How to set net.ipv6.neigh.etha/b.base_reachable_time in vyos

Hello,
I use the command

set interfaces ethernet etha vif b ip arp-cache-timeout 14400

to set net.ipv4.neigh.etha/b.base_reachable_time, but I can’t find the corresponding command to set base_reachable_time on ipv6.
set system sysctl parameter ... works for me, but when I restart vyos, it always says “There was a config error on boot” and deletes the commands in router configuration.
How can I do it properly? Thanks!

You can search for available kernel settings with:

sudo sysctl -a | grep -i reachable

And if the output is, let's say:

net.ipv6.neigh.default.base_reachable_time_ms = 30000
net.ipv6.neigh.eth0.base_reachable_time_ms = 30000

You can then adjust this in VyOS 1.4 or newer with:

set system sysctl parameter net.ipv6.neigh.default.base_reachable_time_ms value '240000'
set system sysctl parameter net.ipv6.neigh.eth0.base_reachable_time_ms value '240000'

Generally speaking I would recommend to set ARP and NDP to 240 seconds (4 min) which should be smaller than the MAC timeout (which normally is 300 seconds aka 5 min):

set interfaces ethernet eth0 ip arp-cache-timeout '240'
set interfaces ethernet eth1 ip arp-cache-timeout '240'
set interfaces ethernet eth2 ip arp-cache-timeout '240'
1 Like

Hello, some internet exchanges require 4 hours arp/ndp cache time, so I set it on the corresponding interface.

I need to set base_reachable_time on eth3 vif 2, and using this command

set system sysctl parameter net.ipv6.neigh.eth3/2.base_reachable_time_ms value 14400000

this returns no error when I commit changes, but when I reboot my router, it will say “There was a config error on boot” and delete the commands in router configuration. Maybe it is a bug?

What is the output of this command before and after you try to set this through VyOS config (without reboot in between)?

sudo sysctl -a | grep -i base_reachable_time_ms
net.ipv6.neigh.eth3.base_reachable_time_ms = 14400000
net.ipv6.neigh.eth3/2.base_reachable_time_ms = 14400000
net.ipv6.neigh.eth3/3.base_reachable_time_ms = 14400000

Without a reboot it works well.

The set system sysctl parameter net.ipv6.neigh.eth3/2.base_reachable_time_ms value 14400000 is attempting to be applied before the sub-interface is actually created. There’s a number of race conditions on boot like this that are causing issues right now. You can add the commands to the “vyos-postconfig-bootup.script” to ensure it is applied. You’ll still have the “There was a config error on boot” error, but it’ll just be cosmetic at that point.

1 Like

I threw this in as a feature request over at:

https://vyos.dev/T6258

In the meantime use the method suggested by @L0crian with “/config/scripts/vyos-postconfig-bootup.script”.

See the manual for more information: Command Scripting — VyOS 1.5.x (circinus) documentation

1 Like
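
The workaround from the two replies above, as an added example (not part of the thread and not VyOS project code): functions for /config/scripts/vyos-postconfig-bootup.script that wait for each VLAN sub-interface's sysctl entry to exist before writing it, so the boot-time race cannot drop the value. The function names, the SYSCTL_ROOT override, the 30 one-second retries and the check on the script's file name are assumptions; it also assumes the script runs with permission to write under /proc/sys.

```shell
#!/bin/sh
# Added example; interface names and value are the ones used in this thread.

# Root of the sysctl tree; overridable so the logic can be exercised off-box.
SYSCTL_ROOT="${SYSCTL_ROOT:-/proc/sys}"

# sysctl_key_to_path KEY
# In sysctl notation '.' separates components and '/' stands for a literal
# dot inside one, so the key "eth3/2" is the directory of interface eth3.2.
sysctl_key_to_path() {
    printf '%s/%s\n' "$SYSCTL_ROOT" "$(printf '%s' "$1" | tr './' '/.')"
}

# set_when_present KEY VALUE [TRIES]
# Poll once per second until the kernel has created the entry, then write it.
set_when_present() {
    path=$(sysctl_key_to_path "$1")
    tries=${3:-30}
    while [ ! -e "$path" ]; do
        tries=$((tries - 1))
        if [ "$tries" -le 0 ]; then
            echo "timeout waiting for $1" >&2
            return 1
        fi
        sleep 1
    done
    printf '%s\n' "$2" > "$path"
}

# apply_ndp_timeouts [TRIES]
# 4 hours (14400000 ms) on both IX sub-interfaces; keep going if one fails.
apply_ndp_timeouts() {
    rc=0
    for key in \
        net.ipv6.neigh.eth3/2.base_reachable_time_ms \
        net.ipv6.neigh.eth3/3.base_reachable_time_ms
    do
        set_when_present "$key" 14400000 "${1:-30}" || rc=1
    done
    return $rc
}

# Run only when this file is the boot script itself (assumed invocation name).
if [ "${0##*/}" = "vyos-postconfig-bootup.script" ]; then
    apply_ndp_timeouts
fi
```

After boot, the sysctl -a | grep -i base_reachable_time_ms check shown earlier in the thread confirms whether the values were applied.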

@canoziia There are some questions in the task I created over at vyos.dev.

Could you please provide a running-config from your setup?

Something like the output of:

show config commands | strip-private

Hello, I have created a new VM to test the simplest configurations that can reproduce this problem. But now I can’t reproduce it in the new VM, while my router always shows this error message when I reboot it. I will continue to try new configurations and will notify you as soon as I can reproduce it.
This is the config of my router:

vyos@core-mci-us:~$ show config commands | strip-private
set firewall ipv4 forward filter rule 100 action 'drop'
set firewall ipv4 forward filter rule 100 description 'Drop SIX subnets access by others'
set firewall ipv4 forward filter rule 100 destination address 'xxx.xxx.80.0/22'
set firewall ipv4 forward filter rule 100 outbound-interface name 'eth3*'
set firewall ipv6 forward filter rule 100 action 'drop'
set firewall ipv6 forward filter rule 100 description 'Drop SIX subnets access by others'
set firewall ipv6 forward filter rule 100 destination address 'xxxx:xxxx:16::/48'
set firewall ipv6 forward filter rule 100 outbound-interface name 'eth3*'
set interfaces ethernet eth0 address 'xxx.xxx.181.234/29'
set interfaces ethernet eth0 address 'xxxx:xxxx:700F:1::9/127'
set interfaces ethernet eth0 description 'Transit: INCX'
set interfaces ethernet eth0 hw-id 'xx:xx:xx:xx:xx:e3'
set interfaces ethernet eth0 offload gro
set interfaces ethernet eth0 offload gso
set interfaces ethernet eth0 offload sg
set interfaces ethernet eth0 offload tso
set interfaces ethernet eth1 address 'xxx.xxx.32.1/24'
set interfaces ethernet eth1 address 'xxxx:xxxx:131:32::1/64'
set interfaces ethernet eth1 description 'Lan: Local'
set interfaces ethernet eth1 hw-id 'xx:xx:xx:xx:xx:2b'
set interfaces ethernet eth1 offload gro
set interfaces ethernet eth1 offload gso
set interfaces ethernet eth1 offload sg
set interfaces ethernet eth1 offload tso
set interfaces ethernet eth1 vif 200 address 'xxx.xxx.23.1/24'
set interfaces ethernet eth1 vif 200 address 'fe80::1/64'
set interfaces ethernet eth1 vif 200 description 'Downstream: Customer-Lan'
set interfaces ethernet eth2 address 'xxx.xxx.7.241/24'
set interfaces ethernet eth2 address 'xxxx:xxxx:1B:1::241/64'
set interfaces ethernet eth2 description 'IX: KCIX'
set interfaces ethernet eth2 hw-id 'xx:xx:xx:xx:xx:42'
set interfaces ethernet eth2 offload gro
set interfaces ethernet eth2 offload gso
set interfaces ethernet eth2 offload sg
set interfaces ethernet eth2 offload tso
set interfaces ethernet eth3 hw-id 'xx:xx:xx:xx:xx:f0'
set interfaces ethernet eth3 ip arp-cache-timeout '14400'
set interfaces ethernet eth3 ip enable-arp-announce
set interfaces ethernet eth3 mtu '9000'
set interfaces ethernet eth3 offload gro
set interfaces ethernet eth3 offload gso
set interfaces ethernet eth3 offload sg
set interfaces ethernet eth3 offload tso
set interfaces ethernet eth3 vif 2 address 'xxx.xxx.80.126/23'
set interfaces ethernet eth3 vif 2 address 'xxxx:xxxx:16::6b83/64'
set interfaces ethernet eth3 vif 2 description 'IX: SIX'
set interfaces ethernet eth3 vif 2 ip arp-cache-timeout '14400'
set interfaces ethernet eth3 vif 2 ip enable-arp-announce
set interfaces ethernet eth3 vif 2 mtu '1500'
set interfaces ethernet eth3 vif 3 address 'xxx.xxx.82.126/23'
set interfaces ethernet eth3 vif 3 address 'xxxx:xxxx:16:1::6b83/64'
set interfaces ethernet eth3 vif 3 description 'IX: SIX jumbo'
set interfaces ethernet eth3 vif 3 ip arp-cache-timeout '14400'
set interfaces ethernet eth3 vif 3 ip enable-arp-announce
set interfaces ethernet eth3 vif 3 mtu '9000'
set interfaces ethernet eth4 address 'xxx.xxx.184.1/24'
set interfaces ethernet eth4 address 'xxxx:xxxx:131::1/64'
set interfaces ethernet eth4 address 'xxxx:xxxx::1/64'
set interfaces ethernet eth4 description 'Lan: withPublicIP'
set interfaces ethernet eth4 hw-id 'xx:xx:xx:xx:xx:f7'
set interfaces loopback lo
set nat source rule 100 outbound-interface name 'eth0'
set nat source rule 100 source address 'xxx.xxx.32.0/24'
set nat source rule 100 translation address 'masquerade'
set nat source rule 105 outbound-interface name 'eth2'
set nat source rule 105 source address 'xxx.xxx.32.0/24'
set nat source rule 105 translation address 'xxx.xxx.184.1'
set nat source rule 110 outbound-interface name 'eth3*'
set nat source rule 110 source address 'xxx.xxx.32.0/24'
set nat source rule 110 translation address 'xxx.xxx.184.1'
# I deleted bgp config because it is too long and I think not important
set protocols static route xxx.xxx.0.0/0 next-hop xxx.xxx.181.233 interface 'eth0'
set protocols static route xxx.xxx.184.0/24 interface eth4
set protocols static route6 xxxx:xxxx:131::/48 reject
set protocols static route6 xxxx:xxxx::/48 reject
set service dhcp-server listen-interface 'eth1'
set service dhcp-server shared-network-name xxxxxx option domain-name xxxxxx
set service dhcp-server shared-network-name xxxxxx option domain-search xxxxxx
set service dhcp-server shared-network-name xxxxxx subnet xxx.xxx.32.0/24 option default-router 'xxx.xxx.32.1'
set service dhcp-server shared-network-name xxxxxx subnet xxx.xxx.32.0/24 option name-server 'xxx.xxx.1.1'
set service dhcp-server shared-network-name xxxxxx subnet xxx.xxx.32.0/24 range 0 start 'xxx.xxx.32.101'
set service dhcp-server shared-network-name xxxxxx subnet xxx.xxx.32.0/24 range 0 stop 'xxx.xxx.32.199'
set service dhcp-server shared-network-name xxxxxx subnet xxx.xxx.32.0/24 subnet-id '1'
set service dns forwarding allow-from 'xxx.xxx.32.0/24'
set service dns forwarding dnssec 'process'
set service dns forwarding listen-address 'xxx.xxx.32.1'
set service ntp allow-client xxxxxx 'xxx.xxx.0.0/0'
set service ntp allow-client xxxxxx '::/0'
set service ntp server xxxxx.tld
set service ntp server xxxxx.tld
set service ntp server xxxxx.tld
set service router-advert interface eth1 name-server 'xxxx:xxxx:4700::1111'
set service router-advert interface eth1 prefix ::/64
set service router-advert interface eth4 name-server 'xxxx:xxxx:4700::1111'
set service router-advert interface eth4 prefix xxxx:xxxx:131::/64
set service snmp listen-address xxx.xxx.32.1
set service snmp location xxxxxx
set service snmp v3 engineid '000000000000192168032001'
set service snmp v3 group default mode 'ro'
set service snmp v3 group default view 'default'
set service snmp v3 user xxxxxx auth encrypted-password xxxxxx
set service snmp v3 user xxxxxx auth type 'sha'
set service snmp v3 user xxxxxx group 'default'
set service snmp v3 user xxxxxx privacy encrypted-password xxxxxx
set service snmp v3 user xxxxxx privacy type 'aes'
set service snmp v3 view default oid 1
set service ssh disable-password-authentication
set service ssh dynamic-protection
set system config-management commit-revisions '100'
set system conntrack modules ftp
set system conntrack modules h323
set system conntrack modules nfs
set system conntrack modules pptp
set system conntrack modules sip
set system conntrack modules sqlnet
set system conntrack modules tftp
set system flow-accounting disable-imt
set system flow-accounting enable-egress
set system flow-accounting interface 'eth0'
set system flow-accounting interface 'eth1.200'
set system flow-accounting interface 'eth2'
set system flow-accounting interface 'eth3.2'
set system flow-accounting interface 'eth3.3'
set system flow-accounting sflow sampling-rate '1000'
set system flow-accounting sflow server xxxxx.tld port '6343'
set system frr bmp
set system host-name xxxxxx
set system ip protocol bgp route-map 'SET-SRC'
set system ipv6 protocol bgp route-map 'SET-SRC'
set system login user xxxxxx authentication encrypted-password xxxxxx
set system login user xxxxxx authentication plaintext-password xxxxxx
set system login user xxxxxx authentication public-keys xxxx@xxx.xxx key xxxxxx
set system login user xxxxxx authentication public-keys xxxx@xxx.xxx type ssh-xxx
set system name-server 'xxx.xxx.1.1'
set system sysctl parameter net.ipv6.neigh.eth3.base_reachable_time_ms value '14400000'
set system sysctl parameter net.ipv6.neigh.eth3/2.base_reachable_time_ms value '14400000'
set system sysctl parameter net.ipv6.neigh.eth3/3.base_reachable_time_ms value '14400000'
set system syslog global facility all level 'info'
set system syslog global facility local7 level 'debug'
set system task-scheduler task update-bgp executable path '/config/myapp/update-bgp.sh'
set system task-scheduler task update-bgp interval '12h'
set system time-zone 'Asia/Shanghai'
set system update-check auto-check
set system update-check url xxxxxx
vyos@core-mci-us:~$