; right now we have everything turned on and going to our syslog host. The problem is we are not seeing OSPF notifications, and I'm not sure what we are missing. We looked in the manuals (what a concept) and found the section "Sending OSPF messages to Syslog" and did what it indicated, but it does not seem to send OSPF info; we do see syslog messages when logrotate runs, ssh logins, etc. We want to know when a neighbor changes. Any help would be greatly appreciated.

    protocols {
        ospf4 {
            router-id: 192.168.4.2
            rfc1583-compatibility: false
            ip-router-alert: false
            traceoptions {
                flag {
                    all {
                        disable: false
                    }
                }
            }
            area 0.0.0.0 {
                area-type: normal
                interface eth0 {
                    link-type: broadcast
                    address 192.168.3.4 {
                        priority: 128
                        hello-interval: 10
                        router-dead-interval: 40
                        interface-cost: 1
                        retransmit-interval: 5
                        transit-delay: 1
                        passive: false
                        disable: false
                    }
                }
                interface eth1 {
                    link-type: broadcast
                    address 192.168.4.253 {
                        priority: 128
                        hello-interval: 10
                        router-dead-interval: 40
                        interface-cost: 1
                        retransmit-interval: 5
                        transit-delay: 1
                        passive: false
                        disable: false
                    }
                }
            }
        }
        snmp {
            community pilot {
                client 192.168.100.104
                client 192.168.100.105
                authorization: rw
            }
            contact:
            description:
            location:
        }
    }
    policy {
    }
    interfaces {
        restore: false
        loopback lo {
            description:
            address 192.168.4.2 {
                prefix-length: 32
                disable: false
            }
        }
        ethernet eth0 {
            disable: false
            discard: false
            description: Uplink to RTR Cloud
            hw-id: 00:50:56:85:72:6f
            duplex: auto
            speed: auto
            address 192.168.3.4 {
                prefix-length: 24
                disable: false
            }
        }
        ethernet eth1 {
            disable: false
            discard: false
            description: Connectivity to Access Switch
            hw-id: 00:50:56:85:1e:3c
            duplex: auto
            speed: auto
            address 192.168.4.253 {
                prefix-length: 24
                disable: false
            }
        }
    }
    ... snip
    system {
        host-name: vy-rtr-access
        domain-name: pilot-bmc.com
        domain-search {
            domain calbro.ase
        }
        name-server 192.168.100.100
        time-zone: GMT
        ntp-server 69.59.150.135
        static-host-mapping {
            host-name vy-rtr-access {
                inet: 192.168.4.2
            }
        }
        ... snip
        syslog {
            host 192.168.3.110 {
                facility * {
                    level: info
                }
            }
        }
        ...
    }

Nick
Re: [Vyatta-users] VRRP Release Timeframe?
Yes, it's based on heartbeat, and it should allow you to specify any init.d process as a service. However, not all are fully integrated with the router manager, so you may run into issues.

Best, Justin

On Dec 18, 2007 2:01 PM, Ken Price [EMAIL PROTECTED] wrote:

Sanjoy,

Thank you for your response. It looks like the Clustering feature may just be the ticket. I'll do some testing and give it a shot. Is clustering based on Heartbeat? Can I specify any /etc/init.d processes as a service? That would allow me to potentially integrate QoS scripts, or IDS components (Snort/OSSEC) as well.

-Ken

You may also want to take a look at the Clustering feature on VC3, though it currently supports one backup node. I'll defer to expert users who may comment on potential conflicts on getting keepalived working outside the scope of the Vyatta CLI. Share with us any tips or tricks if you have success doing so.
Re: [Vyatta-users] VPN under NAT
If they are both in private address space, the issue is whether the two know how to communicate with each other, as private address space isn't routable --

Best, Justin

On Dec 18, 2007 5:36 PM, Marco De Sortis [EMAIL PROTECTED] wrote:

How do I configure an IPsec VPN between 2 Vyatta routers both under NAT? I tested a lot but it seems to function only when at least one Vyatta is directly on the Internet (not under NAT)... no luck with both under NAT.

This works:

    vyattaVPN1 - internet - NAT - vyattaVNP2

This does NOT work:

    vyattaVPN1 - NAT - internet - NAT - vyattaVNP2

Can someone help me please?
Re: [Vyatta-users] Advises on configuring BGP
It's hard to tell without the full configuration, but remember that you need both a route out, as well as the rest of the internet needing to be able to find its way back to you. You can check to see if you're reachable using an external traceroute; see www.traceroute.org to check and see if you're reachable.

Best, Justin

On Dec 17, 2007 2:05 AM, Poh Yong Hwang [EMAIL PROTECTED] wrote:

Hi,

I have managed to set up the BGP session with my peer and also, based on the topic "Originating a Route to eBGP neighbors", to announce my IP ranges. I have set my eth1 IP to be XX.XX.XX.1/21 and connected one server directly to eth1 for testing. Setting XX.XX.XX.2 with subnet of 255.255.248.0 and XX.XX.XX.1 for default gateway on the server itself, I cannot get out to the internet (cannot surf the net using that server). Eth0 is linked with the UTP cable provided by upstream for peering. Is this the correct way to set it up? Please advise.

Thanks
Regards
Yongsan

On Dec 14, 2007 12:24 PM, Poh Yong Hwang [EMAIL PROTECTED] wrote:

Hi,

I have read the docs that were available but still have a few questions in mind. I have a UTP cable that was provided by the provider that I would like to peer with, so I have plugged it into my eth0. So what IP address should I set on my eth0? Where can I set the IP range XX.XX.XX.XX/21 that I want to announce? Please advise. Thanks!

Yongsan

On Dec 12, 2007 12:03 AM, Justin Fletcher [EMAIL PROTECTED] wrote:

Certainly; there's documentation with examples from http://www.vyatta.com/documentation/index.php or http://www.vyatta.com/twiki/bin/view/Community/DocumentationSet.

Best, Justin

On Dec 10, 2007 8:18 PM, Poh Yong Hwang [EMAIL PROTECTED] wrote:

Hi, Thanks!

I am a noob in setting up BGP and we have the following info from our upstream provider:

- Upstream Router Server IP Address
- Customer Primary Interface Address
- Upstream Secondary Router Server IP Address
- Customer Secondary Interface Address

Plus my ASN number as well as my IP range XX.XX.XX.XX/21. So is all this information enough to configure it? Are there any examples I can follow? Thanks!

Yongsan

On Dec 11, 2007 11:33 AM, Justin Fletcher [EMAIL PROTECTED] wrote:

Well, yes - Vyatta has full BGP support, so you'll be able to peer with your provider.

Best, Justin

On Dec 10, 2007 7:26 PM, Poh Yong Hwang [EMAIL PROTECTED] wrote:

Hi,

New here and to Vyatta and hope to get advice on getting this up. I wish to set up a BGP router for our current setup (we have got our ASN number, IP range) and we will peer with our upstream provider for MLPA. Just some simple BGP routes for testing purposes. So just wondering if Vyatta is able to do that? Thanks!

Yongsan
Re: [Vyatta-users] I broke all logging-- need help to restore it
The default is minimal:

    charon:~# cat /etc/syslog.conf
    *.warning    /var/log/messages

And by default, there's no syslog configuration in the Vyatta configuration file.

Best, Justin

On Dec 17, 2007 3:33 PM, [EMAIL PROTECTED] wrote:

All,

In my attempts to log firewall traffic (what I block and log) to another file or syslog server, I have apparently failed and stopped all firewall logging attempts. The router/firewall is still working properly, but now instead of having to dig through the messages file for just firewall entries (grepping), I get nothing. In fact, my /var/log/messages doesn't contain any entries at all now.

Could someone post the default syslog.conf file and whatever I need to specify in the actual Vyatta configuration for the defaults? I'd like to get back to where I was in logging.

Thanks a lot, Aaron
Re: [Vyatta-users] VRRP Confusion
Ah, yes - you can't actually change the MAC on some hardware, so you end up in this confused state and only see packets destined for the interface in promiscuous mode (hence the suggestion to disable the virtual MAC . . .)

Justin

On Dec 13, 2007 12:29 PM, Allan Leinwand [EMAIL PROTECTED] wrote:
A thought here that may help cut through some of the confusion. I think that when you run tcpdump on the interface it places that interface into promiscuous mode. When in this mode, it can respond to pings to both the real IP address on the Ethernet and the virtual IP address (all packets are being received by the interface, so when it sees one for its own IP addresses, it responds). However, when the interface is running VRRP and in non-promiscuous mode I am unsure if the real IP and the virtual IP both respond to pings. Final caveat: I have not tried any of this recently, so with my advice YMMV.
Thanks,
allan

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Stig Thormodsrud
Sent: Thursday, December 13, 2007 12:23 PM
To: 'Daniel Stickney'; vyatta-users@mailman.vyatta.com
Subject: Re: [Vyatta-users] VRRP Confusion

I wonder if this might be solved with the disable-vmac setting?
stig

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:vyatta-users-[EMAIL PROTECTED] On Behalf Of Daniel Stickney
Sent: Wednesday, December 12, 2007 2:47 PM
To: vyatta-users@mailman.vyatta.com
Subject: [Vyatta-users] VRRP Confusion

Hello everyone,
I used Google to search the mailing list archive, but didn't get any results for my issue. This is my second day working on the problem and my colleagues don't have any suggestions. This post is a little long, but I hope thorough enough to give all relevant information.

Here is my setup:
vyatta01 - eth0: 192.168.2.50, eth1: 192.168.10.3
vyatta02 - eth0: 192.168.2.51, eth1: 192.168.10.2
laptop01 - eth0: 192.168.10.11

Laptop01 is connected to a switch, which also has cables from eth1 on both vyatta01 and vyatta02 connected. Eth0 on both vyatta01 and vyatta02 are connected into the main 192.168.2.0/24 network, which has internet connectivity. With a base configuration of a default route to 192.168.2.21 on both vyatta01 and vyatta02, and the above IPs assigned to their respective network cards, I can ping 192.168.10.2 and 192.168.10.3 from laptop01; I can ping 192.168.10.2 from vyatta01, and I can ping 192.168.10.3 from vyatta02. Basically, everything can ping everything. I then proceed to set up VRRP between vyatta01 and vyatta02 with the following config:

--Vyatta02--
set interfaces ethernet eth1 vrrp vrrp-group 10
set interfaces ethernet eth1 vrrp virtual-address 192.168.10.1
set interfaces ethernet eth1 vrrp preempt true
set interfaces ethernet eth1 vrrp priority 150
commit

--Vyatta01--
set interfaces ethernet eth1 vrrp vrrp-group 10
set interfaces ethernet eth1 vrrp virtual-address 192.168.10.1
set interfaces ethernet eth1 vrrp preempt true
set interfaces ethernet eth1 vrrp priority 20
commit

So vyatta02 is the master, VIP is 192.168.10.1. Immediately, and as expected, I see in the output of show vrrp that vyatta02 considers itself the master, and vyatta01 sees itself as the backup. In a tcpdump from laptop01 I can see the VRRPv2 advertisements from vyatta02 every second. At this time from laptop01 I am unable to ping 192.168.10.1 or 192.168.10.2, but I can ping 192.168.10.3. The arp table on laptop01 shows the following:

# arp -n
Address        HWtype  HWaddress          Flags Mask  Iface
192.168.10.3   ether   00:1A:A0:2A:04:0A  C           eth0
192.168.10.1   ether   00:00:5E:00:01:0A  C           eth0
192.168.10.2   ether   00:00:5E:00:01:0A  C           eth0

From vyatta01, I am also unable to ping 192.168.10.1 and 192.168.10.2.

What is causing me great confusion is that if on vyatta02 I log in as root and execute a tcpdump -i eth1, instantly my pings from laptop01 and vyatta01 to both 192.168.10.1 and 192.168.10.2 start getting responses. As soon as I ctrl-c the tcpdump on vyatta02, the ping responses stop again. If I reconfigure the VRRP priority of vyatta02 to be lower than vyatta01, they change over to vyatta01 being the master, and vyatta02 as the backup. At this time from laptop01 I am able to ping 192.168.10.1, 192.168.10.2 and 192.168.10.3. In a tcpdump on laptop01 I see the VRRP advertisements coming from 192.168.10.3 as expected. The arp table on laptop01 now looks like this:

# arp -n
Address        HWtype  HWaddress          Flags Mask  Iface
192.168.10.3   ether   00:00:5E:00:01:0A  C           eth0
192.168.10.1   ether   00:00:5E:00:01:0A  C           eth0
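The two arp tables above both show a router's own interface address resolving to the VRRP virtual MAC (00:00:5E:00:01:0A, where 0A is VRID 10). The following is an added example, not code from the thread or from Vyatta: it parses net-tools arp -n output, decodes the VRID from any virtual MAC, and lists real interface addresses that are being answered from a virtual MAC, which is the host to check when pings only work under tcpdump. The sample tables are constructed from the addresses Daniel posted.

```python
"""VRRP virtual-MAC check over `arp -n` output (added example, not from the thread)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# IANA prefix for VRRP virtual MACs (RFC 3768): 00-00-5E-00-01-{VRID}.
VRRP_MAC_PREFIX = "00:00:5e:00:01:"
MAC_RE = re.compile(r"([0-9a-f]{2}:){5}[0-9a-f]{2}")

# Constructed from the thread: vyatta02 (192.168.10.2) is master, pings to .1 and .2 fail.
ARP_VYATTA02_MASTER = """\
Address        HWtype  HWaddress          Flags Mask  Iface
192.168.10.3   ether   00:1A:A0:2A:04:0A  C           eth0
192.168.10.1   ether   00:00:5E:00:01:0A  C           eth0
192.168.10.2   ether   00:00:5E:00:01:0A  C           eth0
"""

# Constructed from the thread: vyatta01 (192.168.10.3) is master, everything pings.
ARP_VYATTA01_MASTER = """\
Address        HWtype  HWaddress          Flags Mask  Iface
192.168.10.3   ether   00:00:5E:00:01:0A  C           eth0
192.168.10.1   ether   00:00:5E:00:01:0A  C           eth0
"""


@dataclass(frozen=True)
class ArpEntry:
    ip: str
    mac: str    # lower-case, colon separated
    iface: str


def parse_arp(text: str) -> List[ArpEntry]:
    """Parse net-tools `arp -n` output; the header and incomplete rows are skipped."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        # Complete rows carry at least: Address HWtype HWaddress Flags Iface.
        if len(fields) < 5 or fields[0] == "Address":
            continue
        ip, hwtype, mac = fields[0], fields[1], fields[2].lower()
        if hwtype != "ether" or not MAC_RE.fullmatch(mac):
            continue
        entries.append(ArpEntry(ip, mac, fields[-1]))
    return entries


def vrrp_vrid(mac: str) -> Optional[int]:
    """Return the VRID encoded in a VRRP virtual MAC, or None for an ordinary MAC."""
    mac = mac.lower()
    if mac.startswith(VRRP_MAC_PREFIX):
        return int(mac[-2:], 16)
    return None


def real_ips_on_virtual_mac(entries: List[ArpEntry], virtual_ips: Set[str]) -> Dict[str, int]:
    """Map each non-virtual IP that resolves to a VRRP virtual MAC to that MAC's VRID.

    Both tables in the thread show the master's own address on the virtual MAC, so
    this only names the host to verify: if it stops answering unless tcpdump (that
    is, promiscuous mode) is running, its NIC is not receiving frames for the
    virtual MAC, which is the situation the disable-vmac suggestion addresses.
    """
    found = {}
    for entry in entries:
        vrid = vrrp_vrid(entry.mac)
        if vrid is not None and entry.ip not in virtual_ips:
            found[entry.ip] = vrid
    return found


if __name__ == "__main__":
    for label, table in (("vyatta02 master", ARP_VYATTA02_MASTER),
                         ("vyatta01 master", ARP_VYATTA01_MASTER)):
        hits = real_ips_on_virtual_mac(parse_arp(table), {"192.168.10.1"})
        for ip, vrid in hits.items():
            print(f"{label}: {ip} is answered from the VRRP virtual MAC of VRID {vrid}")
```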
Re: [Vyatta-users] IPsec and VRRP problem
Ah, piffle - looks like that bug was fixed after VC3 was released. You need to correct /opt/vyatta/sbin/vpn-config.pl. You can get the corrected version from http://suva.vyatta.com/git/?p=ofr.git;a=blob_plain;f=cli/scripts/vpn/vpn-config.pl;hb=HEAD or you can just comment out the check, if you're comfortable with perl.

Best,
Justin

On 12/12/07, Senad Uka [EMAIL PROTECTED] wrote:
Now we have found the right one and again we have the same problem. I configured the router EXACTLY as it is written in the manual, clustering chapter :) But still, even if the cluster is up and running and I can ping the cluster IP addresses, it doesn't let me set local-ip in the IPsec peer configuration to the cluster IP address, complaining that the IP address is not an address of the interface or a cluster address ... I have attached the configuration of the first router. Currently I set the local-ip to the physical interface's IP so I can commit and save the config ... also I didn't set up the second monitor node, but as I understand, that should not be the problem. The configuration of the second router is identical, with the respective interface IP addresses changed (and has the same problem with local-ip) ...

On Dec 11, 2007 5:25 PM, Justin Fletcher [EMAIL PROTECTED] wrote:
Certainly. Let me know if you need more information (though there's a new clustering chapter in the documentation for this :-) )
Best,
Justin

On Dec 11, 2007 8:22 AM, Senad Uka [EMAIL PROTECTED] wrote:
Thank you for the quick answer.

On Dec 11, 2007 5:11 PM, Justin Fletcher [EMAIL PROTECTED] wrote:
It is; clustering support was added recently exactly for scenarios such as this. You'll need to set up WEST and WEST backup as cluster members, define the IP addresses, and set up IPSec as the failover service. This will actually be using clustering instead of VRRP for your virtual address failover.
Best,
Justin

On Dec 11, 2007 6:28 AM, Senad Uka [EMAIL PROTECTED] wrote:
Hello.
I am trying to set up a network similar to the one in the configuration manual under the pre-shared key IPSEC VPN settings section, but adding a VRRP backup router to the router named WEST in the manual (page 231).

                 | SERVER |
              192.168.40.7/24
                     |
                     |
                     * (virtual IP: 192.168.40.20)
                    / \
                   /   \
                  /     \
      192.168.40.6/24   192.168.40.5/24
        |  WEST  |      | WEST backup |
      192.0.2.2/26      192.168.0.2.3/26
                  \     /
                   \   /
                    \ /
                     * (virtual IP: 192.0.2.1)
                     |
                     |
                     |
              192.0.2.33/26
                 |  EAST  |
              192.168.60.8/24
                     |
                     |
              192.168.60.7/24
                | CLIENT |

The client communicates with the server through an IPSEC tunnel between the EAST and WEST routers. If the WEST router goes down, WEST backup should take over. I have set up the routers according to the manual and it worked. When I set up VRRP on the WEST, and set the ipsec peer on the EAST to the virtual IP, the tunnel cannot be established. From the debug data for the ipsec I can see that the EAST is expecting a tunnel 192.68.60/24===192.0.2.33...192.0.2.1===192.168.40.0/24, while the WEST doesn't use its virtual address and expects 192.168.40.0/24===192.0.2.2...192.0.2.33===192.68.60/24, so it cannot finish the phase 2 negotiation ... In order to solve it, I tried to set the local-ip in the ipsec configuration on the WEST side to the virtual IP address (192.0.2.1) but I cannot commit the changes since Vyatta does not recognize it as the address of an interface (Message: Local IP specified for peer 192.0.2.33 has not been configured in any of the ipsec interfaces or clustering.) Is my requested behaviour even possible to achieve? Am I missing something?
--
LA ILAHE ILLA ENTE, SUBHANEKE INNI KUNTU MINE-ZZALIMIN
Re: [Vyatta-users] Restricting traffic between networks
While obvious, make certain that the computers on the 10.20.0.0/24 have the Vyatta router as their default gateway --

Justin

On Dec 10, 2007 12:39 PM, Lance Franklin [EMAIL PROTECTED] wrote:
After reading some of the recent posts and configuring only one interface, I have gotten this to work. With the below configuration, I can remote desktop from the 10.10.0.0/24 network to computers on the 10.20.0.0/24 network. The computers on the 10.20.0.0/24 network cannot get to any other network. I may go back and add a firewall rule to the 10.20.0.0/24 interface and only allow established communication into the router.

ethernet eth0 {
    disable: false
    discard: false
    description: Production Network
    hw-id: 00:0e:0c:b8:4d:12
    duplex: auto
    speed: auto
    address 10.10.0.199 {
        prefix-length: 24
        disable: false
    }
    firewall {
        in {
            name: Prod2Dev
        }
    }
}
firewall {
    log-martians: enable
    send-redirects: disable
    receive-redirects: disable
    ip-src-route: disable
    broadcast-ping: disable
    syn-cookies: enable
    name Prod2Dev {
        description: Production to Development
        rule 1 {
            description: Remote Desktop
            protocol: tcp
            action: accept
            log: enable
            source {
                network: 10.10.0.0/24
            }
            destination {
                network: 10.20.0.0/24
                port-number 3389
            }
        }
    }
}

Quoting Justin Fletcher [EMAIL PROTECTED]:
You also need to apply the firewall rules to an interface, as in

firewall {
    in {
        name: inbound
    }
    local {
        name: inbound
    }
}

In the above case, it's for inbound traffic, and traffic destined for the router itself. Also remember that traffic will flow in both directions, unless you just want to block the inbound traffic from the development network. Your current rule 4 prevents new connections - as well as everything else ;-) Looks like your rules 1-3 should have the matching source and destination networks as rule 4; otherwise, that inbound traffic will only match rule 4, and not match one of the earlier rules for permitted traffic.

Best,
Justin

You can do a show firewall to see the rules on the system, as well as enable logging for a rule to see where the traffic is being dropped.

Justin

On Dec 6, 2007 3:42 PM, Lance Franklin [EMAIL PROTECTED] wrote:
After reading through the Quick Guide to Configuration Statements, I see:

state {
    established: [enable|disable]
    new: [enable|disable]
    related: [enable|disable]
    invalid: [enable|disable]
}

How can I add this to my rule 4 to prevent new connections to the work network from the development network? Would it be:

rule 4 {
    description: 10.10.0.0/24
    protocol: all
    state {
        new: enable
    }
    action: drop
    log: disable
    source {
        network: 10.20.0.0/24
    }
    destination {
        network: 10.10.0.0/24
    }
}
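To see how Lance's rule 1 and his proposed rule 4 (with and without the state matcher) treat traffic, and why rule order matters as Justin notes, here is an added example that is not code from the thread or from Vyatta: a small first-match evaluator over the matchers those rules use. It ignores which interface a rule set is attached to, assumes a named rule set ends with an implicit drop, and uses constructed sample packets; the accept-established rule and its numbering are assumptions, not something Lance posted.

```python
"""First-match evaluation of Vyatta-style named firewall rule sets (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str            # "tcp", "udp", "icmp"
    dport: Optional[int]  # None for protocols without ports
    state: str            # connection-tracking state: new, established, related, invalid


@dataclass(frozen=True)
class Rule:
    number: int
    action: str                          # "accept" or "drop"
    protocol: str = "all"
    source: Optional[str] = None         # CIDR network; None matches any
    destination: Optional[str] = None
    dport: Optional[int] = None
    states: Optional[frozenset] = None   # None matches any state

    def matches(self, pkt: Packet) -> bool:
        if self.protocol != "all" and self.protocol != pkt.proto:
            return False
        if self.source and ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(self.source):
            return False
        if self.destination and ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(self.destination):
            return False
        if self.dport is not None and pkt.dport != self.dport:
            return False
        if self.states is not None and pkt.state not in self.states:
            return False
        return True


def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[Optional[int], str]:
    """Return (rule number, action) of the first matching rule in numeric order.

    Assumption: a named rule set ends with an implicit drop, reported as (None, "drop").
    """
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.matches(pkt):
            return rule.number, rule.action
    return None, "drop"


# Lance's working rule 1: RDP from production to development.
RULE1_RDP = Rule(1, "accept", "tcp", "10.10.0.0/24", "10.20.0.0/24", 3389)
# Lance's proposed rule 4, with the state matcher and without it.
RULE4_NEW_ONLY = Rule(4, "drop", "all", "10.20.0.0/24", "10.10.0.0/24", states=frozenset({"new"}))
RULE4_ANY_STATE = Rule(4, "drop", "all", "10.20.0.0/24", "10.10.0.0/24")
# States accepted by an assumed "return traffic" rule (not in the thread).
ESTABLISHED_STATES = frozenset({"established", "related"})

# Constructed sample packets.
PACKETS = {
    "rdp_from_prod": Packet("10.10.0.5", "10.20.0.9", "tcp", 3389, "new"),
    "ssh_from_dev": Packet("10.20.0.9", "10.10.0.5", "tcp", 22, "new"),
    "rdp_reply_from_dev": Packet("10.20.0.9", "10.10.0.5", "tcp", 51000, "established"),
}


def scenario(rules: List[Rule]) -> Dict[str, Tuple[Optional[int], str]]:
    """Evaluate every sample packet against one rule set."""
    return {name: evaluate(rules, pkt) for name, pkt in PACKETS.items()}


if __name__ == "__main__":
    rule_sets = {
        "rule 4 (new only), no established rule":
            [RULE1_RDP, RULE4_NEW_ONLY],
        "rule 2 established, rule 4 (new only)":
            [RULE1_RDP, Rule(2, "accept", states=ESTABLISHED_STATES), RULE4_NEW_ONLY],
        "rule 4 (any state), rule 5 established":
            [RULE1_RDP, RULE4_ANY_STATE, Rule(5, "accept", states=ESTABLISHED_STATES)],
    }
    for label, rules in rule_sets.items():
        print(label)
        for name, (number, action) in scenario(rules).items():
            print(f"  {name:20s} -> {action} (rule {number})")
```

The first set shows that a rule 4 limited to new connections still leaves RDP replies to fall through to the implicit drop; the third shows that a stateless rule 4 drops those replies before a later accept-established rule can see them.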
Re: [Vyatta-users] Advises on configuring BGP
Well, yes - Vyatta has full BGP support, so you'll be able to peer with your provider.

Best,
Justin

On Dec 10, 2007 7:26 PM, Poh Yong Hwang [EMAIL PROTECTED] wrote:
Hi,
New here and to Vyatta and hoping to get advice on getting this up. I wish to set up a BGP router for our current setup (we have got our ASN number and IP range) and we will peer with our upstream provider for MLPA. Just some simple BGP routes for testing purposes. So just wondering if Vyatta is able to do that?
Thanks!
Yongsan
Re: [Vyatta-users] regarding source code
The application is independent of the Vyatta router functions, but you'll need the Vyatta build environment defined by other packages. If all you're looking for is iputils, you can get the Debian source package, or iproute functions from http://www.linux-foundation.org/en/Net:Iproute2 .

Best,
Justin

On Nov 30, 2007 12:02 AM, sridhar chom [EMAIL PROTECTED] wrote:
Can we compile iputils alone by just downloading iputils? Does it need ofr also?
Re: [Vyatta-users] Error: 102 Command failed TCP/UDP Protocol must be specified
Try VC3; there were a number of firewall issues addressed in that release.

Best,
Justin

On Nov 29, 2007 10:48 AM, Alain Kelder [EMAIL PROTECTED] wrote:
Hello,
I'm trying to set protocols to all for a destination NAT rule. But Vyatta complains that it wants either TCP or UDP. However, in this awesome how-to, they did just that: http://www.openmaniak.com/vyatta_case6.php#ancre-configurations

Here's what I tried:

[EMAIL PROTECTED] edit service nat rule 35
[edit service/nat/rule/35]
[EMAIL PROTECTED] set protocols all
[edit service/nat/rule/35]
[EMAIL PROTECTED] commit
[edit service/nat/rule/35]
Commit Failed
102 Command failed
TCP/UDP Protocol must be specified

What's weird is that 'tab' (auto complete) shows all as an option:

[EMAIL PROTECTED] set protocols
`protocols' is ambiguous.
Possible completions:
  [Enter]   Execute this command
  all       Perform NAT on all protocol traffic
  icmp      Perform NAT on ICMP traffic only
  tcp       Perform NAT on TCP traffic only
  udp       Perform NAT on UDP traffic only

I'm able to set protocols to udp or tcp, but not all. What I'd like is this:

rule 35 {
    type: destination
    translation-type: static
    inbound-interface: eth0
    protocols: all
    source {
        network: 0.0.0.0/0
    }
    destination {
        address: 65.xx.xx.xx
        port-number 53
    }
    inside-address {
        address: 10.10.3.20
    }
}

Interestingly, Vyatta accepts all for a source NAT rule:

rule 39 {
    type: source
    translation-type: static
    outbound-interface: eth0
    protocols: all
    source {
        address: 10.10.3.20
    }
    destination {
        network: 0.0.0.0/0
    }
    outside-address {
        address: 65.xx.xx.xx
    }
}

Any ideas? Thanks a bunch in advance.. I'm at a loss!

[EMAIL PROTECTED] show version
Version:   VC2
Built by:  [EMAIL PROTECTED]
Built on:  200702080056 -- Thu Feb 8 00:56:19 UTC 2007
Re: [Vyatta-users] Compaq DL360 G1 - cpqarray
It's also an integrated system; you configure the entire router through the Vyatta interface, rather than running multiple programs and editing numerous and varied configuration files, all with different formats in entertaining locations.

Justin

On Nov 26, 2007 3:20 PM, Max [EMAIL PROTECTED] wrote:
I am curious as to what makes Vyatta different from XORP other than the commercial support? Are there features in Vyatta that XORP does not have?

On Nov 22, 2007 10:39 AM, silvertip257 [EMAIL PROTECTED] wrote:
All righty ;) ... if you say so ... at this point I'm trying to learn all I can before I get a full time job as a net admin or something like that (I'm still in college at this point). The pinch time brings in weird proprietary crap called mainly Micr0$0ft, but I've been seeing lately Ci$c0 hasn't been much better ;). Maybe it's the outrageous prices for IOS compact flash cards we use in the networking labs. Hell, the profs got smart and copied the IOS to a hard drive and then re-imaged them on $8 128MB compact flash cards. But just having such a price difference is a lotta crap. I'm seeing that when companies work with me and let me work with them, I understand their products more and actually want to roll their products out in a workplace.

Good luck to you ... the above was nothing personal ... until I learn everything about Vyatta and customization, I will most likely not use it or suggest it in the workplace. No job is worth being fired b/c I suggested something I don't know (almost) everything about. That's an extreme example, but I hate screwing up or getting loads of criticism (unless it's truly constructive).

Tell me how it goes. Vyatta is not out of the picture ... they're fixing features every day. They also don't have all the hardware, nor have they had all of it tested with their OS.

Have a good holiday,
Mike

On Nov 21, 2007 1:52 AM, Max [EMAIL PROTECTED] wrote:
I've been a Linux guy for years but have never messed around with any of the boot CD stuff. This is going to be a learning thing for me for sure, so wish me luck ;) If I am unsuccessful on my own (+misc support), I am afraid I am just going to lean towards buying a few Cisco 7900's. It is the proven reliability and support that Cisco brings to the table. *note* I am a CCNP so I am a little biased, also down 8 pints of Guinness ;p

From: silvertip257 [EMAIL PROTECTED]
Sent: Tuesday, November 20, 2007 11:38 PM
To: Max [EMAIL PROTECTED]
Subject: Re: [Vyatta-users] Compaq DL360 G1 - cpqarray

I'm reading it, but as I have not customized Vyatta myself yet, I really can't help you much. If you feel like it and learn something neat on how to build one a certain way, please do share the information!
Mike

On Nov 20, 2007 6:12 PM, Max [EMAIL PROTECTED] wrote:
I have been unable to blacklist the sym53c8xx module from the boot loader, so I am going to try to create another live CD without the sym53c8xx in the initramfs. Unless anyone has any comments?

On Nov 19, 2007 9:32 PM, Max [EMAIL PROTECTED] wrote:
Hey'a fellas! I have a bit of a head scratcher here.. it seems the Vyatta 3.0 live CD does not work out of the box on G1 Compaq DL360's. From what I can tell the sym53c8xx module is loaded before the needed cpqarray module and that's what is causing the failure. I have tried unloading the modules and reloading cpqarray but don't seem to have any luck. My guess is the SCSI controller needs to be reset or what have you. Is there a way to prevent the sym53c8xx module from loading from the boot loader? Or should I look into recreating the live CD from scratch with my own kernel?
Thanks in advance!

--
// SilverTip257 //
== Ubuntu 7.04 (Feisty Fawn) --- Linux for human beings. (http://www.ubuntu.com/)
~~ Helix --- Don't leave /home without it. (http://www.efense.com/helix/)
Re: [Vyatta-users] install-system not working
Try running parted before install-system and deleting any existing partitions - I've had that work on stubborn systems before ;-)

Best,
Justin

On Nov 24, 2007 1:43 PM, Rodrigo Romero III [EMAIL PROTECTED] wrote:
I'm trying to install VC3 on a server but it's giving me this error:

vyatta:/# install-system
Welcome to the Vyatta install program. This script will walk you through the process of installing the Vyatta image to a local hard drive.
Would you like to continue? (Yes/No) [Yes]:
Probing drives: OK
The Vyatta image will require a minimum 450MB root partition and a minimum 10MB configuration partition.
Would you like me to try to partition a drive automatically or would you rather partition it manually with parted? If you have already setup your partitions, you may skip this step.
Partition (Auto/Parted/Skip) [Auto]:
I found the following drives on your system:
 sda    8MB
Install the image on? [sda]:
This will destroy all data on /dev/sda.
Continue? (Yes/No) [No]: Yes
Cannot mount /dev/sda1.
Please see install.log for more details.
Exiting..

vyatta:/# vi install.log
turning off swaps...
Cannot mount /dev/sda1.
mount /dev/sda1 /mnt/tmp
Exiting...
mount: you must specify the filesystem type

--
Rodrigo Romero III
General Manager
Avetti Global Services Corp.
An Avetti.com Company
Re: [Vyatta-users] IPsec configuration
Just routing - you're identifying which traffic sources and destinations are tunneled.

Best,
Justin

On Nov 21, 2007 5:57 PM, Philippe Marcais [EMAIL PROTECTED] wrote:
What is the purpose of the following configuration lines?

tunnel 1 {
    local-subnet: 192.168.0.0/24
    remote-subnet: 10.40.1.0/24

Why does the tunnel have to be linked to a local subnet? In fact, I may have multiple local subnets from multiple interfaces or sub-interfaces using this IPsec tunnel. Same question regarding the remote subnet. I do have multiple remote subnets that I'd like to reach out to on the remote side.
Thanks,
Philippe
Re: [Vyatta-users] pbm vpn with vyatta router
There's nothing special about routing VPN packets from the view of the Vyatta router. You can see the traffic that the Vyatta is seeing using the integrated packet sniffer. While logged in as the root user, run tshark -n -i interface to see the packets. For full packet detail, add -V.

Best,
Justin

On Nov 13, 2007 6:28 AM, [EMAIL PROTECTED] wrote:
Hi,
I'm using Vyatta VC3 (virtual appliance). I have two firewalls connected to the router. I created a VPN between my two firewalls, but it seems that the ISAKMP frames are not routed.

Use case:
- I create my policy for the VPN
- I launch a ping (from net 192.168.1.0)
- I launch a tcpdump on the firewall cluster (blue one)
- I can see ISAKMP frames
- I launch a tcpdump on the firewall cluster (red one)
- I don't see ISAKMP frames

And it is the same when I do the contrary.

Config that I have on my router:

eth0      net 129.40.1.1
eth1      net 212.20.1.1
eth2.129  129.40.2.1
eth2.212  212.40.2.1

Routes are automatically generated following the interfaces that I have defined. This is all the configuration that I did on the Vyatta router. Is it possible to have a debug mode to see VPN frames on the Vyatta router, or another solution to see how frames are managed? Or another possibility: maybe the router doesn't accept VPN frames ... I don't know.
Thanks for your help.

--
Best Regards,
Gregory Grimaux
Tel: +33 4 97 23 43 36
http://www.stonesoft.com
Re: [Vyatta-users] Public to Public NAT
There really shouldn't be any difference when you NAT with a public address; it'll just be that your inside address is in public address space instead of private.

Best,
Justin

On Nov 7, 2007 3:17 PM, David Marrow Jr [EMAIL PROTECTED] wrote:
Does anyone have any suggestions? How would I go about configuring a Public IP to Public IP NAT configuration? I'm in the next phase of my setup and one of my servers cannot function in a DMZ zone or a NAT zone; the IP address, due to software licensing, has to be a public IP.
Please advise, thank you.
Re: [Vyatta-users] subnet move/add/change misbehavior [grrrrr!]
No problem - I know exactly how you feel some days! And I'd missed the point that it didn't make it into the system route table, so the first question I'd ask is whether the next hop you're specifying is directly connected. If it isn't, try using the IP address of the directly connected next hop router. If it is, well, there's a bit more to figure out, as I've never seen that behavior.

To try a rephrase on the load config command, it'll make your running configuration match the configuration in the file (usually :-) )

Justin

On Nov 5, 2007 8:52 PM, Aubrey Wells [EMAIL PROTECTED] wrote:
Thanks for the response - sorry for my impatience. :-) I don't mind the viewing discrepancy, it's the fact that Vyatta doesn't recognize the existence of the routes - so I can't do anything with them. So you're saying load config.boot should fix the problem? Will that cause any downtime while it rereads the config, or should it be seamless? Also... maybe it's just because it's been a really long day, but this sentence doesn't make any sense: it'll remove everything that's not in the current configuration that's in the config file, and add the new commands from the config file. Could you possibly rephrase for me? :-)

--
Aubrey Wells
Senior Engineer
Shelton | Johns Technology Group
404.478.2790
www.sheltonjohns.com

On Nov 5, 2007, at 11:31 PM, Justin Fletcher wrote:
Good questions - I think you're just seeing a synchronization issue. If you see it in the system route table (route -n from the Linux shell or show route system forward from the CLI) it's really in the system RIB, as the forwarding information base is updated from the RIB. However, show route looks at a different table, and can be somewhat out of sync. So - if you see the route from show route system forward it made it into the route tables correctly - you're just seeing a viewing discrepancy issue.

Also, you can load the configuration using load config.boot in config mode; it'll remove everything that's not in the current configuration that's in the config file, and add the new commands from the config file.

Best,
Justin

On Nov 5, 2007 8:08 PM, Aubrey Wells [EMAIL PROTECTED] wrote:
Anyone? :-(
--
Aubrey Wells

On Nov 3, 2007, at 10:16 PM, Aubrey Wells wrote:
Hi,
I'm having this really frustrating problem where occasionally I will add an IP/network to Vyatta, or delete an IP and re-add it to the same interface with a different prefix-length or move it to a different interface (with a commit in between), and Vyatta will not recognize that the IP/network has been added. For instance, this evening, I was attempting to add 8.17.X.253 /30 to interface eth1 on vif 1180. If I look at the system routing table, it is added on the correct interface and traffic passes to the host on the other side. But if I do a show route in Vyatta the subnet is not there and as such, if I try to point a static route at it, the route instead gets added to whatever my default route is. For example:

set protocols static route 1.2.3.0/8 next-hop 8.17.X.254

That gets added to the config file fine, but a show route shows it having a next hop of my default route. The system routing table does the same. Also, I cannot delete this route from the config without doing it by hand with vi and rebooting (says the route doesn't exist).

Also, I tried to remove 8.17.X.113 /28 and re-add it as 8.17.X.113 /27. I removed the IP, committed, and re-added it. The subnet didn't show up in the Vyatta routing table after a commit, but it was in the system routing table (route -n). Traffic passed just fine.

When I commit those changes, I see this in the messages log:

Nov 4 01:49:47 vyatta xorp_fea: [ 2007/11/04 01:49:47 WARNING xorp_fea FEA ] Got update for address no in lib feaclient tree: eth0.1180/eth0.1180/8.17.X.253
Nov 4 01:49:47 vyatta xorp_fea: [ 2007/11/04 01:49:47 WARNING xorp_fea FEA ] Got update for address no in lib feaclient tree: eth1.54/eth1.54/8.17.X.113

If I save the config and reboot the box, the configuration loads up just fine and all my subnets/routes are correct. This is not a solution, as this is my core router in a fast-growing network and I can't go around rebooting it every time I add a subnet. I'm running the last VC3 beta. (I haven't upgraded to the VC3 release because I didn't want to reboot the box without scheduling a window, heh.) This also happened in VC2.2. I'm not 100% sure about whether or not it happens on a PHY, but I think it did, although most of my stuff is on VIFs.

Please help! Oh, and is there a way to get it to dump and reload the config from scratch without rebooting? These Dells have a horrendous POST time because of the RAID, DRAC, and BMC BIOSes that all have to load (plus the overhead of checking 8G of memory)!

--
Aubrey Wells
Re: [Vyatta-users] OSPF over high latency links
Obvious question, but is this set the same on the routers on both sides of the link?

Justin

On 10/23/07, Jon [EMAIL PROTECTED] wrote:
Hi all,
I have a problem with OSPF losing its connection over high latency links. The link in question will induce a delay from a minimum of 1 sec to a maximum of more than 20 sec. (Yes, such links do exist :-/ ) I have tried to set the hello and router-dead intervals to 60 and 240 respectively, but I still lose the connection. I have also tried to manipulate transmit-delay and retransmit in order to handle the latency (20 and 90 secs) but no luck so far. Can anybody tell me why this happens, or at least what I can do to make OSPF a bit more forgiving about delayed packages (if that is the problem...)?
Thanks in advance,
Jon
Re: [Vyatta-users] VRRP Possible with Vyatta router? Or is there in-built rollover functions
This is available in the VC3 beta with the new clustering support.

Best,
Justin

On 10/19/07, Daren Tay [EMAIL PROTECTED] wrote:
Hi guys,
I am looking to implement a redundant router setup (based on Vyatta). Is it possible to use applications like Heartbeat to do this? Or can I do it with VRRP?
Thanks!
Daren
Re: [Vyatta-users] Problems with Vyatta yum repo?
Yes, we ran into an issue with the repositories on Friday, and disabled the repository while we resolve the issue. Hope to have it back shortly -

Justin

On 10/15/07, Roar Bjørgum Rotvik [EMAIL PROTECTED] wrote:
Hi,
I see that the Vyatta yum repo under http://archive.vyatta.com/vyatta seems to be disabled, as the directory is renamed to vyatta-disabled. See http://archive.vyatta.com/:

Index of /
Icon   Name              Last modified      Size  Description
[DIR]  build-root/       16-Aug-2007 12:44  -
[DIR]  vyatta-disabled/  13-Oct-2007 10:59  -
Apache/2.0.55 (Ubuntu) mod_ssl/2.0.55 OpenSSL/0.9.8a Server at archive.vyatta.com Port 80

This makes my local Vyatta ofr tree fail during building, as it tries to update packages from http://archive.vyatta.com/vyatta/. Is there any reason why this directory is renamed to vyatta-disabled, and how and when is this going to be fixed? I took a quick search in the mailing lists, but did not see any mail related to this..

--
Roar Bjørgum Rotvik
Re: [Vyatta-users] Nagios plugin
You certainly can; I monitor Vyatta routers with MRTG and Nagios. And, of course, there's Net-SNMP (see http://net-snmp.sourceforge.net/) if you're just looking for other open source SNMP tools.

Looks like I'll have to check out JFFNMS :-)

Justin

On 10/10/07, SDamron [EMAIL PROTECTED] wrote:
> I am sure you can set up SNMP on it and monitor it with Nagios.
>
> On 10/10/07, Nicolas Kassis [EMAIL PROTECTED] wrote:
>> Does anyone know if there is some Nagios plugin for vyatta in particular or has anyone written some check code? I'm curious to see if someone has something already written to monitor Vyatta with Nagios.
>>
>> Nic
>
> --
> No one can build his security upon the nobleness of another person.
Re: [Vyatta-users] Dropped packets from users at their end
Yes, it's outside of the router, and something to debug on the web server. From http://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html#sec10.3.3:

    10.3.3 302 Found

    The requested resource resides temporarily under a different URI. Since the redirection might be altered on occasion, the client SHOULD continue to use the Request-URI for future requests. This response is only cacheable if indicated by a Cache-Control or Expires header field.

    The temporary URI SHOULD be given by the Location field in the response. Unless the request method was HEAD, the entity of the response SHOULD contain a short hypertext note with a hyperlink to the new URI(s).

I'd see if the log file on the web server gives you more information.

Justin

On 10/9/07, Daren Tay [EMAIL PROTECTED] wrote:
> Hi guys,
>
> I am using Vyatta router for my web servers and recently, some users are complaining their connection to the web servers is getting cut off. I don't think it's the router's fault, but I need to verify.
>
> Apparently they did a check on their proxy end and it seems to spew the following:
>
>     HTTP/1.1 302 Object moved
>     Location: http://domain.com/
>     Connection: closed
>
> Also, they did a packet capture on their proxy and they noticed that the connection was reset by the web server with the above message at times.
>
> How should I go about resolving this? What does the 302 mean?
>
> Thanks!
Re: [Vyatta-users] Logging
By default, all major issues are logged at warning level or above. If you want to log everything, you can enable it in config mode:

    set system syslog global facility * level debug

I'll sometimes track this using the root shell when I'm debugging a problem:

    tail -f /var/log/messages

Justin

On 10/9/07, Daren Tay [EMAIL PROTECTED] wrote:
> Hi there, thanks for the kind pointers.
>
> So if I want to use the default log (which I can view using show log) what options should I use?
>
> Daren
>
> -----Original Message-----
> From: Justin Fletcher [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, 09 October 2007 11:45
> To: Daren Tay
> Cc: vyatta-users@mailman.vyatta.com
> Subject: Re: [Vyatta-users] Logging
>
> show log is also run outside of config mode -- You can run any command in config mode by putting run in front of it, as in run show log or run show interfaces.
>
> If you want to watch traffic, tshark is available from the root shell. Once you've logged in as root, try
>
>     tshark -i eth0 -n port 80
>
> (assuming you want to monitor interface eth0). This will let you see all your web traffic. A lot of TCP retransmissions would be a sign of dropped packets somewhere along the path.
>
> Personally, I monitor the router with MRTG from http://oss.oetiker.ch/mrtg/ . Others prefer other monitoring tools, such as Cacti (http://www.cacti.net/).
>
> Justin
>
> On 10/8/07, Daren Tay [EMAIL PROTECTED] wrote:
>> Ahh.. I have to do show interfaces outside of config mode to see it... but is there any way to monitor http traffic only?
>>
>> Also, show log gives me this:
>>
>>     ERROR: cannot show log because it doesn't exist.
>>     [edit]
>>
>> I missed something?
>>
>> Daren
>>
>> -----Original Message-----
>> From: Justin Fletcher [mailto:[EMAIL PROTECTED]
>> Sent: Tuesday, 09 October 2007 10:49
>> To: Daren Tay
>> Cc: vyatta-users@mailman.vyatta.com
>> Subject: Re: [Vyatta-users] Logging
>>
>> Easiest way is with a show interfaces - it'll give you packet statistics. By default, the system logs at warning level, so any major issues will be visible using show log.
>>
>> Justin
>>
>> On 10/8/07, Daren Tay [EMAIL PROTECTED] wrote:
>>> Hi guys,
>>>
>>> I have been having problems with my web servers behind a vyatta router. I am thinking of trying to check if vyatta is dropping packets.. what should I do to find out?
>>>
>>> Also.. I realise under System, there's no logging. What's the minimal logging I should use to get useful information without overloading the system?
>>>
>>> Thanks!
>>> Daren
Re: [Vyatta-users] Main Vyatta web Page mysteriously gone and no login prompt
It's a recent discovery tracked in the Bugzilla database. In the next release, the installation script checks for it, and ensures that you can't do that.

Justin

On 10/8/07, Scott Pickles [EMAIL PROTECTED] wrote:
> I agree with Jeff. I too installed Vyatta using the default prompts. If you are aware of the fact that installing root and config on the same partitions is an issue, why not either put a disclaimer in the documentation, the setup, or both?
>
> Regards,
> Scott
>
> On 10/8/07, Jeff [EMAIL PROTECTED] wrote:
>> Mysteriously sometime between Thursday afternoon and Monday morning the vyatta main webpage is gone and I see the lighttpd placeholder page, nor is it prompting to allow the connection as it did before, and I do not know why..???
>>
>> Things were all there Thursday afternoon.. I have not rebooted vyatta, and vyatta seems to be running ok.
>>
>> Anyone with any ideas?
>>
>> Jeff
Re: [Vyatta-users] Logging
Easiest way is with a show interfaces - it'll give you packet statistics. By default, the system logs at warning level, so any major issues will be visible using show log.

Justin

On 10/8/07, Daren Tay [EMAIL PROTECTED] wrote:
> Hi guys,
>
> I have been having problems with my web servers behind a vyatta router. I am thinking of trying to check if vyatta is dropping packets.. what should I do to find out?
>
> Also.. I realise under System, there's no logging. What's the minimal logging I should use to get useful information without overloading the system?
>
> Thanks!
> Daren
Re: [Vyatta-users] Logging
show log is also run outside of config mode -- You can run any command in config mode by putting run in front of it, as in run show log or run show interfaces.

If you want to watch traffic, tshark is available from the root shell. Once you've logged in as root, try

    tshark -i eth0 -n port 80

(assuming you want to monitor interface eth0). This will let you see all your web traffic. A lot of TCP retransmissions would be a sign of dropped packets somewhere along the path.

Personally, I monitor the router with MRTG from http://oss.oetiker.ch/mrtg/ . Others prefer other monitoring tools, such as Cacti (http://www.cacti.net/).

Justin

On 10/8/07, Daren Tay [EMAIL PROTECTED] wrote:
> Ahh.. I have to do show interfaces outside of config mode to see it... but is there any way to monitor http traffic only?
>
> Also, show log gives me this:
>
>     ERROR: cannot show log because it doesn't exist.
>     [edit]
>
> I missed something?
>
> Daren
>
> -----Original Message-----
> From: Justin Fletcher [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, 09 October 2007 10:49
> To: Daren Tay
> Cc: vyatta-users@mailman.vyatta.com
> Subject: Re: [Vyatta-users] Logging
>
> Easiest way is with a show interfaces - it'll give you packet statistics. By default, the system logs at warning level, so any major issues will be visible using show log.
>
> Justin
>
> On 10/8/07, Daren Tay [EMAIL PROTECTED] wrote:
>> Hi guys,
>>
>> I have been having problems with my web servers behind a vyatta router. I am thinking of trying to check if vyatta is dropping packets.. what should I do to find out?
>>
>> Also.. I realise under System, there's no logging. What's the minimal logging I should use to get useful information without overloading the system?
>>
>> Thanks!
>> Daren
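Justin's tshark suggestion here (and the same advice quoted in the earlier Logging reply above) says "a lot of TCP retransmissions" points at loss on the path. As an added example that is not from the thread or from Vyatta, this Python script turns that eyeballing into a per-flow retransmission ratio over the one-line-per-packet summary tshark prints; the SAMPLE lines are constructed for the example, and the column layout they use (frame, time, src -> dst, proto, length, info) is an assumption since it varies between tshark versions.

```python
"""Count TCP retransmissions per flow in tshark's one-line summary output.

Added example, not from the mailing-list thread. SAMPLE is constructed
traffic, not a real capture; the column layout is assumed and may need
adjusting for a different tshark version.
"""
import re
from collections import defaultdict

# Assumed summary layout: frame no., time, src, "->", dst, "TCP", length,
# then the info column ("51000 > 80 [ACK] ..." or "[TCP Retransmission] ...").
LINE_RE = re.compile(
    r"^\s*\d+\s+[\d.]+\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s+TCP\s+\d+\s+"
    r"(?P<info>.*)$")
PORTS_RE = re.compile(r"(?P<sport>\d+)\s*>\s*(?P<dport>\d+)")

# Constructed sample: one client that needs two retransmissions to get its
# request through, and a second client whose handshake is clean.
SAMPLE = """\
  1 0.000000 192.0.2.10 -> 198.51.100.5 TCP 74 51000 > 80 [SYN] Seq=0 Win=5840 Len=0
  2 0.020000 198.51.100.5 -> 192.0.2.10 TCP 74 80 > 51000 [SYN, ACK] Seq=0 Ack=1 Win=5792 Len=0
  3 0.020100 192.0.2.10 -> 198.51.100.5 TCP 66 51000 > 80 [ACK] Seq=1 Ack=1 Win=5840 Len=0
  4 0.020500 192.0.2.10 -> 198.51.100.5 TCP 300 51000 > 80 [PSH, ACK] Seq=1 Ack=1 Win=5840 Len=234
  5 0.230000 192.0.2.10 -> 198.51.100.5 TCP 300 [TCP Retransmission] 51000 > 80 [PSH, ACK] Seq=1 Ack=1 Win=5840 Len=234
  6 0.650000 192.0.2.10 -> 198.51.100.5 TCP 300 [TCP Retransmission] 51000 > 80 [PSH, ACK] Seq=1 Ack=1 Win=5840 Len=234
  7 0.700000 198.51.100.5 -> 192.0.2.10 TCP 66 80 > 51000 [ACK] Seq=1 Ack=235 Win=6432 Len=0
  8 1.000000 192.0.2.11 -> 198.51.100.5 TCP 74 52000 > 80 [SYN] Seq=0 Win=5840 Len=0
  9 1.020000 198.51.100.5 -> 192.0.2.11 TCP 74 80 > 52000 [SYN, ACK] Seq=0 Ack=1 Win=5792 Len=0
 10 1.020100 192.0.2.11 -> 198.51.100.5 TCP 66 52000 > 80 [ACK] Seq=1 Ack=1 Win=5840 Len=0
"""


def flow_stats(text):
    """Map a direction-less flow key ((ip, port), (ip, port)) to packet and
    retransmission counts, so both halves of a connection are counted."""
    stats = defaultdict(lambda: {"packets": 0, "retrans": 0})
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                      # not a TCP summary line
        ports = PORTS_RE.search(m["info"])
        if not ports:
            continue
        a = (m["src"], ports["sport"])
        b = (m["dst"], ports["dport"])
        key = tuple(sorted((a, b)))       # same key in either direction
        stats[key]["packets"] += 1
        if "[TCP Retransmission]" in m["info"]:
            stats[key]["retrans"] += 1
    return dict(stats)


def lossy_flows(text, threshold=0.05):
    """Return (flow, ratio) for flows whose retransmission ratio exceeds
    threshold, worst first; a few percent is normal, much more suggests
    loss somewhere on the path rather than on the web server itself."""
    out = []
    for key, s in flow_stats(text).items():
        ratio = s["retrans"] / s["packets"]
        if ratio > threshold:
            out.append((key, ratio))
    return sorted(out, key=lambda kv: kv[1], reverse=True)


if __name__ == "__main__":
    for flow, ratio in lossy_flows(SAMPLE):
        print(f"{flow[0][0]}:{flow[0][1]} <-> {flow[1][0]}:{flow[1][1]} "
              f"retransmission ratio {ratio:.0%}")
```

On a live box the same functions can be fed the text captured from the tshark command above instead of SAMPLE.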
Re: [Vyatta-users] Hard drive errors?
Yes, sounds like HD errors - I've installed this on systems without DMA, and there's just a DMA error or two on bootup.

Before you give up on your disk, run fsck (file system check) from the root shell - it might be able to find and fix a few errors for you.

Best,
Justin

On 10/6/07, Scott Pickles [EMAIL PROTECTED] wrote:
> All,
>
> I recently installed Vyatta on an old laptop. Installation went fine, but when I run the router I get the following errors:
>
> 1. When I 'commit' changes, I receive the error no DRQ received after MULTIWRITE
> 2. I am seeing what appear to be hard drive errors such as EXT3-fs error on hda1
>
> Sounds like just a bad HDD, right? Or is it perhaps something to do with DMA?
>
> Regards,
> Scott
Re: [Vyatta-users] Simple bridge configuration keeps rtrmgr from starting
Any errors in /var/log/messages? If the router manager is running, show log will give you this information.

Justin

On 9/27/07, Art Perkins [EMAIL PROTECTED] wrote:
> I have set up a basic bridge.
>
> Built on: Wed Aug 22 00:18:00 UTC 2007
> Build ID: 87b62b7-1a45b2b-518c9cc-a9aa9f8-4c29b36-2ce9322-200708220018
>
>     set interfaces bridge br0
>     commit
>     set interfaces ethernet eth0 bridge-group bridge br0
>     set interfaces ethernet eth1 bridge-group bridge br0
>     commit
>     save config.boot
>
> The bridge comes up no problem, however when I reboot, and attempt to get back into the CLI, I get the following:
>
>     vyatta:~# xorpsh
>     Waiting for xorp_rtrmgr...
>
> after a minute, it goes back to shell prompt. If I stop/start vyatta-rtrmgr, it starts ok but I have the same issue. To correct it I have to cp the config.boot.default and then restart rtrmgr.
>
> TIA
> Art Perkins
Re: [Vyatta-users] vyatta login
Do you have other hardware you could try the CD on? It's likely to be something specific with that particular system, or it's possible there's a problem that occurred when the CD itself was created.

Thanks,
Justin

On 9/21/07, silvertip257 [EMAIL PROTECTED] wrote:
> Marat,
>
> Here are the results. I have not been able to configure anything yet, so there isn't anything in the /opt/vyatta/config/ directory.
>
> Upon executing this cmd: 'ps - ef | grep rtrmgr', I received this output, verifying that an instance of rtrmgr is running -
>
>     root 4871 4827 0 15:47 tty1 00:00:00 grep rtrmgr
>
> Attached is the /var/log/messages log file and another updated one, from after I tried to run xorpsh as outlined in ebele okwuosa and Michael Larson's conversation about login difficulties with v2.2.
>
> Hope this is of some help and a solution can be arrived at.
>
> Thanks,
> Mike
>
> On 9/21/07, Marat Nepomnyashy [EMAIL PROTECTED] wrote:
>> Hi Mike,
>>
>> The vyatta user login credentials are initialized by rtrmgr based on the information in the configuration file. The rtrmgr may have crashed before it would have initialized the login credentials.
>>
>> To test this hypothesis, log in as root/vyatta, and do 'ps - ef | grep rtrmgr'. If the rtrmgr did crash, take a look in '/var/log/messages' for its error message. Most likely it did not like something in the configuration file.
>>
>> If you can, please send your configuration file as an attachment; also send '/var/log/messages'.
>>
>> -- Marat
>>
>> ----- Original Message -----
>> From: silvertip257
>> To: vyatta-users@mailman.vyatta.com
>> Sent: Friday, September 21, 2007 12:15 PM
>> Subject: [Vyatta-users] vyatta login
>>
>> I know this will seem to be a rather stupid post, but I cannot seem to get into my vyatta after booting Live from CD. I've got both the VC2 and 2.2 versions on livecd and have not changed a thing - I'm booting Live. My main goal is to use Camarillo (2.2) so I'm as up-to-date as possible.
>>
>> I type vyatta and vyatta for username and password, respectively. I get Login Incorrect. Despite that user, root and vyatta for username and password work fine.
>>
>> I've watched the screencast on the vyatta site, so I'm not missing anything that I need to know. I also have all the user/help manuals for vyatta, so I have resources and did my homework.
>>
>> Please help me out, as I've finally eliminated the hardware issues I had before.
>>
>> Thanks,
>> Mike
>
> --
> // Silvertip257 //
> == Xubuntu 7.04 (Feisty Fawn) --- Linux for human beings. ( http://www.xubuntu.org/ )
> ~~ Helix --- Don't leave /home without it. (http://www.efense.com/helix/ )
Re: [Vyatta-users] vyatta login
Thanks! The logs help, and show that the router manager failed to start up, apparently due to an issue with your ethernet card. Since the router manager didn't start, you'll be unable to log in as user vyatta, as it expects to communicate with the router manager.

Unfortunately, it's not clear what the issue was; the commands dmesg and lspci may provide diagnostic information. I'm not a kernel or hardware expert, but if you attach the output of the commands, I know that there are experts on the list :-)

Best,
Justin

On 9/22/07, silvertip257 [EMAIL PROTECTED] wrote:
> Justin, sure -- didn't I attach my /var/log/messages to the email I sent to the list? ah well, here they are anyhow. Also like I told Marat, I was just trying to boot from my livecd, so I had no configuration any different than would be customary for the live environment.
>
> These are the whole thing/files: var_log_mesg.txt is the /var/log/messages file right after the livecd booted. v_l_msg_updt.txt is the /var/log/messages file after I tried to run xorpsh as root user.
>
> For just the last entry or so of v_l_msg_updt.txt (AFTER trying to use 'xorpsh'), here it is:
>
>     /home/autobuild/builds/master/2007-08-23-1113/ofr/xorp/xorp/rtrmgr/xorpsh_main.cc wait_for_xrl_router_ready ] XrlRouter failed. No Finder?
>     Sep 21 15:52:07 vyatta xorpsh: [ 2007/09/21 15:52:07 ERROR xorpsh:4891 RTRMGR +890 /home/autobuild/builds/master/2007-08-23-1113/ofr/xorp/xorp/rtrmgr/xorpsh_main.cc main ] xorpsh exiting due to an init error: Failed to connect to the router manager
>     Sep 21 15:52:30 vyatta login[4894]: (pam_unix) check pass; user unknown
>
> Here's part of the file var_log_mesg.txt (BEFORE I started doing various things to get the xorp shell running):
>
>     Failed 10 times to connect to finder.sock: No such file or directory
>     Sep 21 15:00:36 vyatta login[4764]: (pam_unix) check pass; user unknown
>     Sep 21 15:00:55 vyatta login[4764]: (pam_unix) check pass; user unknown
>     Sep 21 15:03:49 vyatta login[4788]: (pam_unix) check pass; user unknown
>     Sep 21 15:04:04 vyatta login[4788]: (pam_unix) check pass; user unknown
>     Sep 21 15:05:45 vyatta login[4802]: (pam_unix) check pass; user unknown
>     Sep 21 15:05:51 vyatta login[4802]: (pam_unix) check pass; user unknown
>
> Hopefully this helps.
>
> Thanks for your interest,
> Mike
>
> On 9/21/07, Justin Fletcher [EMAIL PROTECTED] wrote:
>> Well, piffle. If xorpsh didn't start the CLI, that tends to indicate that there are other problems. Can you cut and paste the last log entries when you get a chance, and post it to the list as well?
>>
>> Best,
>> Justin
>>
>> On 9/21/07, silvertip257 [EMAIL PROTECTED] wrote:
>>> Justin,
>>>
>>> I tried xorpsh and it didn't seem to get me anywhere. When I took a look at /var/log/messages again after running that cmd, I think there was another error message logged to the file. I'll have to check on that later. But vyatta/vyatta isn't getting me into the LiveCD system.
>>>
>>> Time to go to work, but I'll update this as I find something new.
>>>
>>> Thanks,
>>> Mike
>>>
>>> On 9/21/07, Justin Fletcher [EMAIL PROTECTED] wrote:
>>>> vyatta/vyatta should certainly be correct. Since you can log in as root/vyatta, just run xorpsh as root; it'll put you in the Vyatta CLI.
>>>>
>>>> As Marat pointed out, there may be useful information in /var/log/messages, or show log from the CLI, to help solve the issues logging in as vyatta.
>>>>
>>>> Best,
>>>> Justin
>>>>
>>>> On 9/21/07, silvertip257 [EMAIL PROTECTED] wrote:
>>>>> I know this will seem to be a rather stupid post, but I cannot seem to get into my vyatta after booting Live from CD. I've got both the VC2 and 2.2 versions on livecd and have not changed a thing - I'm booting Live. My main goal is to use Camarillo (2.2) so I'm as up-to-date as possible.
>>>>>
>>>>> I type vyatta and vyatta for username and password, respectively. I get Login Incorrect. Despite that user, root and vyatta for username and password work fine.
>>>>>
>>>>> I've watched the screencast on the vyatta site, so I'm not missing anything that I need to know. I also have all the user/help manuals for vyatta, so I have resources and did my homework.
>>>>>
>>>>> Please help me out, as I've finally eliminated the hardware issues I had before.
>>>>>
>>>>> Thanks,
>>>>> Mike
>>>>>
>>>>> --
>>>>> // Silvertip257 //
>>>>> == Xubuntu 7.04 (Feisty Fawn) --- Linux for human beings. ( http://www.xubuntu.org/)
>>>>> ~~ Helix --- Don't leave /home without it. (http://www.efense.com/helix/)
Re: [Vyatta-users] Question about VPN's
There should be no required configuration on the Vyatta; from the point of view of the router, it's just packets. The VPN will need to be configured to support NAT traversal, of course, as it looks like you're using NAT.

Dropped VPN connections are not likely to be an issue with the Vyatta router, unless there are packet loss issues. In both cases, things can be fine in the morning, until enough other users log on and either the traffic or the license limits are reached :-)

Best,
Justin

On 8/23/07, Dan Darden [EMAIL PROTECTED] wrote:
> Dear List:
>
> I am a new Vyatta user. We have it working fairly well and it ROCKS... However just one question..
>
> I have a user that is trying to connect to his company's VPN through our network. We do not want to set up a VPN of any kind, rather just be able to allow pass-through traffic. What is the fastest, easiest way to handle this? We are thinking it is the Sep VPN Nat Traversal command. Is this correct?
>
> Also, to complicate matters, (or to ask another question), our router is currently configured to use NAT to pass all packets from inside to outside and vice versa. We have no firewall and no ports are being blocked. Yet this same user is saying that his VPN connection works sometimes. Like an hour in the morning and then not at all after that. If our configuration has stayed the same, and he can connect to his VPN at any point, then would the Vyatta config even be causing the problem or would we need to look somewhere else? His company tells him that it is not on their end, and you know the drill. We are hoping to be able to say it is not on ours as well, but those games are never very fun for the users.
>
> Any thoughts?
>
> Thanks,
> Dan Darden.