Storm Control in VyOS

I was wondering if there’s a solution in VyOS to control broadcast/unknown unicast/multicast floods.

Storm control is something that would be done on your switch generally, not the router. Is there a specific issue you are trying to solve?

In my case, the VyOS router is connected to multiple servers (through switches and GRETAP). Some switches are unmanaged as well, unfortunately. I was hoping to rate-limit broadcast packets per port on VyOS and prevent further damage.

You could try looking through the docs for traffic policies, and that may be able to limit some of the traffic that would have been forwarded through the layer 2 interfaces on the VyOS box. I'm honestly not sure if that will work on layer 2 interfaces though. It will probably require some trial and error.

https://docs.vyos.io/en/latest/configuration/trafficpolicy/index.html

2 Likes

Thank you, I'll try this. It appears that there's not really much implementation in Linux for this. I'll probably also mess with tc and see if I can get anything.

I think it could be filtered by nftables; unfortunately, we have not implemented it yet, as we are currently in the process of rewriting the firewall. However, this chain is able to filter on the L2 layer, which means you can handle it according to your requirements.

https://wiki.nftables.org/wiki-nftables/index.php/Bridge_filtering

1 Like
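As an added illustration of the bridge-filtering approach linked above (this is not code from the thread or from the VyOS project), the following POSIX shell function emits an nftables bridge-family ruleset that drops broadcast and multicast frames arriving on a given port once they exceed a per-port packet rate, with a counter so drops are visible in `nft list ruleset`. The table name `storm`, the port names and the rate are assumptions chosen for the example; unknown-unicast flooding is not covered, since nftables has no bridge FDB lookup to tell a flooded unicast frame from a normal one.

```shell
#!/bin/sh
# Added example (not from the thread or VyOS): build a bridge-family nftables
# ruleset for per-port broadcast/multicast rate limiting.
#
# Usage: build_storm_ruleset <pps> <port> [<port> ...]
#   <pps>   packets per second allowed per port before frames are dropped
#   <port>  bridge member interface names (e.g. eth1 eth2); assumed names
#
# The output is a complete ruleset that `nft -f` can load. The forward hook
# of the bridge family sees frames being bridged between member ports, which
# is where a storm propagates from one port to all the others.
build_storm_ruleset() {
  rate="$1"
  shift
  printf 'table bridge storm {\n'
  printf '  chain forward {\n'
  printf '    type filter hook forward priority 0; policy accept;\n'
  for port in "$@"; do
    # "limit rate over" matches only the frames ABOVE the threshold, so
    # legitimate low-rate broadcast (ARP, DHCP) still passes. The counter
    # records how many frames were dropped on this port for later inspection.
    printf '    iifname "%s" meta pkttype broadcast limit rate over %s/second burst 50 packets counter drop\n' "$port" "$rate"
    printf '    iifname "%s" meta pkttype multicast limit rate over %s/second burst 50 packets counter drop\n' "$port" "$rate"
  done
  printf '  }\n'
  printf '}\n'
}

# Count how many rate-limit rules a ruleset contains (two per port); handy
# for sanity-checking the generated file before loading it.
count_limit_rules() {
  grep -c 'limit rate over'
}
```

To apply it on a box where you are comfortable running raw nft outside the configuration system: `build_storm_ruleset 200 eth1 eth2 > /tmp/storm.nft && nft -f /tmp/storm.nft`, then watch the counters with `nft list table bridge storm`. Because the ruleset is loaded directly with `nft`, it is not part of the VyOS configuration and will not be persisted or managed by the CLI; a firewall commit or reboot can drop it, so treat it as a stop-gap until the rewrite mentioned in the thread lands.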

Thank you very much for your reply. Could we expect this feature to be available in a future VyOS release by any chance?

1 Like

Yes, and it should also allow more complex rules and use all chains that can be used in nftables, but it's a complex task. Here we will share the progress on the rewrite:

https://vyos.dev/T5160

1 Like

Thank you very much for the update. Looking forward to it!
