I am prepping a VyOS firewall to replace my OPNsense. I am working on the DHCP server part of 1.4 branch and got this message after configuring the DHCP option 43 for access points.
DEPRECATION WARNING: Additional global parameters are subject of
removal in VyOS 1.5! Please raise a feature request for proper CLI
nodes!
DEPRECATION WARNING: Additional subnet parameters in "10.0.6.0/24" are
subject of removal in VyOS 1.5! Please raise a feature request for
proper CLI nodes!
The syntax in question is:
set service dhcp-server global-parameters 'option option43 code 43 = string;'
set service dhcp-server shared-network-name access-points subnet 10.0.6.0/24 subnet-parameters 'option option43 E0:0E:31:30:2E:30:2E:37:2E:38:3A:31:30:30:31:34;'
The vendor is Grandstream. What needs to happen is the access points need DHCP option 224 and option 43. The 224 needs to be in HEX, which is E0. The 0E is the length, which is the number of characters in ip-address:port (e.g. 10.0.7.8:10014), which in my case is 14 characters. The 0 in 0E is just padding in case of a single HEX character output value (e.g. 14 == E). The rest of the string is the ip-address:port (10.0.7.8:10014). This is done by converting the ASCII to HEX.
Then by combining option 224 + character length + ip-addr:port you'll get the string that needs to be encapsulated by DHCP option 43. In my case, my string is "E0:0E:31:30:2E:30:2E:37:2E:38:3A:31:30:30:31:34"
I checked the docs and didn’t find a newer way to do option 43.
Is there a newer way to do option 43?
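The encoding described in the post (sub-option code 224 = 0xE0, then a one-byte length, then the ASCII bytes of ip:port, all written as colon-separated hex) is a small type-length-value structure. The following Python is an added example, not VyOS, ISC dhcpd or Grandstream code: it builds the option 43 payload for any ip:port, zero-pads single-digit lengths (the 0E case), parses a payload back into its sub-options so a value can be checked before it goes into the config, and emits the `subnet-parameters` line in the form the post uses. The sub-option code 224 is taken from the post; the function and parameter names are my own.

```python
"""Build and check a DHCP option 43 payload carrying sub-option 224 (ip:port).

Added example illustrating the encoding from the post; not vendor code.
Layout of the payload: code (1 byte) | length (1 byte) | ASCII value,
rendered as colon-separated upper-case hex for the dhcpd option string.
"""

GRANDSTREAM_SUBOPTION = 224  # 0xE0, the sub-option code named in the post


def encode_suboption(code: int, value: str) -> bytes:
    """Return code|length|value as raw bytes, rejecting values that cannot fit."""
    if not 0 <= code <= 255:
        raise ValueError("sub-option code must fit in one byte")
    data = value.encode("ascii")  # raises UnicodeEncodeError on non-ASCII input
    if len(data) > 255:
        raise ValueError("sub-option value longer than 255 bytes")
    return bytes([code, len(data)]) + data


def to_colon_hex(raw: bytes) -> str:
    """Render bytes as E0:0E:31:..., always two hex digits per byte (so 14 -> 0E)."""
    return ":".join(f"{b:02X}" for b in raw)


def option43_payload(ip: str, port: int, code: int = GRANDSTREAM_SUBOPTION) -> str:
    """Colon-hex option 43 payload for a given ip:port, e.g. for 10.0.7.8:10014."""
    return to_colon_hex(encode_suboption(code, f"{ip}:{port}"))


def parse_option43(hexstr: str) -> list:
    """Decode a colon-hex payload into [(code, value), ...], failing on truncation."""
    raw = bytes.fromhex(hexstr.replace(":", ""))
    items = []
    i = 0
    while i < len(raw):
        if i + 2 > len(raw):
            raise ValueError("truncated sub-option header")
        code, length = raw[i], raw[i + 1]
        value = raw[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("declared length exceeds remaining bytes")
        items.append((code, value.decode("ascii")))
        i += 2 + length
    return items


def vyos_subnet_parameter(ip: str, port: int, code: int = GRANDSTREAM_SUBOPTION) -> str:
    """The value used with 'subnet-parameters' in the post, in dhcpd syntax."""
    return f"option option43 {option43_payload(ip, port, code)};"


if __name__ == "__main__":
    payload = option43_payload("10.0.7.8", 10014)
    print(payload)                      # E0:0E:31:30:2E:30:2E:37:2E:38:3A:31:30:30:31:34
    print(parse_option43(payload))      # [(224, '10.0.7.8:10014')]
    print(vyos_subnet_parameter("10.0.7.8", 10014))
```

Round-tripping the string through `parse_option43` before committing is the quick way to catch an off-by-one in the length byte, which is the usual reason a hand-built option 43 value is silently ignored by the client.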
I have a question about the new way of writing the zone-based rulesets. I have these rules for the forward chain.
set firewall ipv4 forward filter default-action 'drop'
set firewall ipv4 forward filter default-log
set firewall ipv4 forward filter rule 1 action 'drop'
set firewall ipv4 forward filter rule 1 log
set firewall ipv4 forward filter rule 1 state 'invalid'
set firewall ipv4 forward filter rule 2 action 'accept'
set firewall ipv4 forward filter rule 2 state 'established'
set firewall ipv4 forward filter rule 3 action 'accept'
set firewall ipv4 forward filter rule 3 state 'related'
set firewall ipv4 forward filter rule 3010 action 'jump'
set firewall ipv4 forward filter rule 3010 description 'trust to management'
set firewall ipv4 forward filter rule 3010 inbound-interface group 'trust'
set firewall ipv4 forward filter rule 3010 jump-target 'trust_to_management'
set firewall ipv4 forward filter rule 3010 outbound-interface group 'management'
It should jump to this ruleset.
set firewall ipv4 name trust_to_management rule 3010 action 'accept'
set firewall ipv4 name trust_to_management rule 3010 destination group network-group 'management'
set firewall ipv4 name trust_to_management rule 3010 destination group port-group 'management'
set firewall ipv4 name trust_to_management rule 3010 protocol 'tcp'
set firewall ipv4 name trust_to_management rule 3010 source group network-group 'trust'
The question that I have about the zone-based setup is: do I need to add the state rules 1, 2, and 3 to the jumped ruleset trust_to_management?
In the past, with the regular/old way of zone-based firewalling, there was a state-policy that could be globally enabled. The command is still available, but I'm not sure if this is part of the new way. I like the new way of doing the rulesets, but I'm not sure how to handle the states.
The global command I was talking about is this:
set firewall global-options state-policy
Possible completions:
> established Global firewall policy for packets part of an established connection
> invalid Global firewall policy for packets part of an invalid connection
> related Global firewall policy for packets part of a related connection