WLAN/WIFI - Wireless LAN

WLAN interfaces provide 802.11 (a/b/g/n/ac) wireless support (commonly referred to as Wi-Fi) by means of compatible hardware. If your hardware supports it, VyOS supports multiple logical wireless interfaces per physical device.

There are three modes of operation for a wireless interface:

  • WAP provides network access to connecting stations if the physical hardware supports acting as a WAP

  • A station acts as a Wi-Fi client accessing the network through an available WAP

  • Monitor, the system passively monitors any kind of wireless traffic

If the system detects an unconfigured wireless device, it will be automatically added to the configuration tree, specifying any detected settings (for example, its MAC address), and configured to run in monitor mode.

Configuration

Common interface configuration

set interfaces wireless <interface> address <address | dhcp | dhcpv6>

Configure interface <interface> with one or more interface addresses.

  • address can be specified multiple times as IPv4 and/or IPv6 address, e.g. 192.0.2.1/24 and/or 2001:db8::1/64

  • dhcp interface address is received by DHCP from a DHCP server on this segment.

  • dhcpv6 interface address is received by DHCPv6 from a DHCPv6 server on this segment.

Note

When using DHCP to retrieve an IPv4 address, local customizations can be made with the enter and exit hooks provided. The hook directories are:

  • /config/scripts/dhcp-client/pre-hooks.d/

  • /config/scripts/dhcp-client/post-hooks.d/

Example:

set interfaces wireless wlan0 address 192.0.2.1/24
set interfaces wireless wlan0 address 2001:db8::1/64
set interfaces wireless wlan0 address dhcp
set interfaces wireless wlan0 address dhcpv6

set interfaces wireless <interface> description <description>

Set a human readable, descriptive alias for this connection. The alias is used by, e.g., the show interfaces command or SNMP based monitoring tools.

Example:

set interfaces wireless wlan0 description 'This is an awesome interface running on VyOS'

set interfaces wireless <interface> disable

Disable given <interface>. It will be placed in administratively down (A/D) state.

Example:

set interfaces wireless wlan0 disable

set interfaces wireless <interface> disable-flow-control

Ethernet flow control is a mechanism for temporarily stopping the transmission of data on Ethernet family computer networks. The goal of this mechanism is to ensure zero packet loss in the presence of network congestion.

The first flow control mechanism, the pause frame, was defined by the IEEE 802.3x standard.

A sending station (computer or network switch) may be transmitting data faster than the other end of the link can accept it. Using flow control, the receiving station can signal the sender requesting suspension of transmissions until the receiver catches up.

Use this command to disable the generation of Ethernet flow control (pause frames).

Example:

set interfaces wireless wlan0 disable-flow-control

set interfaces wireless <interface> disable-link-detect

Use this command to direct an interface to not detect any physical state changes on a link, for example, when the cable is unplugged.

By default, physical link state changes are detected.

Example:

set interfaces wireless wlan0 disable-link-detect

set interfaces wireless <interface> mac <xx:xx:xx:xx:xx:xx>

Configure user defined MAC address on given <interface>.

Example:

set interfaces wireless wlan0 mac '00:01:02:03:04:05'

set interfaces wireless <interface> mtu <mtu>

Configure the MTU on the given <interface>. It is the size (in bytes) of the largest Ethernet frame sent on this link.

Example:

set interfaces wireless wlan0 mtu 1600

set interfaces wireless <interface> ip adjust-mss <mss | clamp-mss-to-pmtu>

As Internet wide PMTU discovery rarely works, we sometimes need to clamp our TCP MSS value to a specific value. This is a field in the TCP options part of a SYN packet. By setting the MSS value, you are telling the remote side unequivocally ‘do not try to send me packets bigger than this value’.

Note

This command was introduced in VyOS 1.4 - it was previously called: set firewall options interface <name> adjust-mss <value>

Hint

MSS value = MTU - 20 (IP header) - 20 (TCP header), resulting in 1452 bytes on a 1492 byte MTU.

Instead of a numerical MSS value, clamp-mss-to-pmtu can be used to automatically set the proper value.

set interfaces wireless <interface> ip arp-cache-timeout

Once a neighbor has been found, the entry is considered valid for at least this specific time. An entry's validity will be extended if it receives positive feedback from higher level protocols.

This defaults to 30 seconds.

Example:

set interfaces wireless wlan0 ip arp-cache-timeout 180

set interfaces wireless <interface> ip disable-arp-filter

If set, the kernel can respond to ARP requests with addresses from other interfaces. This may seem wrong, but it usually makes sense, because it increases the chance of successful communication: on Linux, IP addresses are owned by the complete host, not by particular interfaces. Only in more complex setups like load-balancing does this behaviour cause problems.

If not set (the default), you can have multiple network interfaces on the same subnet and have the ARPs for each interface be answered based on whether or not the kernel would route a packet from the ARP'd IP out that interface (therefore you must use source based routing for this to work).

In other words, it allows control of which cards (usually 1) will respond to an ARP request.

Example:

set interfaces wireless wlan0 ip disable-arp-filter

set interfaces wireless <interface> ip disable-forwarding

Configure interface-specific Host/Router behaviour. If set, the interface will switch to host mode and IPv6 forwarding will be disabled on this interface.

set interfaces wireless wlan0 ip disable-forwarding

set interfaces wireless <interface> ip enable-directed-broadcast

Define different modes for IP directed broadcast forwarding as described in RFC 1812 and RFC 2644.

If configured, incoming IP directed broadcast packets on this interface will be forwarded.

If this option is unset (default), incoming IP directed broadcast packets will not be forwarded.

set interfaces wireless wlan0 ip enable-directed-broadcast

set interfaces wireless <interface> ip enable-arp-accept

Define the behavior for gratuitous ARP frames whose IP is not already present in the ARP table. If configured, create new entries in the ARP table.

Both gratuitous ARP replies and requests will trigger the ARP table to be updated if this setting is on.

If the ARP table already contains the IP address of the gratuitous ARP frame, the ARP table will be updated regardless of whether this setting is on or off.

set interfaces wireless wlan0 ip enable-arp-accept

set interfaces wireless <interface> ip enable-arp-announce

Define different restriction levels for announcing the local source IP address from IP packets in ARP requests sent on interface.

Use any local address, configured on any interface if this is not set.

If configured, try to avoid local addresses that are not in the target’s subnet for this interface. This mode is useful when target hosts reachable via this interface require the source IP address in ARP requests to be part of their logical network configured on the receiving interface. When we generate the request we will check all our subnets that include the target IP and will preserve the source address if it is from such subnet. If there is no such subnet we select source address according to the rules for level 2.

set interfaces wireless wlan0 ip enable-arp-announce

set interfaces wireless <interface> ip enable-arp-ignore

Define different modes for sending replies in response to received ARP requests that resolve local target IP addresses:

If configured, reply only if the target IP address is a local address configured on the incoming interface.

If this option is unset (default), reply for any local target IP address, configured on any interface.

set interfaces wireless wlan0 ip enable-arp-ignore

set interfaces wireless <interface> ip enable-proxy-arp

Use this command to enable proxy Address Resolution Protocol (ARP) on this interface. Proxy ARP allows an Ethernet interface to respond with its own MAC address to ARP requests for destination IP addresses on subnets attached to other interfaces on the system. Subsequent packets sent to those destination IP addresses are forwarded appropriately by the system.

Example:

set interfaces wireless wlan0 ip enable-proxy-arp

set interfaces wireless <interface> ip proxy-arp-pvlan

Private VLAN proxy ARP: allow proxy ARP replies back out the same interface from which the ARP request/solicitation was received.

This is done to support (ethernet) switch features, like RFC 3069, where the individual ports are NOT allowed to communicate with each other, but they are allowed to talk to the upstream router. As described in RFC 3069, it is possible to allow these hosts to communicate through the upstream router by proxy_arp’ing.

Note

Does not need to be used together with proxy_arp.

This technology is known by different names:

  • In RFC 3069 it is called VLAN Aggregation

  • Cisco and Allied Telesyn call it Private VLAN

  • Hewlett-Packard call it Source-Port filtering or port-isolation

  • Ericsson call it MAC-Forced Forwarding (RFC Draft)

set interfaces wireless <interface> ip source-validation <strict | loose | disable>

Enable policy for source validation by reverse path, as specified in RFC 3704. The current recommended practice in RFC 3704 is to enable strict mode to prevent IP spoofing in DDoS attacks. If using asymmetric routing or other complicated routing, loose mode is recommended.

  • strict: Each incoming packet is tested against the FIB and if the interface is not the best reverse path the packet check will fail. By default failed packets are discarded.

  • loose: Each incoming packet’s source address is also tested against the FIB and if the source address is not reachable via any interface the packet check will fail.

  • disable: No source validation

set interfaces wireless <interface> ipv6 address autoconf

SLAAC RFC 4862. IPv6 hosts can configure themselves automatically when connected to an IPv6 network using the Neighbor Discovery Protocol via ICMPv6 router discovery messages. When first connected to a network, a host sends a link-local router solicitation multicast request for its configuration parameters; routers respond to such a request with a router advertisement packet that contains Internet Layer configuration parameters.

Note

This method automatically disables IPv6 traffic forwarding on the interface in question.

Example:

set interfaces wireless wlan0 ipv6 address autoconf

set interfaces wireless <interface> ipv6 address eui64 <prefix>

EUI-64 as specified in RFC 4291 allows a host to assign itself a unique 64-bit IPv6 address.

Example:

set interfaces wireless wlan0 ipv6 address eui64 2001:db8:beef::/64

set interfaces wireless <interface> ipv6 address no-default-link-local

Do not assign a link-local IPv6 address to this interface.

Example:

set interfaces wireless wlan0 ipv6 address no-default-link-local

set interfaces wireless <interface> ipv6 disable-forwarding

Configure interface-specific Host/Router behaviour. If set, the interface will switch to host mode and IPv6 forwarding will be disabled on this interface.

Example:

set interfaces wireless wlan0 ipv6 disable-forwarding

set interfaces wireless <interface> ipv6 adjust-mss <mss | clamp-mss-to-pmtu>

As Internet wide PMTU discovery rarely works, we sometimes need to clamp our TCP MSS value to a specific value. This is a field in the TCP options part of a SYN packet. By setting the MSS value, you are telling the remote side unequivocally ‘do not try to send me packets bigger than this value’.

Note

This command was introduced in VyOS 1.4 - it was previously called: set firewall options interface <name> adjust-mss6 <value>

Hint

MSS value = MTU - 40 (IPv6 header) - 20 (TCP header), resulting in 1432 bytes on a 1492 byte MTU.

Instead of a numerical MSS value, clamp-mss-to-pmtu can be used to automatically set the proper value.

set interfaces wireless <interface> ipv6 accept-dad <1-3>

Whether to accept DAD (Duplicate Address Detection).

  • 0: Disable DAD

  • 1: Enable DAD (default)

  • 2: Enable DAD, and disable IPv6 operation if MAC-based duplicate link-local address has been found.

Example:

set interfaces wireless wlan0 ipv6 accept-dad 2

set interfaces wireless <interface> ipv6 dup-addr-detect-transmits <n>

The number of Duplicate Address Detection probes to send.

Default: 1

Example:

set interfaces wireless wlan0 ipv6 dup-addr-detect-transmits 5

set interfaces wireless <interface> vrf <vrf>

Place interface in given VRF instance.

See also

There is an entire chapter about how to configure a VRF; please check it for additional information.

Example:

set interfaces wireless wlan0 vrf red

DHCP(v6)

set interfaces wireless <interface> dhcp-options client-id <description>

RFC 2131 states: The client MAY choose to explicitly provide the identifier through the ‘client identifier’ option. If the client supplies a ‘client identifier’, the client MUST use the same ‘client identifier’ in all subsequent messages, and the server MUST use that identifier to identify the client.

Example:

set interfaces wireless wlan0 dhcp-options client-id 'foo-bar'

set interfaces wireless <interface> dhcp-options host-name <hostname>

Instead of sending the real system hostname to the DHCP server, overwrite the host-name with the given value.

Example:

set interfaces wireless wlan0 dhcp-options host-name 'VyOS'

set interfaces wireless <interface> dhcp-options vendor-class-id <vendor-id>

This option is used by some DHCP clients to identify the vendor type and possibly the configuration of a DHCP client. The information is a string of bytes whose contents are specific to the vendor and are not specified in a standard.

The vendor-class-id option can be used to request a specific class of vendor options from the server.

Example:

set interfaces wireless wlan0 dhcp-options vendor-class-id 'VyOS'

set interfaces wireless <interface> dhcp-options no-default-route

Only request an address from the DHCP server but do not request a default gateway.

Example:

set interfaces wireless wlan0 dhcp-options no-default-route

set interfaces wireless <interface> dhcp-options default-route-distance <distance>

Set the distance for the default gateway sent by the DHCP server.

Example:

set interfaces wireless wlan0 dhcp-options default-route-distance 220

set interfaces wireless <interface> dhcp-options reject <address>

Reject DHCP leases from a given address or range. This is useful when a modem gives a local IP when first starting.

  • address can be specified multiple times, e.g. 192.168.100.1 and/or 192.168.100.0/24

Example:

set interfaces wireless wlan0 dhcp-options reject 192.168.100.0/24

set interfaces wireless <interface> dhcp-options user-class <string>

This option is used by some DHCP clients as a way for users to specify identifying information to the client. This can be used in a similar way to the vendor-class-identifier option, but the value of the option is specified by the user, not the vendor.

Example:

set interfaces wireless wlan0 dhcp-options user-class VyOS

set interfaces wireless <interface> dhcpv6-options duid <duid>

The DHCP unique identifier (DUID) is used by a client to get an IP address from a DHCPv6 server. It has a 2-byte DUID type field, and a variable-length identifier field up to 128 bytes. Its actual length depends on its type. The server compares the DUID with its database and delivers configuration data (address, lease times, DNS servers, etc.) to the client.

set interfaces wireless wlan0 dhcpv6-options duid '0e:00:00:01:00:01:27:71:db:f0:00:50:56:bf:c5:6d'

set interfaces wireless <interface> dhcpv6-options no-release

When no-release is specified, dhcp6c will send a release message on client exit to prevent losing an assigned address or prefix.

set interfaces wireless wlan0 dhcpv6-options no-release

set interfaces wireless <interface> dhcpv6-options parameters-only

This statement specifies dhcp6c to only exchange informational configuration parameters with servers. A list of DNS server addresses is an example of such parameters. This statement is useful when the client does not need stateful configuration parameters such as IPv6 addresses or prefixes.

set interfaces wireless wlan0 dhcpv6-options parameters-only

set interfaces wireless <interface> dhcpv6-options rapid-commit

When rapid-commit is specified, dhcp6c will include a rapid-commit option in solicit messages and wait for an immediate reply instead of advertisements.

set interfaces wireless wlan0 dhcpv6-options rapid-commit

set interfaces wireless <interface> dhcpv6-options temporary

Request only a temporary address and do not form an IA_NA (Identity Association for Non-temporary Addresses) partnership.

set interfaces wireless wlan0 dhcpv6-options temporary

DHCPv6 Prefix Delegation (PD)

VyOS 1.3 (equuleus) supports DHCPv6-PD (RFC 3633). DHCPv6 Prefix Delegation is supported by most ISPs who provide native IPv6 for consumers on fixed networks.

set interfaces wireless <interface> dhcpv6-options pd <id> length <length>

Some ISPs by default only delegate a /64 prefix. To request a specific prefix size, use this option to request a bigger delegation for this pd <id>. The value is in the range 32 - 64, so you can request up to a /32 prefix (if your ISP allows this) down to a /64 delegation.

The default value is 64.

To request a /56 prefix from your ISP use:

set interfaces wireless wlan0 dhcpv6-options pd 0 length 56

set interfaces wireless <interface> dhcpv6-options pd <id> interface <delegatee> address <address>

Specify the interface address used locally on the interface where the prefix has been delegated to. ID must be a decimal integer.

It will be combined with the delegated prefix and the sla-id to form a complete interface address. The default is to use the EUI-64 address of the interface.

Example: Delegate a /64 prefix to interface eth8 which will use a local address on this router of <prefix>::ffff, as the address 65534 will correspond to ffff in hexadecimal notation.

set interfaces wireless wlan0 dhcpv6-options pd 0 interface eth8 address 65534

set interfaces wireless <interface> dhcpv6-options pd <id> interface <delegatee> sla-id <id>

Specify the identifier value of the site-level aggregator (SLA) on the interface. ID must be a decimal number greater than 0 which fits in the length of SLA IDs (see below).

Example: If ID is 1 and the client is delegated an IPv6 prefix 2001:db8:ffff::/48, dhcp6c will combine the two values into a single IPv6 prefix, 2001:db8:ffff:1::/64, and will configure the prefix on the specified interface.

set interfaces wireless wlan0 dhcpv6-options pd 0 interface eth8 sla-id 1
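The prefix and address arithmetic behind the last two commands, together with the EUI-64 derivation from the ipv6 address eui64 command above, as a small Python model added for this page (it is not VyOS or dhcp6c code). The /48 delegation, sla-id 1, the prefix 2001:db8:beef::/64 and the MAC 00:01:02:03:04:05 are the page's own values; the address id 65535 is a constructed value, and the decimal id is written straight into the interface identifier, so it yields ::ffff.

```python
import ipaddress


def eui64_interface_id(mac):
    """Modified EUI-64 interface identifier for a 48-bit MAC (RFC 4291, Appendix A).

    The OUI half and the device half are separated by 0xFFFE and the
    universal/local bit (0x02 of the first octet) is inverted.
    """
    octets = bytes(int(part, 16) for part in mac.split(":"))
    if len(octets) != 6:
        raise ValueError("MAC address must have exactly six octets")
    eui = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    eui[0] ^= 0x02
    return int.from_bytes(eui, "big")


def eui64_address(prefix, mac):
    """Address that 'ipv6 address eui64 <prefix>' assigns: the /64 prefix
    followed by the EUI-64 interface identifier."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("EUI-64 addressing needs a /64 prefix")
    return ipaddress.IPv6Address(int(net.network_address) | eui64_interface_id(mac))


def delegatee_prefix(delegated, sla_id):
    """Combine the prefix delegated by the ISP with the sla-id into the /64
    that dhcp6c configures on the delegatee interface.

    The SLA ID fills the bits between the delegated prefix length and /64,
    so a /48 delegation leaves 16 bits (1..65535) for it; a /64 delegation
    leaves none, which is why a larger delegation must be requested with
    'pd <id> length'.
    """
    net = ipaddress.IPv6Network(delegated)  # strict: host bits must be zero
    if not 32 <= net.prefixlen <= 64:
        raise ValueError("delegated prefix length must be between /32 and /64")
    sla_bits = 64 - net.prefixlen
    # The documentation requires an sla-id greater than 0 that fits the SLA field.
    if not 1 <= sla_id < (1 << sla_bits):
        raise ValueError(f"sla-id {sla_id} does not fit into {sla_bits} SLA bits")
    return ipaddress.IPv6Network((int(net.network_address) | (sla_id << 64), 64))


def delegatee_address(delegated, sla_id, address=None, mac=None):
    """Address configured on the delegatee interface.

    'address' is the decimal value from 'pd <id> interface <delegatee>
    address <n>' and is written into the low 64 bits as-is (65535 -> ::ffff).
    Without it, the EUI-64 identifier derived from the delegatee's MAC is
    used, matching the documented default.
    """
    sub = delegatee_prefix(delegated, sla_id)
    if address is not None:
        if not 1 <= address < (1 << 64):
            raise ValueError("address id must be between 1 and 2**64 - 1")
        iid = address
    elif mac is not None:
        iid = eui64_interface_id(mac)
    else:
        raise ValueError("either an address id or the delegatee MAC is required")
    return ipaddress.IPv6Address(int(sub.network_address) | iid)


if __name__ == "__main__":
    # Values from the page: the /48 delegation, sla-id 1, the MAC from the mac
    # example and the eui64 prefix; the address id 65535 is constructed.
    print(delegatee_prefix("2001:db8:ffff::/48", 1))
    print(delegatee_address("2001:db8:ffff::/48", 1, address=65535))
    print(delegatee_address("2001:db8:ffff::/48", 1, mac="00:01:02:03:04:05"))
    print(eui64_address("2001:db8:beef::/64", "00:01:02:03:04:05"))
```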

Wireless options

set interfaces wireless <interface> channel <number>

Channel number (IEEE 802.11). For 2.4 GHz (802.11 b/g/n) the channels range from 1 to 14. On 5 GHz (802.11 a/h/j/n/ac) the available channels are 0 and 34 to 173.

set interfaces wireless <interface> country-code <cc>

Country code (ISO/IEC 3166-1). Used to set regulatory domain. Set as needed to indicate country in which device is operating. This can limit available channels and transmit power.

Note

This option is mandatory in Access-Point mode.

set interfaces wireless <interface> disable-broadcast-ssid

Send empty SSID in beacons and ignore probe request frames that do not specify full SSID, i.e., require stations to know SSID.

set interfaces wireless <interface> expunge-failing-stations

Disassociate stations based on excessive transmission failures or other indications of connection loss.

This depends on the driver capabilities and may not be available with all drivers.

set interfaces wireless <interface> isolate-stations

Client isolation can be used to prevent low-level bridging of frames between associated stations in the BSS.

By default, this bridging is allowed.

set interfaces wireless <interface> max-stations

Maximum number of stations allowed in station table. New stations will be rejected after the station table is full. IEEE 802.11 has a limit of 2007 different association IDs, so this number should not be larger than that.

This defaults to 2007.

set interfaces wireless <interface> mgmt-frame-protection

Management Frame Protection (MFP) according to IEEE 802.11w.

set interfaces wireless <interface> mode <a | b | g | n | ac>

Operation mode of wireless radio.

  • a - 802.11a - 54 Mbits/sec

  • b - 802.11b - 11 Mbits/sec

  • g - 802.11g - 54 Mbits/sec (default)

  • n - 802.11n - 600 Mbits/sec

  • ac - 802.11ac - 1300 Mbits/sec

set interfaces wireless <interface> physical-device <device>

Wireless hardware device used as underlay radio.

This defaults to phy0.

set interfaces wireless <interface> reduce-transmit-power <number>

Add Power Constraint element to Beacon and Probe Response frames.

This option adds the Power Constraint element when applicable, i.e., when the Country element is also added. The Power Constraint element is required by Transmit Power Control.

Valid values are 0..255.

set interfaces wireless <interface> ssid <ssid>

SSID to be used in IEEE 802.11 management frames.

set interfaces wireless <interface> type <access-point | station | monitor>

Wireless device type for this interface

  • access-point - Access-point forwards packets between other nodes

  • station - Connects to another access point

  • monitor - Passively monitor all packets on the frequency/channel

set interfaces wireless <interface> per-client-thread

Provides a per-device control to enable/disable the threaded mode for all the NAPI instances of the given network device, without the need for a device up/down.

If this CLI option is not specified, the feature is disabled.

Example:

set interfaces wireless wlan0 per-client-thread

PPDU

set interfaces wireless <interface> capabilities require-ht

set interfaces wireless <interface> capabilities require-vht

HT (High Throughput) capabilities (802.11n)

set interfaces wireless <interface> capabilities ht 40mhz-incapable

Device is incapable of 40 MHz, do not advertise. This sets [40-INTOLERANT]

set interfaces wireless <interface> capabilities ht auto-powersave

WMM-PS Unscheduled Automatic Power Save Delivery [U-APSD]

set interfaces wireless <interface> capabilities ht channel-set-width <ht20 | ht40+ | ht40->

Supported channel width set.

  • ht40- - Both 20 MHz and 40 MHz with secondary channel below the primary channel

  • ht40+ - Both 20 MHz and 40 MHz with secondary channel above the primary channel

Note

There are limits on which channels can be used with HT40- and HT40+. The following table shows the channels that may be available for HT40- and HT40+ use per IEEE 802.11n Annex J:

Depending on the location, not all of these channels may be available for use!

Band      HT40-          HT40+
2.4 GHz   5-13           1-7 (1-9 in Europe/Japan)
5 GHz     40,48,56,64    36,44,52,60

Note

40 MHz channels may switch their primary and secondary channels if needed, or creation of a 40 MHz channel may be rejected based on overlapping BSSes. These changes are done automatically when hostapd is setting up the 40 MHz channel.

set interfaces wireless <interface> capabilities ht delayed-block-ack

Enable HT-delayed Block Ack [DELAYED-BA]

set interfaces wireless <interface> capabilities ht dsss-cck-40

DSSS/CCK Mode in 40 MHz, this sets [DSSS_CCK-40]

set interfaces wireless <interface> capabilities ht greenfield

This enables the greenfield option which sets the [GF] option

set interfaces wireless <interface> capabilities ht ldpc

Enable LDPC coding capability

set interfaces wireless <interface> capabilities ht lsig-protection

Enable L-SIG TXOP protection capability

set interfaces wireless <interface> capabilities ht max-amsdu <3839 | 7935>

Maximum A-MSDU length 3839 (default) or 7935 octets

set interfaces wireless <interface> capabilities ht short-gi <20 | 40>

Short GI capabilities for 20 and 40 MHz

set interfaces wireless <interface> capabilities ht smps <static | dynamic>

Spatial Multiplexing Power Save (SMPS) settings

set interfaces wireless <interface> capabilities ht stbc rx <num>

Enable receiving PPDU using STBC (Space Time Block Coding)

set interfaces wireless <interface> capabilities ht stbc tx

Enable sending PPDU using STBC (Space Time Block Coding)

VHT (Very High Throughput) capabilities (802.11ac)

set interfaces wireless <interface> capabilities vht antenna-count

Number of antennas on this card

set interfaces wireless <interface> capabilities vht antenna-pattern-fixed

Set if antenna pattern does not change during the lifetime of an association

set interfaces wireless <interface> capabilities vht beamform <single-user-beamformer | single-user-beamformee | multi-user-beamformer | multi-user-beamformee>

Beamforming capabilities:

  • single-user-beamformer - Support for operation as single user beamformer

  • single-user-beamformee - Support for operation as single user beamformee

  • multi-user-beamformer - Support for operation as multi user beamformer

  • multi-user-beamformee - Support for operation as multi user beamformee

set interfaces wireless <interface> capabilities vht center-channel-freq <freq-1 | freq-2> <number>

VHT operating channel center frequency - center freq 1 (for use with 80, 80+80 and 160 modes)

VHT operating channel center frequency - center freq 2 (for use with the 80+80 mode)

<number> must be from 34 - 173. For 80 MHz channels it should be channel + 6.

set interfaces wireless <interface> capabilities vht channel-set-width <0 | 1 | 2 | 3>

  • 0 - 20 or 40 MHz channel width (default)

  • 1 - 80 MHz channel width

  • 2 - 160 MHz channel width

  • 3 - 80+80 MHz channel width

set interfaces wireless <interface> capabilities vht ldpc

Enable LDPC (Low Density Parity Check) coding capability

set interfaces wireless <interface> capabilities vht link-adaptation

VHT link adaptation capabilities

set interfaces wireless <interface> capabilities vht max-mpdu <value>

Increase Maximum MPDU length to 7991 or 11454 octets (default 3895 octets)

set interfaces wireless <interface> capabilities vht max-mpdu-exp <value>

Set the maximum length of A-MPDU pre-EOF padding that the station can receive

set interfaces wireless <interface> capabilities vht short-gi <80 | 160>

Short GI capabilities

set interfaces wireless <interface> capabilities vht stbc rx <num>

Enable receiving PPDU using STBC (Space Time Block Coding)

set interfaces wireless <interface> capabilities vht stbc tx

Enable sending PPDU using STBC (Space Time Block Coding)

set interfaces wireless <interface> capabilities vht tx-powersave

Enable VHT TXOP Power Save Mode

set interfaces wireless <interface> capabilities vht vht-cf

Station supports receiving VHT variant HT Control field

Wireless options (Station/Client)

The example creates a wireless station (commonly referred to as Wi-Fi client) that accesses the network through the WAP defined in the above example. The default physical device (phy0) is used.

set interfaces wireless wlan0 type station
set interfaces wireless wlan0 address dhcp
set interfaces wireless wlan0 country-code de
set interfaces wireless wlan0 ssid Test
set interfaces wireless wlan0 security wpa passphrase '12345678'

Resulting in

interfaces {
  [...]
  wireless wlan0 {
    address dhcp
    country-code de
    security {
      wpa {
        passphrase "12345678"
      }
    }
    ssid TEST
    type station
  }
}

Security

WPA and WPA2 Enterprise in combination with 802.1x based authentication can be used to authenticate users or computers in a domain.

The wireless client (supplicant) authenticates against the RADIUS server (authentication server) using an EAP method configured on the RADIUS server. The role of the WAP (also referred to as the authenticator) is to relay all authentication messages between the supplicant and the configured authentication server; thus the RADIUS server is responsible for authenticating the users.

The WAP in this example has the following characteristics:

  • IP address 192.168.2.1/24

  • Network ID (SSID) Enterprise-TEST

  • WPA passphrase 12345678

  • Use 802.11n protocol

  • Wireless channel 1

  • RADIUS server at 192.168.3.10 with shared-secret VyOSPassword

set interfaces wireless wlan0 address '192.168.2.1/24'
set interfaces wireless wlan0 country-code de
set interfaces wireless wlan0 type access-point
set interfaces wireless wlan0 channel 1
set interfaces wireless wlan0 mode n
set interfaces wireless wlan0 ssid 'TEST'
set interfaces wireless wlan0 security wpa mode wpa2
set interfaces wireless wlan0 security wpa cipher CCMP
set interfaces wireless wlan0 security wpa radius server 192.168.3.10 key 'VyOSPassword'
set interfaces wireless wlan0 security wpa radius server 192.168.3.10 port 1812

Resulting in

interfaces {
  [...]
  wireless wlan0 {
    address 192.168.2.1/24
    country-code de
    channel 1
    mode n
    security {
      wpa {
        cipher CCMP
        mode wpa2
        radius {
          server 192.168.3.10 {
            key 'VyOSPassword'
            port 1812
          }
        }
      }
    }
    ssid "Enterprise-TEST"
    type access-point
  }
}

VLAN

Regular VLANs (802.1q)

IEEE 802.1q, often referred to as Dot1q, is the networking standard that supports virtual LANs (VLANs) on an IEEE 802.3 Ethernet network. The standard defines a system of VLAN tagging for Ethernet frames and the accompanying procedures to be used by bridges and switches in handling such frames. The standard also contains provisions for a quality-of-service prioritization scheme commonly known as IEEE 802.1p and defines the Generic Attribute Registration Protocol.

Portions of the network which are VLAN-aware (i.e., IEEE 802.1q conformant) can include VLAN tags. When a frame enters the VLAN-aware portion of the network, a tag is added to represent the VLAN membership. Each frame must be distinguishable as being within exactly one VLAN. A frame in the VLAN-aware portion of the network that does not contain a VLAN tag is assumed to be flowing on the native VLAN.

The standard was developed by IEEE 802.1, a working group of the IEEE 802 standards committee, and continues to be actively revised. One of the notable revisions is 802.1Q-2014 which incorporated IEEE 802.1aq (Shortest Path Bridging) and much of the IEEE 802.1d standard.

802.1q VLAN interfaces are represented as virtual sub-interfaces in VyOS. The term used for this is vif.

set interfaces wireless <interface> vif <vlan-id>

Create a new VLAN interface on interface <interface> using the VLAN number provided via <vlan-id>.

You can create multiple VLAN interfaces on a physical interface. The VLAN ID range is from 0 to 4094.

Note

Only 802.1Q-tagged packets are accepted on Ethernet vifs.

set interfaces wireless <interface> vif <vlan-id> address <address | dhcp | dhcpv6>

Configure interface <interface> with one or more interface addresses.

  • address can be specified multiple times as IPv4 and/or IPv6 address, e.g. 192.0.2.1/24 and/or 2001:db8::1/64

  • dhcp interface address is received by DHCP from a DHCP server on this segment.

  • dhcpv6 interface address is received by DHCPv6 from a DHCPv6 server on this segment.

Note

When using DHCP to retrieve an IPv4 address, local customizations can be made with the enter and exit hooks provided. The hook directories are:

  • /config/scripts/dhcp-client/pre-hooks.d/

  • /config/scripts/dhcp-client/post-hooks.d/

Example:

set interfaces wireless wlan0 vif 10 address 192.0.2.1/24
set interfaces wireless wlan0 vif 10 address 2001:db8::1/64
set interfaces wireless wlan0 vif 10 address dhcp
set interfaces wireless wlan0 vif 10 address dhcpv6

set interfaces wireless <interface> vif <vlan-id> description <description>

Set a human readable, descriptive alias for this connection. Alias is used by e.g. the show interfaces command or SNMP based monitoring tools.

Example:

set interfaces wireless wlan0 vif 10 description 'This is an awesome interface running on VyOS'

set interfaces wireless <interface> vif <vlan-id> disable

Disable given <interface>. It will be placed in administratively down (A/D) state.

Example:

set interfaces wireless wlan0 vif 10 disable

set interfaces wireless <interface> vif <vlan-id> disable-link-detect

Use this command to direct an interface to not detect any physical state changes on a link, for example, when the cable is unplugged.

The default is to detect physical link state changes.

Example:

set interfaces wireless wlan0 vif 10 disable-link-detect

set interfaces wireless <interface> vif <vlan-id> mac <xx:xx:xx:xx:xx:xx>

Configure user defined MAC address on given <interface>.

Example:

set interfaces wireless wlan0 vif 10 mac '00:01:02:03:04:05'

set interfaces wireless <interface> vif <vlan-id> mtu <mtu>

Configure MTU on given <interface>. It is the size (in bytes) of the largest ethernet frame sent on this link.

Example:

set interfaces wireless wlan0 vif 10 mtu 1600

set interfaces wireless <interface> vif <vlan-id> ip adjust-mss <mss | clamp-mss-to-pmtu>

As Internet wide PMTU discovery rarely works, we sometimes need to clamp our TCP MSS value to a specific value. This is a field in the TCP options part of a SYN packet. By setting the MSS value, you are telling the remote side unequivocally ‘do not try to send me packets bigger than this value’.

Note

This command was introduced in VyOS 1.4 - it was previously called: set firewall options interface <name> adjust-mss <value>

Hint

MSS value = MTU - 20 (IP header) - 20 (TCP header), resulting in 1452 bytes on a 1492 byte MTU.

Instead of a numerical MSS value clamp-mss-to-pmtu can be used to automatically set the proper value.

set interfaces wireless <interface> vif <vlan-id> ip arp-cache-timeout

Once a neighbor has been found, the entry is considered valid for at least this period. An entry's validity is extended if it receives positive feedback from higher-level protocols.

This defaults to 30 seconds.

Example:

set interfaces wireless wlan0 vif 10 ip arp-cache-timeout 180

set interfaces wireless <interface> vif <vlan-id> ip disable-arp-filter

If set the kernel can respond to arp requests with addresses from other interfaces. This may seem wrong but it usually makes sense, because it increases the chance of successful communication. IP addresses are owned by the complete host on Linux, not by particular interfaces. Only for more complex setups like load-balancing, does this behaviour cause problems.

If not set (default) allows you to have multiple network interfaces on the same subnet, and have the ARPs for each interface be answered based on whether or not the kernel would route a packet from the ARP’d IP out that interface (therefore you must use source based routing for this to work).

In other words it allows control of which cards (usually 1) will respond to an arp request.

Example:

set interfaces wireless wlan0 vif 10 ip disable-arp-filter

set interfaces wireless <interface> vif <vlan-id> ip disable-forwarding

Configure interface-specific Host/Router behaviour. If set, the interface will switch to host mode and IPv6 forwarding will be disabled on this interface.

set interfaces wireless wlan0 vif 10 ip disable-forwarding

set interfaces wireless <interface> vif <vlan-id> ip enable-directed-broadcast

Define different modes for IP directed broadcast forwarding as described in RFC 1812 and RFC 2644.

If configured, incoming IP directed broadcast packets on this interface will be forwarded.

If this option is unset (default), incoming IP directed broadcast packets will not be forwarded.

set interfaces wireless wlan0 vif 10 ip enable-directed-broadcast

set interfaces wireless <interface> vif <vlan-id> ip enable-arp-accept

Define the behavior for gratuitous ARP frames whose IP address is not already present in the ARP table. If configured, create new entries in the ARP table.

Both gratuitous ARP replies and gratuitous ARP requests will trigger an ARP table update if this setting is on.

If the ARP table already contains the IP address of the gratuitous ARP frame, the ARP table will be updated regardless of whether this setting is on or off.

set interfaces wireless wlan0 vif 10 ip enable-arp-accept

set interfaces wireless <interface> vif <vlan-id> ip enable-arp-announce

Define different restriction levels for announcing the local source IP address from IP packets in ARP requests sent on interface.

Use any local address, configured on any interface if this is not set.

If configured, try to avoid local addresses that are not in the target’s subnet for this interface. This mode is useful when target hosts reachable via this interface require the source IP address in ARP requests to be part of their logical network configured on the receiving interface. When we generate the request we will check all our subnets that include the target IP and will preserve the source address if it is from such subnet. If there is no such subnet we select source address according to the rules for level 2.

set interfaces wireless wlan0 vif 10 ip enable-arp-announce

set interfaces wireless <interface> vif <vlan-id> ip enable-arp-ignore

Define different modes for sending replies in response to received ARP requests that resolve local target IP addresses:

If configured, reply only if the target IP address is a local address configured on the incoming interface.

If this option is unset (default), reply for any local target IP address, configured on any interface.

set interfaces wireless wlan0 vif 10 ip enable-arp-ignore

set interfaces wireless <interface> vif <vlan-id> ip enable-proxy-arp

Use this command to enable proxy Address Resolution Protocol (ARP) on this interface. Proxy ARP allows an Ethernet interface to respond with its own MAC address to ARP requests for destination IP addresses on subnets attached to other interfaces on the system. Subsequent packets sent to those destination IP addresses are forwarded appropriately by the system.

Example:

set interfaces wireless wlan0 vif 10 ip enable-proxy-arp

set interfaces wireless <interface> vif <vlan-id> ip proxy-arp-pvlan

Private VLAN proxy arp. Basically allow proxy arp replies back to the same interface (from which the ARP request/solicitation was received).

This is done to support (ethernet) switch features, like RFC 3069, where the individual ports are NOT allowed to communicate with each other, but they are allowed to talk to the upstream router. As described in RFC 3069, it is possible to allow these hosts to communicate through the upstream router by proxy_arp’ing.

Note

Does not need to be used together with proxy_arp.

This technology is known by different names:

  • In RFC 3069 it is called VLAN Aggregation

  • Cisco and Allied Telesyn call it Private VLAN

  • Hewlett-Packard call it Source-Port filtering or port-isolation

  • Ericsson call it MAC-Forced Forwarding (RFC Draft)

set interfaces wireless <interface> vif <vlan-id> ip source-validation <strict | loose | disable>

Enable policy for source validation by reverse path, as specified in RFC 3704. Current recommended practice in RFC 3704 is to enable strict mode to prevent IP spoofing in DDoS attacks. If using asymmetric routing or other complicated routing, then loose mode is recommended.

  • strict: Each incoming packet is tested against the FIB and if the interface is not the best reverse path the packet check will fail. By default failed packets are discarded.

  • loose: Each incoming packet’s source address is also tested against the FIB and if the source address is not reachable via any interface the packet check will fail.

  • disable: No source validation

set interfaces wireless <interface> vif <vlan-id> ipv6 address autoconf

SLAAC RFC 4862. IPv6 hosts can configure themselves automatically when connected to an IPv6 network using the Neighbor Discovery Protocol via ICMPv6 router discovery messages. When first connected to a network, a host sends a link-local router solicitation multicast request for its configuration parameters; routers respond to such a request with a router advertisement packet that contains Internet Layer configuration parameters.

Note

This method automatically disables IPv6 traffic forwarding on the interface in question.

Example:

set interfaces wireless wlan0 vif 10 ipv6 address autoconf

set interfaces wireless <interface> vif <vlan-id> ipv6 address eui64 <prefix>

EUI-64 as specified in RFC 4291 allows a host to assign itself a unique 64-bit IPv6 address.

Example:

set interfaces wireless wlan0 vif 10 ipv6 address eui64 2001:db8:beef::/64

set interfaces wireless <interface> vif <vlan-id> ipv6 address no-default-link-local

Do not assign a link-local IPv6 address to this interface.

Example:

set interfaces wireless wlan0 vif 10 ipv6 address no-default-link-local

set interfaces wireless <interface> vif <vlan-id> ipv6 disable-forwarding

Configure interface-specific Host/Router behaviour. If set, the interface will switch to host mode and IPv6 forwarding will be disabled on this interface.

Example:

set interfaces wireless wlan0 vif 10 ipv6 disable-forwarding

set interfaces wireless <interface> vif <vlan-id> ipv6 adjust-mss <mss | clamp-mss-to-pmtu>

As Internet wide PMTU discovery rarely works, we sometimes need to clamp our TCP MSS value to a specific value. This is a field in the TCP options part of a SYN packet. By setting the MSS value, you are telling the remote side unequivocally ‘do not try to send me packets bigger than this value’.

Note

This command was introduced in VyOS 1.4 - it was previously called: set firewall options interface <name> adjust-mss6 <value>

Hint

MSS value = MTU - 40 (IPv6 header) - 20 (TCP header), resulting in 1432 bytes on a 1492 byte MTU.

Instead of a numerical MSS value clamp-mss-to-pmtu can be used to automatically set the proper value.

set interfaces wireless <interface> vif <vlan-id> ipv6 accept-dad <1-3>

Whether to accept DAD (Duplicate Address Detection).

  • 0: Disable DAD

  • 1: Enable DAD (default)

  • 2: Enable DAD, and disable IPv6 operation if MAC-based duplicate link-local address has been found.

Example:

set interfaces wireless wlan0 vif 10 ipv6 accept-dad 2

set interfaces wireless <interface> vif <vlan-id> ipv6 dup-addr-detect-transmits <n>

The number of Duplicate Address Detection probes to send.

Default: 1

Example:

set interfaces wireless wlan0 vif 10 ipv6 dup-addr-detect-transmits 5

set interfaces wireless <interface> vif <vlan-id> vrf <vrf>

Place interface in given VRF instance.

See also

There is an entire chapter about how to configure a VRF, please check this for additional information.

Example:

set interfaces wireless wlan0 vif 10 vrf red

DHCP(v6)

set interfaces wireless <interface> vif <vlan-id> dhcp-options client-id <description>

RFC 2131 states: The client MAY choose to explicitly provide the identifier through the ‘client identifier’ option. If the client supplies a ‘client identifier’, the client MUST use the same ‘client identifier’ in all subsequent messages, and the server MUST use that identifier to identify the client.

Example:

set interfaces wireless wlan0 vif 10 dhcp-options client-id 'foo-bar'

set interfaces wireless <interface> vif <vlan-id> dhcp-options host-name <hostname>

Instead of sending the real system hostname to the DHCP server, overwrite the host-name with the given value.

Example:

set interfaces wireless wlan0 vif 10 dhcp-options host-name 'VyOS'

set interfaces wireless <interface> vif <vlan-id> dhcp-options vendor-class-id <vendor-id>

This option is used by some DHCP clients to identify the vendor type and possibly the configuration of a DHCP client. The information is a string of bytes whose contents are specific to the vendor and are not specified in a standard.

The vendor-class-id option can be used to request a specific class of vendor options from the server.

Example:

set interfaces wireless wlan0 vif 10 dhcp-options vendor-class-id 'VyOS'

set interfaces wireless <interface> vif <vlan-id> dhcp-options no-default-route

Only request an address from the DHCP server but do not request a default gateway.

Example:

set interfaces wireless wlan0 vif 10 dhcp-options no-default-route

set interfaces wireless <interface> vif <vlan-id> dhcp-options default-route-distance <distance>

Set the distance for the default gateway sent by the DHCP server.

Example:

set interfaces wireless wlan0 vif 10 dhcp-options default-route-distance 220

set interfaces wireless <interface> vif <vlan-id> dhcp-options reject <address>

Reject DHCP leases from a given address or range. This is useful when a modem gives a local IP when first starting.

  • address can be specified multiple times, e.g. 192.168.100.1 and/or 192.168.100.0/24

Example:

set interfaces wireless wlan0 vif 10 dhcp-options reject 192.168.100.0/24

set interfaces wireless <interface> vif <vlan-id> dhcp-options user-class <string>

This option is used by some DHCP clients as a way for users to specify identifying information to the client. This can be used in a similar way to the vendor-class-identifier option, but the value of the option is specified by the user, not the vendor.

Example:

set interfaces wireless wlan0 vif 10 dhcp-options user-class VyOS

set interfaces wireless <interface> vif <vlan-id> dhcpv6-options duid <duid>

The DHCP unique identifier (DUID) is used by a client to get an IP address from a DHCPv6 server. It has a 2-byte DUID type field, and a variable-length identifier field up to 128 bytes. Its actual length depends on its type. The server compares the DUID with its database and delivers configuration data (address, lease times, DNS servers, etc.) to the client.

set interfaces wireless wlan0 vif 10 dhcpv6-options duid '0e:00:00:01:00:01:27:71:db:f0:00:50:56:bf:c5:6d'

set interfaces wireless <interface> vif <vlan-id> dhcpv6-options no-release

When no-release is specified, dhcp6c will send a release message on client exit to prevent losing an assigned address or prefix.

set interfaces wireless wlan0 vif 10 dhcpv6-options no-release

set interfaces wireless <interface> vif <vlan-id> dhcpv6-options parameters-only

This statement specifies dhcp6c to only exchange informational configuration parameters with servers. A list of DNS server addresses is an example of such parameters. This statement is useful when the client does not need stateful configuration parameters such as IPv6 addresses or prefixes.

set interfaces wireless wlan0 vif 10 dhcpv6-options parameters-only

set interfaces wireless <interface> vif <vlan-id> dhcpv6-options rapid-commit

When rapid-commit is specified, dhcp6c will include a rapid-commit option in solicit messages and wait for an immediate reply instead of advertisements.

set interfaces wireless wlan0 vif 10 dhcpv6-options rapid-commit

set interfaces wireless <interface> vif <vlan-id> dhcpv6-options temporary

Request only a temporary address and do not form an IA_NA (Identity Association for Non-temporary Addresses) partnership.

set interfaces wireless wlan0 vif 10 dhcpv6-options temporary
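The duid option above takes a colon-separated hex string, and it helps to be able to read back what such a value exposes: a DUID-LLT, the most common type, carries the hardware type, a timestamp and the link-layer address, so the same identifier follows the host across every network it joins. The following parser is an added example, not VyOS code; it assumes (this is not stated on the page) that the page's sample value, like the DUID file kept by wide-dhcpv6's dhcp6c, begins with a 2-byte little-endian length prefix ahead of the RFC 8415 DUID itself, and it validates that prefix before decoding.

```python
import struct
import uuid
from datetime import datetime, timedelta, timezone

DUID_LLT, DUID_EN, DUID_LL, DUID_UUID = 1, 2, 3, 4     # RFC 8415 DUID types
DUID_MAX_LEN = 2 + 128            # 2-byte type plus an identifier of at most 128 bytes
DUID_EPOCH = datetime(2000, 1, 1, tzinfo=timezone.utc)   # DUID-LLT time origin


def duid_from_config(value: str) -> bytes:
    """Convert the colon-separated hex string used in the config to raw bytes."""
    return bytes.fromhex(value.replace(":", ""))


def strip_dhcp6c_length_prefix(raw: bytes) -> bytes:
    """ASSUMPTION (not stated on the page): the page's sample value, like the
    DUID file wide-dhcpv6's dhcp6c keeps, starts with a 2-byte host-order
    (little-endian on x86) length of the DUID that follows.  Validate it."""
    if len(raw) < 4:
        raise ValueError("too short to hold a length prefix and a DUID type")
    (length,) = struct.unpack_from("<H", raw, 0)
    if length != len(raw) - 2:
        raise ValueError(f"length prefix {length} does not match {len(raw) - 2} DUID bytes")
    return raw[2:]


def parse_duid(duid: bytes) -> dict:
    """Decode an RFC 8415 DUID into its fields; unknown types are kept raw."""
    if not 2 <= len(duid) <= DUID_MAX_LEN:
        raise ValueError(f"DUID length {len(duid)} outside 2..{DUID_MAX_LEN}")
    (dtype,) = struct.unpack_from("!H", duid, 0)
    body = duid[2:]
    info = {"type": dtype, "length": len(duid)}
    if dtype == DUID_LLT:
        if len(body) < 6:
            raise ValueError("DUID-LLT needs a hardware type and a time field")
        hw_type, secs = struct.unpack_from("!HI", body, 0)
        info.update(hw_type=hw_type, time=DUID_EPOCH + timedelta(seconds=secs),
                    link_layer=body[6:].hex(":"))
    elif dtype == DUID_EN:
        if len(body) < 4:
            raise ValueError("DUID-EN needs an enterprise number")
        (enterprise,) = struct.unpack_from("!I", body, 0)
        info.update(enterprise=enterprise, identifier=body[4:].hex())
    elif dtype == DUID_LL:
        if len(body) < 2:
            raise ValueError("DUID-LL needs a hardware type")
        (hw_type,) = struct.unpack_from("!H", body, 0)
        info.update(hw_type=hw_type, link_layer=body[2:].hex(":"))
    elif dtype == DUID_UUID:
        if len(body) != 16:
            raise ValueError("DUID-UUID carries exactly 16 bytes")
        info.update(uuid=str(uuid.UUID(bytes=body)))
    else:
        info.update(raw=body.hex())
    return info


def describe(config_value: str) -> dict:
    """Parse a value as it appears in 'dhcpv6-options duid <duid>'."""
    return parse_duid(strip_dhcp6c_length_prefix(duid_from_config(config_value)))


if __name__ == "__main__":
    # The page's own sample value: length prefix 0x000e, then a DUID-LLT.
    print(describe("0e:00:00:01:00:01:27:71:db:f0:00:50:56:bf:c5:6d"))
```

Run against the page's sample value, `describe()` reports a DUID-LLT (type 1) over Ethernet (hardware type 1) with a creation time in December 2020 and the link-layer address 00:50:56:bf:c5:6d. If a fixed identifier is wanted without exposing the MAC, a DUID-EN or DUID-UUID value decodes through the same function.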

DHCPv6 Prefix Delegation (PD)

VyOS 1.3 (equuleus) supports DHCPv6-PD (RFC 3633). DHCPv6 Prefix Delegation is supported by most ISPs who provide native IPv6 for consumers on fixed networks.

set interfaces wireless <interface> vif <vlan-id> dhcpv6-options pd <id> length <length>

Some ISPs by default only delegate a /64 prefix. To request a specific prefix size, use this option to request a larger delegation for this pd <id>. The value is in the range 32 - 64, so you can request anything from a /32 prefix (if your ISP allows this) down to a /64 delegation.

The default value corresponds to 64.

To request a /56 prefix from your ISP use:

set interfaces wireless wlan0 vif 10 dhcpv6-options pd 0 length 56

set interfaces wireless <interface> vif <vlan-id> dhcpv6-options pd <id> interface <delegatee> address <address>

Specify the interface address used locally on the interface where the prefix has been delegated to. ID must be a decimal integer.

It will be combined with the delegated prefix and the sla-id to form a complete interface address. The default is to use the EUI-64 address of the interface.

Example: Delegate a /64 prefix to interface eth8 which will use a local address on this router of <prefix>::ffff, as the address 65534 will correspond to ffff in hexadecimal notation.

set interfaces wireless wlan0 vif 10 dhcpv6-options pd 0 interface eth8 address 65534

set interfaces wireless <interface> vif <vlan-id> dhcpv6-options pd <id> interface <delegatee> sla-id <id>

Specify the identifier value of the site-level aggregator (SLA) on the interface. ID must be a decimal number greater than 0 which fits in the length of SLA IDs (see below).

Example: If ID is 1 and the client is delegated an IPv6 prefix 2001:db8:ffff::/48, dhcp6c will combine the two values into a single IPv6 prefix, 2001:db8:ffff:1::/64, and will configure the prefix on the specified interface.

set interfaces wireless wlan0 vif 10 dhcpv6-options pd 0 interface eth8 sla-id 1
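The two pd examples above (sla-id combined with the delegated prefix, and a decimal address id or the EUI-64 identifier filling the host part) and the ipv6 address eui64 command earlier in this section are all small bit-arithmetic steps, and the range checks are where misconfigurations hide: an sla-id has to fit in the bits between the delegated prefix length and the requested subnet length, and an address id has to fit in the host bits. The following Python is an added example of that arithmetic, not dhcp6c's or VyOS's code; the helper names are mine, the prefixes are the page's own, and the decimal ids are simply rendered in hex (65534 is 0xfffe, 65535 is 0xffff).

```python
import ipaddress


def eui64_interface_id(mac: str) -> int:
    """Modified EUI-64 (RFC 4291, Appendix A): split the 48-bit MAC, insert
    ff:fe in the middle and flip the universal/local bit of the first octet."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    eui = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    eui[0] ^= 0x02
    return int.from_bytes(eui, "big")


def eui64_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """What 'ipv6 address eui64 <prefix>' yields for an interface with this MAC."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("EUI-64 interface identifiers need a /64 prefix")
    return ipaddress.IPv6Address(int(net.network_address) | eui64_interface_id(mac))


def delegated_subnet(pd_prefix: str, sla_id: int, sla_len: int = 64) -> ipaddress.IPv6Network:
    """Combine the delegated prefix with the sla-id into the delegatee's /sla_len.
    A /64 delegation leaves zero SLA bits, so no sla-id > 0 fits and this raises."""
    pd = ipaddress.IPv6Network(pd_prefix)
    sla_bits = sla_len - pd.prefixlen          # width of the SLA ID field
    if sla_bits < 0:
        raise ValueError(f"cannot carve a /{sla_len} out of a /{pd.prefixlen}")
    if not 0 < sla_id < (1 << sla_bits):
        raise ValueError(f"sla-id {sla_id} must be > 0 and fit in {sla_bits} bits")
    base = int(pd.network_address) | (sla_id << (128 - sla_len))
    return ipaddress.IPv6Network((base, sla_len))


def delegatee_address(subnet: ipaddress.IPv6Network, address_id: int = None,
                      mac: str = None) -> ipaddress.IPv6Address:
    """Local address on the delegatee: the explicit decimal id from the
    'address' option, or, when none is given, the EUI-64 of its MAC."""
    if address_id is not None:
        host_bits = 128 - subnet.prefixlen
        if not 0 < address_id < (1 << host_bits):
            raise ValueError(f"address id {address_id} does not fit in {host_bits} host bits")
        return ipaddress.IPv6Address(int(subnet.network_address) | address_id)
    if mac is None:
        raise ValueError("need either an address id or the interface MAC")
    return eui64_address(str(subnet), mac)


if __name__ == "__main__":
    sub = delegated_subnet("2001:db8:ffff::/48", sla_id=1)      # page's sla-id example
    print(sub, delegatee_address(sub, 65534), delegatee_address(sub, mac="00:01:02:03:04:05"))
```

With the page's /48 and sla-id 1 the subnet is 2001:db8:ffff:1::/64; an address id of 65534 puts the router at 2001:db8:ffff:1::fffe, and omitting the id falls back to the EUI-64 form, which embeds the interface MAC in the address.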

QinQ (802.1ad)

Call for Contributions

This section needs improvements, examples and explanations.

Please take a look at the Contributing Guide for our Write Documentation.

IEEE 802.1ad is an Ethernet networking standard, informally known as QinQ, that was originally an amendment to the IEEE 802.1q VLAN standard described above. 802.1ad was incorporated into the base 802.1q standard in 2011. The technique is also known as provider bridging, stacked VLANs, or simply QinQ or Q-in-Q. On supported devices, “Q-in-Q” can also refer to C-tag stacking on C-tag (Ethernet Type = 0x8100).

The original 802.1q specification allows a single Virtual Local Area Network (VLAN) header to be inserted into an Ethernet frame. QinQ allows multiple VLAN tags to be inserted into a single frame, an essential capability for implementing Metro Ethernet network topologies. Just as QinQ extends 802.1Q, QinQ itself is extended by other Metro Ethernet protocols.

In a multiple VLAN header context, out of convenience the term “VLAN tag” or just “tag” for short is often used in place of “802.1q VLAN header”. QinQ allows multiple VLAN tags in an Ethernet frame; together these tags constitute a tag stack. When used in the context of an Ethernet frame, a QinQ frame is a frame that has 2 VLAN 802.1q headers (double-tagged).

In VyOS the terms vif-s and vif-c stand for the service tag (S-TAG) and customer tag (C-TAG) that are used, each with its own ethertype.

The inner tag is the tag which is closest to the payload portion of the frame. It is officially called C-TAG (customer tag, with ethertype 0x8100). The outer tag is the one closer/closest to the Ethernet header, its name is S-TAG (service tag with Ethernet Type = 0x88a8).
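The tag layout described in the 802.1q section above and the S-TAG/C-TAG stack described here can be checked against real frames with a small parser, which is also how a capture tool decides whether a frame belongs to the native VLAN, to a vif, or to a vif-s/vif-c pair. The following Python is an added example and is not part of the VyOS documentation or code base; the frames it parses are constructed inside the block, and the vif / vif-s / vif-c strings it returns are just the VyOS terms applied to what it finds in the tag stack.

```python
import struct

TPID_CTAG = 0x8100   # 802.1q customer tag (C-TAG)
TPID_STAG = 0x88A8   # 802.1ad service tag (S-TAG)
VLAN_ID_MAX = 4094   # IDs 0-4094 are configurable; 4095 is reserved by the standard


def parse_tags(frame: bytes):
    """Walk the VLAN tag stack of an Ethernet frame.

    Returns (tags, ethertype, payload): tags is a list, outermost first, of
    dicts with tpid, pcp (802.1p priority), dei and vid; ethertype is the
    first non-tag EtherType; payload is what follows it.  Raises ValueError
    on truncated frames and on the reserved VLAN ID 4095.
    """
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    offset = 12                      # skip destination and source MAC
    tags = []
    while True:
        if len(frame) < offset + 2:
            raise ValueError("frame truncated at EtherType/TPID")
        (ethertype,) = struct.unpack_from("!H", frame, offset)
        if ethertype not in (TPID_CTAG, TPID_STAG):
            break                    # not a tag: this is the real EtherType
        if len(frame) < offset + 4:
            raise ValueError("frame truncated inside a VLAN tag")
        (tci,) = struct.unpack_from("!H", frame, offset + 2)
        vid = tci & 0x0FFF
        if vid > VLAN_ID_MAX:
            raise ValueError(f"reserved VLAN ID {vid}")
        tags.append({"tpid": ethertype, "pcp": tci >> 13,
                     "dei": (tci >> 12) & 1, "vid": vid})
        offset += 4
    return tags, ethertype, frame[offset + 2:]


def classify(frame: bytes) -> str:
    """Map the tag stack onto the VyOS sub-interface that would receive it."""
    tags, _, _ = parse_tags(frame)
    if not tags:
        return "untagged (native VLAN)"
    if len(tags) == 1:
        return f"vif {tags[0]['vid']}"
    if tags[0]["tpid"] == TPID_STAG and tags[1]["tpid"] == TPID_CTAG:
        return f"vif-s {tags[0]['vid']} vif-c {tags[1]['vid']}"
    # 0x8100 stacked on 0x8100: the C-tag-on-C-tag form some devices also call Q-in-Q
    return "C-tag stack " + "/".join(str(t["vid"]) for t in tags)


def build_frame(tags, payload: bytes = b"\x45" + b"\x00" * 19) -> bytes:
    """Constructed test frame: broadcast destination, locally administered
    source, the given (tpid, vid) tags, then an IPv4 EtherType and a dummy payload."""
    hdr = bytes.fromhex("ffffffffffff") + bytes.fromhex("020000000001")
    for tpid, vid in tags:
        hdr += struct.pack("!HH", tpid, vid)      # TCI with PCP=0, DEI=0
    return hdr + struct.pack("!H", 0x0800) + payload


if __name__ == "__main__":
    for stack in ([], [(TPID_CTAG, 10)], [(TPID_STAG, 1000), (TPID_CTAG, 20)]):
        print(classify(build_frame(stack)))
```

The outer loop stops at the first EtherType that is not 0x8100 or 0x88a8, so a frame with three or more tags is reported as a stack rather than silently truncated; the reserved ID 4095 is rejected rather than mapped to a vif.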

set interfaces wireless <interface> vif-s <vlan-id> vif-c <vlan-id> address <address | dhcp | dhcpv6>

Configure interface <interface> with one or more interface addresses.

  • address can be specified multiple times as IPv4 and/or IPv6 address, e.g. 192.0.2.1/24 and/or 2001:db8::1/64

  • dhcp interface address is received by DHCP from a DHCP server on this segment.

  • dhcpv6 interface address is received by DHCPv6 from a DHCPv6 server on this segment.

Note

When using DHCP to retrieve IPv4 address and if local customizations are needed, they should be possible using the enter and exit hooks provided. The hook dirs are:

  • /config/scripts/dhcp-client/pre-hooks.d/

  • /config/scripts/dhcp-client/post-hooks.d/

Example:

set interfaces wireless wlan0 vif-s 1000 vif-c 20 address 192.0.2.1/24
set interfaces wireless wlan0 vif-s 1000 vif-c 20 address 2001:db8::1/64
set interfaces wireless wlan0 vif-s 1000 vif-c 20 address dhcp
set interfaces wireless wlan0 vif-s 1000 vif-c 20 address dhcpv6

set interfaces wireless <interface> vif-s <vlan-id> vif-c <vlan-id> description <description>

Set a human readable, descriptive alias for this connection. Alias is used by e.g. the show interfaces command or SNMP based monitoring tools.

Example:

set interfaces wireless wlan0 vif-s 1000 vif-c 20 description 'This is an awesome interface running on VyOS'

set interfaces wireless <interface> vif-s <vlan-id> vif-c <vlan-id> disable

Disable given <interface>. It will be placed in administratively down (A/D) state.

Example:

set interfaces wireless wlan0 vif-s 1000 vif-c 20 disable

set interfaces wireless <interface> vif-s <vlan-id> vif-c <vlan-id> disable-link-detect

Use this command to direct an interface to not detect any physical state changes on a link, for example, when the cable is unplugged.

The default is to detect physical link state changes.

Example:

set interfaces wireless wlan0 vif-s 1000 vif-c 20 disable-link-detect

set interfaces wireless <interface> vif-s <vlan-id> vif-c <vlan-id> mac <xx:xx:xx:xx:xx:xx>

Configure user defined MAC address on given <interface>.

Example:

set interfaces wireless wlan0 vif-s 1000 vif-c 20 mac '00:01:02:03:04:05'

set interfaces wireless <interface> vif-s <vlan-id> vif-c <vlan-id> mtu <mtu>

Configure MTU on given <interface>. It is the size (in bytes) of the largest ethernet frame sent on this link.

Example:

set interfaces wireless wlan0 vif-s 1000 vif-c 20 mtu 1600

set interfaces wireless <interface> vif-s <vlan-id> vif-c <vlan-id> ip adjust-mss <mss | clamp-mss-to-pmtu>

As Internet wide PMTU discovery rarely works, we sometimes need to clamp our TCP MSS value to a specific value. This is a field in the TCP options part of a SYN packet. By setting the MSS value, you are telling the remote side unequivocally ‘do not try to send me packets bigger than this value’.

Note

This command was introduced in VyOS 1.4 - it was previously called: set firewall options interface <name> adjust-mss <value>

Hint

MSS value = MTU - 20 (IP header) - 20 (TCP header), resulting in 1452 bytes on a 1492 byte MTU.

Instead of a numerical MSS value clamp-mss-to-pmtu can be used to automatically set the proper value.

set interfaces wireless <interface> vif-s <vlan-id> vif-c <vlan-id> ip arp-cache-timeout

Once a neighbor has been found, the entry is considered valid for at least this period. An entry's validity is extended if it receives positive feedback from higher-level protocols.

This defaults to 30 seconds.

Example:

set interfaces wireless wlan0 vif-s 1000 vif-c 20 ip arp-cache-timeout 180

set interfaces wireless <interface> vif-s <vlan-id> vif-c <vlan-id> ip disable-arp-filter

If set the kernel can respond to arp requests with addresses from other interfaces. This may seem wrong but it usually makes sense, because it increases the chance of successful communication. IP addresses are owned by the complete host on Linux, not by particular interfaces. Only for more complex setups like load-balancing, does this behaviour cause problems.

If not set (default) allows you to have multiple network interfaces on the same subnet, and have the ARPs for each interface be answered based on whether or not the kernel would route a packet from the ARP’d IP out that interface (therefore you must use source based routing for this to work).

In other words it allows control of which cards (usually 1) will respond to an arp request.

Example:

set interfaces wireless wlan0 vif-s 1000 vif-c 20 ip disable-arp-filter

set interfaces wireless <interface> vif-s <vlan-id> vif-c <vlan-id> ip disable-forwarding

Configure interface-specific Host/Router behaviour. If set, the interface will switch to host mode and IPv6 forwarding will be disabled on this interface.

set interfaces wireless wlan0 vif-s 1000 vif-c 20 ip disable-forwarding

set interfaces wireless <interface> vif-s <vlan-id> vif-c <vlan-id> ip enable-directed-broadcast

Define different modes for IP directed broadcast forwarding as described in RFC 1812 and RFC 2644.

If configured, incoming IP directed broadcast packets on this interface will be forwarded.

If this option is unset (default), incoming IP directed broadcast packets will not be forwarded.

set interfaces wireless wlan0 vif-s 1000 vif-c 20 ip enable-directed-broadcast

set interfaces wireless <interface> vif-s <vlan-id> vif-c <vlan-id> ip enable-arp-accept

Define the behavior for gratuitous ARP frames whose IP address is not already present in the ARP table. If configured, create new entries in the ARP table.

Both gratuitous ARP replies and gratuitous ARP requests will trigger an ARP table update if this setting is on.

If the ARP table already contains the IP address of the gratuitous ARP frame, the ARP table will be updated regardless of whether this setting is on or off.

set interfaces wireless wlan0 vif-s 1000 vif-c 20 ip enable-arp-accept

set interfaces wireless <interface> vif-s <vlan-id> vif-c <vlan-id> ip enable-arp-announce

Define different restriction levels for announcing the local source IP address from IP packets in ARP requests sent on interface.

Use any local address, configured on any interface if this is not set.

If configured, try to avoid local addresses that are not in the target’s subnet for this interface. This mode is useful when target hosts reachable via this interface require the source IP address in ARP requests to be part of their logical network configured on the receiving interface. When we generate the request we will check all our subnets that include the target IP and will preserve the source address if it is from such subnet. If there is no such subnet we select source address according to the rules for level 2.

set interfaces wireless wlan0 vif-s 1000 vif-c 20 ip enable-arp-announce

set interfaces wireless <interface> vif-s <vlan-id> vif-c <vlan-id> ip enable-arp-ignore

Define different modes for sending replies in response to received ARP requests that resolve local target IP addresses:

If configured, reply only if the target IP address is a local address configured on the incoming interface.

If this option is unset (default), reply for any local target IP address, configured on any interface.

set interfaces wireless wlan0 vif-s 1000 vif-c 20 ip enable-arp-ignore

set interfaces wireless <interface> vif-s <vlan-id> vif-c <vlan-id> ip enable-proxy-arp

Use this command to enable proxy Address Resolution Protocol (ARP) on this interface. Proxy ARP allows an Ethernet interface to respond with its own MAC address to ARP requests for destination IP addresses on subnets attached to other interfaces on the system. Subsequent packets sent to those destination IP addresses are forwarded appropriately by the system.

Example:

set interfaces wireless wlan0 vif-s 1000 vif-c 20 ip enable-proxy-arp

set interfaces wireless <interface> vif-s <vlan-id> vif-c <vlan-id> ip proxy-arp-pvlan

Private VLAN proxy arp. Basically allow proxy arp replies back to the same interface (from which the ARP request/solicitation was received).

This is done to support (ethernet) switch features, like RFC 3069, where the individual ports are NOT allowed to communicate with each other, but they are allowed to talk to the upstream router. As described in RFC 3069, it is possible to allow these hosts to communicate through the upstream router by proxy_arp’ing.

Note

Does not need to be used together with proxy_arp.

This technology is known by different names:

  • In RFC 3069 it is called VLAN Aggregation

  • Cisco and Allied Telesyn call it Private VLAN

  • Hewlett-Packard call it Source-Port filtering or port-isolation

  • Ericsson call it MAC-Forced Forwarding (RFC Draft)

set interfaces wireless <interface> vif-s <vlan-id> vif-c <vlan-id> ip source-validation <strict | loose | disable>

Enable policy for source validation by reverse path, as specified in RFC 3704. Current recommended practice in RFC 3704 is to enable strict mode to prevent IP spoofing in DDoS attacks. If using asymmetric routing or other complicated routing, then loose mode is recommended.

  • strict: Each incoming packet is tested against the FIB and if the interface is not the best reverse path the packet check will fail. By default failed packets are discarded.

  • loose: Each incoming packet’s source address is also tested against the FIB and if the source address is not reachable via any interface the packet check will fail.

  • disable: No source validation
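The strict / loose / disable modes described here (and identically for the plain vif earlier in this section) are easiest to reason about as a lookup against the FIB, and two consequences are worth seeing on sample data: with a default route in the table, loose mode only rejects sources that fall under a blackhole or unreachable route, and strict mode rejects every source whose best route points out a different interface, which is exactly what breaks asymmetric routing. The Python below is an added example of that decision logic, not the kernel's rp_filter implementation and not VyOS code; the FIB, the interface names and the packets are constructed for the example.

```python
import ipaddress

# Constructed FIB for the example: (prefix, outgoing interface).  An interface
# of None models a blackhole/unreachable route, which is what makes a prefix
# "not reachable via any interface" for the purposes of loose mode.
FIB = [
    (ipaddress.ip_network("0.0.0.0/0"),       "eth0"),      # default route upstream
    (ipaddress.ip_network("192.0.2.0/24"),    "wlan0.10"),  # clients behind vif 10
    (ipaddress.ip_network("198.51.100.0/24"), "eth1"),      # a second LAN
    (ipaddress.ip_network("10.0.0.0/8"),      None),        # blackholed private space
]


def lookup(fib, addr: str):
    """Longest-prefix match; returns (network, iface) or None when nothing matches."""
    ip = ipaddress.ip_address(addr)
    best = None
    for net, iface in fib:
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best


def rpf_check(fib, in_iface: str, src: str, mode: str) -> bool:
    """True if a packet from src arriving on in_iface passes source validation."""
    if mode == "disable":
        return True
    route = lookup(fib, src)
    reachable = route is not None and route[1] is not None
    if mode == "loose":
        return reachable                       # any interface will do
    if mode == "strict":
        return reachable and route[1] == in_iface   # must be the best reverse path
    raise ValueError(f"unknown mode {mode!r}")


# Constructed sample packets arriving on the vif: (in_iface, source, label)
PACKETS = [
    ("wlan0.10", "192.0.2.55",   "own client"),
    ("wlan0.10", "198.51.100.7", "spoofs eth1 subnet"),
    ("wlan0.10", "203.0.113.9",  "spoofs an Internet address"),
    ("wlan0.10", "10.1.2.3",     "blackholed source"),
]


def verdicts(mode: str) -> dict:
    """Which of the sample packets the given mode would accept on wlan0.10."""
    return {label: rpf_check(FIB, iface, src, mode) for iface, src, label in PACKETS}


if __name__ == "__main__":
    for mode in ("strict", "loose", "disable"):
        print(mode, verdicts(mode))
```

Strict mode accepts only the client whose prefix is routed back out wlan0.10; loose mode additionally accepts the two spoofed sources because the default route makes them reachable, and drops only the blackholed one. If the same prefix can legitimately arrive on two interfaces, strict mode will discard half of it, which is the case the page's recommendation for loose mode covers.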

set interfaces wireless <interface> vif-s <vlan-id> vif-c <vlan-id> ipv6 address autoconf

SLAAC RFC 4862. IPv6 hosts can configure themselves automatically when connected to an IPv6 network using the Neighbor Discovery Protocol via ICMPv6 router discovery messages. When first connected to a network, a host sends a link-local router solicitation multicast request for its configuration parameters; routers respond to such a request with a router advertisement packet that contains Internet Layer configuration parameters.

Note

This method automatically disables IPv6 traffic forwarding on the interface in question.

Example:

set interfaces wireless wlan0 vif-s 1000 vif-c 20 ipv6 address autoconf

set interfaces wireless <interface> vif-s <vlan-id> vif-c <vlan-id> ipv6 address eui64 <prefix>

EUI-64 as specified in RFC 4291 allows a host to assign itself a unique 64-bit IPv6 address.

Example:

set interfaces wireless wlan0 vif-s 1000 vif-c 20 ipv6 address eui64 2001:db8:beef::/64

set interfaces wireless <interface> vif-s <vlan-id> vif-c <vlan-id> ipv6 address no-default-link-local

Do not assign a link-local IPv6 address to this interface.

Example:

set interfaces wireless wlan0 vif-s 1000 vif-c 20 ipv6 address no-default-link-local

set interfaces wireless <interface> vif-s <vlan-id> vif-c <vlan-id> ipv6 disable-forwarding

Configure interface-specific Host/Router behaviour. If set, the interface will switch to host mode and IPv6 forwarding will be disabled on this interface.

Example:

set interfaces wireless wlan0 vif-s 1000 vif-c 20 ipv6 disable-forwarding

set interfaces wireless <interface> vif-s <vlan-id> vif-c <vlan-id> ipv6 adjust-mss <mss | clamp-mss-to-pmtu>

As Internet wide PMTU discovery rarely works, we sometimes need to clamp our TCP MSS value to a specific value. This is a field in the TCP options part of a SYN packet. By setting the MSS value, you are telling the remote side unequivocally ‘do not try to send me packets bigger than this value’.

Note

This command was introduced in VyOS 1.4 - it was previously called: set firewall options interface <name> adjust-mss6 <value>

Hint

MSS value = MTU - 40 (IPv6 header) - 20 (TCP header), resulting in 1432 bytes on a 1492 byte MTU.

Instead of a numerical MSS value clamp-mss-to-pmtu can be used to automatically set the proper value.

set interfaces wireless <interface> vif-s <vlan-id> vif-c <vlan-id> ipv6 accept-dad <1-3>

Whether to accept DAD (Duplicate Address Detection).

  • 0: Disable DAD

  • 1: Enable DAD (default)

  • 2: Enable DAD, and disable IPv6 operation if MAC-based duplicate link-local address has been found.

Example:

set interfaces wireless wlan0 vif-s 1000 vif-c 20 ipv6 accept-dad 2

set interfaces wireless <interface> vif-s <vlan-id> vif-c <vlan-id> ipv6 dup-addr-detect-transmits <n>

The number of Duplicate Address Detection probes to send.

Default: 1

Example:

set interfaces wireless wlan0 vif-s 1000 vif-c 20 ipv6 dup-addr-detect-transmits 5

set interfaces wireless <interface> vif-s <vlan-id> vif-c <vlan-id> vrf <vrf>

Place interface in given VRF instance.

See also

There is an entire chapter about how to configure a VRF, please check this for additional information.

Example:

set interfaces wireless wlan0 vif-s 1000 vif-c 20 vrf red

DHCP(v6)

set interfaces wireless <interface> vif-s <vlan-id> vif-c <vlan-id> dhcp-options client-id <description>

RFC 2131 states: The client MAY choose to explicitly provide the identifier through the ‘client identifier’ option. If the client supplies a ‘client identifier’, the client MUST use the same ‘client identifier’ in all subsequent messages, and the server MUST use that identifier to identify the client.

Example:

set interfaces wireless wlan0 vif-s 1000 vif-c 20 dhcp-options client-id 'foo-bar'
set interfaces wireless <interface> vif-s <vlan-id> vif-c <vlan-id> dhcp-options host-name <hostname>

Instead of sending the real system hostname to the DHCP server, overwrite the host-name with the given value.

Example:

set interfaces wireless wlan0 vif-s 1000 vif-c 20 dhcp-options host-name 'VyOS'
set interfaces wireless <interface> vif-s <vlan-id> vif-c <vlan-id> dhcp-options vendor-class-id <vendor-id>

This option is used by some DHCP clients to identify the vendor type and possibly the configuration of a DHCP client. The information is a string of bytes whose contents are specific to the vendor and are not specified in a standard.

The vendor-class-id option can be used to request a specific class of vendor options from the server.

Example:

set interfaces wireless wlan0 vif-s 1000 vif-c 20 dhcp-options vendor-class-id 'VyOS'
set interfaces wireless <interface> vif-s <vlan-id> vif-c <vlan-id> dhcp-options no-default-route

Only request an address from the DHCP server but do not request a default gateway.

Example:

set interfaces wireless wlan0 vif-s 1000 vif-c 20 dhcp-options no-default-route
set interfaces wireless <interface> vif-s <vlan-id> vif-c <vlan-id> dhcp-options default-route-distance <distance>

Set the distance for the default gateway sent by the DHCP server.

Example:

set interfaces wireless wlan0 vif-s 1000 vif-c 20 dhcp-options default-route-distance 220
set interfaces wireless <interface> vif-s <vlan-id> vif-c <vlan-id> dhcp-options reject <address>

Reject DHCP leases from a given address or range. This is useful when a modem gives a local IP when first starting.

  • address can be specified multiple times, e.g. 192.168.100.1 and/or 192.168.100.0/24

Example:

set interfaces wireless wlan0 vif-s 1000 vif-c 20 dhcp-options reject 192.168.100.0/24
set interfaces wireless <interface> vif-s <vlan-id> vif-c <vlan-id> dhcp-options user-class <string>

This option is used by some DHCP clients as a way for users to specify identifying information to the client. This can be used in a similar way to the vendor-class-identifier option, but the value of the option is specified by the user, not the vendor.

Example:

set interfaces wireless wlan0 vif-s 1000 vif-c 20 dhcp-options user-class VyOS
set interfaces wireless <interface> vif-s <vlan-id> vif-c <vlan-id> dhcpv6-options duid <duid>

The DHCP unique identifier (DUID) is used by a client to get an IP address from a DHCPv6 server. It has a 2-byte DUID type field, and a variable-length identifier field up to 128 bytes. Its actual length depends on its type. The server compares the DUID with its database and delivers configuration data (address, lease times, DNS servers, etc.) to the client.

set interfaces wireless wlan0 vif-s 1000 vif-c 20 dhcpv6-options duid '0e:00:00:01:00:01:27:71:db:f0:00:50:56:bf:c5:6d'
set interfaces wireless <interface> vif-s <vlan-id> vif-c <vlan-id> dhcpv6-options no-release

When no-release is specified, dhcp6c will send a release message on client exit to prevent losing an assigned address or prefix.

set interfaces wireless wlan0 vif-s 1000 vif-c 20 dhcpv6-options no-release
set interfaces wireless <interface> vif-s <vlan-id> vif-c <vlan-id> dhcpv6-options parameters-only

This statement specifies dhcp6c to only exchange informational configuration parameters with servers. A list of DNS server addresses is an example of such parameters. This statement is useful when the client does not need stateful configuration parameters such as IPv6 addresses or prefixes.

set interfaces wireless wlan0 vif-s 1000 vif-c 20 dhcpv6-options parameters-only
set interfaces wireless <interface> vif-s <vlan-id> vif-c <vlan-id> dhcpv6-options rapid-commit

When rapid-commit is specified, dhcp6c will include a rapid-commit option in solicit messages and wait for an immediate reply instead of advertisements.

set interfaces wireless wlan0 vif-s 1000 vif-c 20 dhcpv6-options rapid-commit
set interfaces wireless <interface> vif-s <vlan-id> vif-c <vlan-id> dhcpv6-options temporary

Request only a temporary address and do not form an IA_NA (Identity Association for Non-temporary Addresses) partnership.

set interfaces wireless wlan0 vif-s 1000 vif-c 20 dhcpv6-options temporary

DHCPv6 Prefix Delegation (PD)

VyOS 1.3 (equuleus) supports DHCPv6-PD (RFC 3633). DHCPv6 Prefix Delegation is supported by most ISPs who provide native IPv6 for consumers on fixed networks.

set interfaces wireless <interface> vif-s <vlan-id> vif-c <vlan-id> dhcpv6-options pd <id> length <length>

Some ISPs by default only delegate a /64 prefix. To request a specific prefix size, use this option to request a larger delegation for this pd <id>. The value is in the range 32 to 64, so you could request anything from a /32 prefix (if your ISP allows this) down to a /64 delegation.

The default value corresponds to 64.

To request a /56 prefix from your ISP use:

set interfaces wireless wlan0 vif-s 1000 vif-c 20 dhcpv6-options pd 0 length 56
set interfaces wireless <interface> vif-s <vlan-id> vif-c <vlan-id> dhcpv6-options pd <id> interface <delegatee> address <address>

Specify the interface address used locally on the interface to which the prefix has been delegated. The value must be a decimal integer.

It will be combined with the delegated prefix and the sla-id to form a complete interface address. The default is to use the EUI-64 address of the interface.

Example: Delegate a /64 prefix to interface eth8 which will use a local address on this router of <prefix>::ffff, as the address 65534 will correspond to ffff in hexadecimal notation.

set interfaces wireless wlan0 vif-s 1000 vif-c 20 dhcpv6-options pd 0 interface eth8 address 65534
set interfaces wireless <interface> vif-s <vlan-id> vif-c <vlan-id> dhcpv6-options pd <id> interface <delegatee> sla-id <id>

Specify the identifier value of the site-level aggregator (SLA) on the interface. The ID must be a decimal number greater than 0 which fits in the length of SLA IDs (see below).

Example: If ID is 1 and the client is delegated an IPv6 prefix 2001:db8:ffff::/48, dhcp6c will combine the two values into a single IPv6 prefix, 2001:db8:ffff:1::/64, and will configure the prefix on the specified interface.

set interfaces wireless wlan0 vif-s 1000 vif-c 20 dhcpv6-options pd 0 interface eth8 sla-id 1
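As an added example (not VyOS or dhcp6c code), the following Python combines a delegated prefix, the sla-id and the interface address value into the delegatee's subnet and address in the way the two options above describe, and rejects an sla-id or address value that does not fit in the available bits. The function names and the /56 sample are assumptions for illustration.

```python
import ipaddress

# Added example, not VyOS or dhcp6c code: models how a delegated prefix,
# the sla-id and the interface address value are combined into the
# subnet and address configured on the delegatee interface.


def delegated_subnet(prefix: str, sla_id: int, sla_len: int = 64) -> ipaddress.IPv6Network:
    """Place sla_id in the bits between the delegated prefix length and sla_len."""
    pd = ipaddress.IPv6Network(prefix, strict=True)
    sla_bits = sla_len - pd.prefixlen
    if sla_bits < 0:
        raise ValueError(f"delegated {pd} is longer than the /{sla_len} subnet")
    # "ID must be greater than 0 and fit in the length of SLA IDs": a /48
    # delegation split into /64 subnets leaves 16 SLA bits, so sla-id < 65536.
    if not 0 < sla_id < (1 << sla_bits):
        raise ValueError(f"sla-id {sla_id} does not fit in {sla_bits} SLA bits")
    net = int(pd.network_address) | (sla_id << (128 - sla_len))
    return ipaddress.IPv6Network((net, sla_len))


def delegatee_address(prefix: str, sla_id: int, address: int,
                      sla_len: int = 64) -> ipaddress.IPv6Interface:
    """The decimal address value becomes the interface identifier (low 128 - sla_len bits)."""
    subnet = delegated_subnet(prefix, sla_id, sla_len)
    host_bits = 128 - sla_len
    if not 0 < address < (1 << host_bits):
        raise ValueError(f"address {address} does not fit in {host_bits} interface-id bits")
    return ipaddress.IPv6Interface((int(subnet.network_address) | address, sla_len))


if __name__ == "__main__":
    # Values from the page: /48 delegation, sla-id 1, address 65534 on eth8.
    print(delegated_subnet("2001:db8:ffff::/48", 1))          # 2001:db8:ffff:1::/64
    print(delegatee_address("2001:db8:ffff::/48", 1, 65534))  # 2001:db8:ffff:1::fffe/64
```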

Operation

show interfaces wireless info

Use this command to view operational status and wireless-specific information about all wireless interfaces.

vyos@vyos:~$ show interfaces wireless info
Interface  Type          SSID                         Channel
wlan0      access-point  VyOS-TEST-0                        1
show interfaces wireless detail

Use this command to view operational status and detailed wireless-specific information about all wireless interfaces.

vyos@vyos:~$ show interfaces wireless detail
wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether XX:XX:XX:XX:XX:c3 brd XX:XX:XX:XX:XX:ff
    inet xxx.xxx.99.254/24 scope global wlan0
       valid_lft forever preferred_lft forever
    inet6 fe80::xxxx:xxxx:fe54:2fc3/64 scope link
       valid_lft forever preferred_lft forever

    RX:  bytes    packets     errors    dropped    overrun      mcast
         66072        282          0          0          0          0
    TX:  bytes    packets     errors    dropped    carrier collisions
         83413        430          0          0          0          0

wlan1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether XX:XX:XX:XX:XX:c3 brd XX:XX:XX:XX:XX:ff
    inet xxx.xxx.100.254/24 scope global wlan0
       valid_lft forever preferred_lft forever
    inet6 fe80::xxxx:xxxx:ffff:2ed3/64 scope link
       valid_lft forever preferred_lft forever

    RX:  bytes    packets     errors    dropped    overrun      mcast
         166072      5282          0          0          0          0
    TX:  bytes    packets     errors    dropped    carrier collisions
         183413      5430          0          0          0          0
show interfaces wireless <wlanX>

This command shows both status and statistics on the specified wireless interface. The wireless interface identifier can range from wlan0 to wlan999.

vyos@vyos:~$ show interfaces wireless wlan0
wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether XX:XX:XX:XX:XX:c3 brd XX:XX:XX:XX:XX:ff
    inet xxx.xxx.99.254/24 scope global wlan0
       valid_lft forever preferred_lft forever
    inet6 fe80::xxxx:xxxx:fe54:2fc3/64 scope link
       valid_lft forever preferred_lft forever

    RX:  bytes    packets     errors    dropped    overrun      mcast
         66072        282          0          0          0          0
    TX:  bytes    packets     errors    dropped    carrier collisions
         83413        430          0          0          0          0
show interfaces wireless <wlanX> brief

This command gives a brief status overview of a specified wireless interface. The wireless interface identifier can range from wlan0 to wlan999.

vyos@vyos:~$ show interfaces wireless wlan0 brief
Codes: S - State, L - Link, u - Up, D - Down, A - Admin Down
Interface        IP Address                        S/L  Description
---------        ----------                        ---  -----------
wlan0            192.168.2.254/24                    u/u
show interfaces wireless <wlanX> queue

Use this command to view wireless interface queue information. The wireless interface identifier can range from wlan0 to wlan999.

vyos@vyos:~$ show interfaces wireless wlan0 queue
qdisc pfifo_fast 0: root bands 3 priomap 1 2 2 2 1 2 0 0 1 1 1 1 1 1 1 1
 Sent 810323 bytes 6016 pkt (dropped 0, overlimits 0 requeues 0)
 rate 0bit 0pps backlog 0b 0p requeues 0
show interfaces wireless <wlanX> scan

This command is used to retrieve information about WAPs within range of your wireless interface. It is useful on wireless interfaces configured in station mode.

Note

Scanning is not supported on all wireless drivers and wireless hardware. Refer to your driver and wireless hardware documentation for further details.

vyos@vyos:~$ show interfaces wireless wlan0 scan
Address            SSID                          Channel  Signal (dbm)
00:53:3b:88:6e:d8  WLAN-576405                         1  -64.00
00:53:3b:88:6e:da  Telekom_FON                         1  -64.00
00:53:00:f2:c2:a4  BabyView_F2C2A4                     6  -60.00
00:53:3b:88:6e:d6  Telekom_FON                       100  -72.00
00:53:3b:88:6e:d4  WLAN-576405                       100  -71.00
00:53:44:a4:96:ec  KabelBox-4DC8                      56  -81.00
00:53:d9:7a:67:c2  WLAN-741980                         1  -75.00
00:53:7c:99:ce:76  Vodafone Homespot                   1  -86.00
00:53:44:a4:97:21  KabelBox-4DC8                       1  -78.00
00:53:44:a4:97:21  Vodafone Hotspot                    1  -79.00
00:53:44:a4:97:21  Vodafone Homespot                   1  -79.00
00:53:86:40:30:da  Telekom_FON                         1  -86.00
00:53:7c:99:ce:76  Vodafone Hotspot                    1  -86.00
00:53:44:46:d2:0b  Vodafone Hotspot                    1  -87.00

Examples

The following example creates a WAP. When configuring multiple WAP interfaces, you must specify unique IP addresses, channels, Network IDs (commonly referred to as SSIDs), and MAC addresses.

The WAP in this example has the following characteristics:

  • IP address 192.168.2.1/24

  • Network ID (SSID) TEST

  • WPA passphrase 12345678

  • Use 802.11n protocol

  • Wireless channel 1

set interfaces wireless wlan0 address '192.168.2.1/24'
set interfaces wireless wlan0 type access-point
set interfaces wireless wlan0 channel 1
set interfaces wireless wlan0 mode n
set interfaces wireless wlan0 ssid 'TEST'
set interfaces wireless wlan0 security wpa mode wpa2
set interfaces wireless wlan0 security wpa cipher CCMP
set interfaces wireless wlan0 security wpa passphrase '12345678'
set interfaces wireless wlan0 country-code de

Resulting in

interfaces {
  [...]
  wireless wlan0 {
        address 192.168.2.1/24
        channel 1
        country-code de
        mode n
        security {
            wpa {
                cipher CCMP
                mode wpa2
                passphrase "12345678"
            }
        }
        ssid "TEST"
        type access-point
    }
}
system {
  [...]
  wifi-regulatory-domain DE
}

To get it to work as an access point with this configuration you will need to set up a DHCP server to work with that network. You can - of course - also bridge the Wireless interface with any configured bridge (Bridge) on the system.

Intel AX200

The Intel AX200 card does not work out of the box in AP mode, see https://unix.stackexchange.com/questions/598275/intel-ax200-ap-mode. You can still put this card into AP mode using the following configuration:

set interfaces wireless wlan0 channel '1'
set interfaces wireless wlan0 country-code 'us'
set interfaces wireless wlan0 mode 'n'
set interfaces wireless wlan0 physical-device 'phy0'
set interfaces wireless wlan0 ssid 'VyOS'
set interfaces wireless wlan0 type 'access-point'