VTYSH extensions. Interfaces


Preliminary version.

24.08.2023


Contents

Changelog

Debug / Informational commands

Configuration commands

Overall interface commands

PPP-type interface commands

Bridge related commands

Wireless and cellular interface related commands

IPSEC related commands

Configuration samples

DM VPN spoke, BGP and two L2TP connections secured by IPSec.

Changelog

12.07.2023 — Sample config for DM VPN, L2TP and IPSec profiles is added.

02.08.2023 — Contents has been added.

23.08.2023 — SSTP mode for PPP connections has been added.

24.08.2023 — <show wireless interface ...> command is added.

Debug / Informational commands

** show wireless interface INTERFACE **

Show state and mode of the wireless interface specified by name. Command is available in enable mode. Requires privilege level of at least 10.

Configuration commands

All commands below are available in interface configuration mode.

Overall interface commands

** use mode <l2tp|pptp|pppoe|sstp|ppp|cellular|qmi|cdc|gre|openvpn|ipsec|vxlan|xfrm|pppoa|pppoeoadsl|wireguard|ap|station|ad-hoc|repeater|monitor> **

Set up the working mode for the interface. Usually required for logical interfaces, or as a helper for using hardware interfaces.

** use local WORD [peer <A.B.C.D|X:X::X:X|FQDN>] **

Use an interface or device as underlay for a logical interface. The remote side (IPv4 or IPv6 address, or FQDN) can optionally be specified.

** use peer <A.B.C.D|X:X::X:X|FQDN> **

Specify the remote side (IPv4 or IPv6 address, or FQDN) for a logical interface.

** use login NAME [second] **

Connection username or login, when required. Optional keyword «second» sets it for the second data connection through this interface.

** no use login [second] **

Remove previously configured login.

** use key SECRET [second] **

Set up a password, passphrase or key, when required. Optional keyword «second» sets it for the second data connection through this interface.

** no use key [second] **

Remove a previously configured password, passphrase or key. Optional keyword «second» removes it for the second data connection through this interface.

** use service-set WORD [second] **

Set up the service set (SSID, APN and so on) for the connection/interface. The second data connection can be specified.

** no use service-set [second] **

Reset service set for connection. Second data connection can be specified.

** use auth-type <none|auto|pap|chap|wep|wpa-psk|wpa2-psk|wpa3-psk|eap|8021x|pubkey> [second] **

Authentication type for the connection:

- none — no authentication;

- auto — automatic selection;

- pap — cleartext passphrase;

- chap — CHAP;

- wep — WiFi WEP;

- wpa-psk — WiFi WPA-PSK;

- wpa2-psk — WiFi WPA2-PSK;

- wpa3-psk — WiFi WPA3-PSK;

- eap — EAP with RADIUS backend;

- 8021x — IEEE 802.1X;

- pubkey — public key.

Optional keyword «second» sets the type for the second data connection.

** no use auth-type [second] **

Reset the authentication type for the connection. The second data connection can be specified.

** no use <mode|local|peer|mtu|transport|policy|pin> **

Reset / clear some interface settings.

** use mtu (128-65536) **

Setup MTU for interface.

** no use mtu **

Reset fixed MTU size.

** member <bridge|bond> IFNAME **

Assign interface as a part of bridge or bonding.

** no member <bridge|bond|zone> **

Release interface from bridge, bonding or zone.

** ip address <dhcp|auto> [<backup|nodefaultroute|nopeerdns|nopeersettings>] **

Tell the software to obtain an IPv4 address from DHCP, or as appropriate for this class of interfaces. It is possible to specify which kinds of settings from the remote side to ignore.

** no ip address <dhcp|auto> **

Do not obtain an IPv4 address automatically.

** ip checkpoint A.B.C.D **

Set up a remote IPv4 address to check (track) link connectivity.

** no ip checkpoint **

Reset tracking IPv4 address.

** ip dhcp pool start A.B.C.D last A.B.C.D **

Enable DHCP server on this interface and specify address pool.

** no ip dhcp pool **

Disable the DHCP server for the interface and clear the pool settings.

** ipv6 dhcp pool first X:X::X:X last X:X::X:X **

Enable the DHCPv6 server on this interface and specify the address pool.

** no ipv6 dhcp pool **

Disable the DHCPv6 server for the interface and clear the pool settings.

** ipv6 address <dhcp|auto> [<backup|nodefaultroute|nopeerdns|nopeersettings>] **

Tell the software to obtain an IPv6 address from DHCP, or as appropriate for this class of interfaces (e.g. SLAAC). It is possible to specify which kinds of settings from the remote side to ignore.

** no ipv6 address <dhcp|auto> **

Do not obtain an IPv6 address automatically.

** ipv6 checkpoint X:X::X:X **

Set up a remote IPv6 address to check (track) link connectivity.

** no ipv6 checkpoint **

Reset tracking IPv6 address.

** hw-address WORD **

Specify the MAC address to use for the interface (e.g. 00:01:02:03:04:05).

** no hw-address **

Reset / clear the previously configured MAC address.

** proxy-arp on **

Enable ARP proxy.

** no proxy-arp **

Disable ARP proxy.

PPP-type interface commands

** use ppp-options encap <vc|llc> **

Set up the PPP over ATM and ADSL encapsulation type, VPI or VCI.

** use ppp-options <passthrough|sync|nobuff|relay|bcp|nomaclocal|notagged> **

Set boolean options for PPP-based connections / interfaces. E.g. «bcp» enables transfer of Ethernet frames through the PPP link.

** use ppp-options <vpi|vci|multilink|segmentid> (0-65535) **

Set PPP options with numeric values. E.g. the «multilink» option enables Multilink PPP and sets the MRRU to the specified value.

** no use ppp-options <passthrough|multilink|sync|nobuff|relay|bcp|nomaclocal|notagged|vpi|vci|segmentid|encap> **

Remove specified PPP options.

Bridge related commands

** bridge <priority|forward-delay|hello-time> (0-2147483647) **

Set bridge values such as «priority» to something other than the defaults.

** no bridge <priority|forward-delay|hello-time> **

Reset previously configured bridge values to their defaults.

** bridge stp on **

Enable STP on the bridge.

** no bridge stp **

Disable STP on the bridge.

Wireless and cellular interface related commands

** use network-mode <auto|2g|3g|4g|5g|80211a|80211b|80211g|80211n|80211ac|80211ax> **

Select the specified network mode, e.g. 80211ax for WiFi6 interfaces or 5g for a 5G cellular connection. «auto» lets the hardware select a suitable network mode.

** no use network-mode **

Remove / reset selected network mode.

** use cellular-band <gsm|3g|lte|5g> (1-65535) **

Latch to the specified cellular band. Makes sense for cellular interfaces only. Must not conflict with the «use network-mode» setting.

** no use cellular-band <gsm|3g|lte|5g> (1-65535) **

Clear latching to any cellular band.

** use wireless <channel|power|gain|distance|sensetivity|tx-antenna|rx-antenna> (1-65535) **

Set WLAN related parameters such as the channel in use, antenna gain, antenna pattern and so on.

** no use wireless <channel|power|gain|distance|sensetivity|tx-antenna|rx-antenna> **

Remove the specified configuration value for the WLAN interface.

** use pin (0-999999999999) **

Set the PIN code for the device / interface / connection.

** hide service-set **

Hide the service set in beacons.

** no hide service-set **

Do not hide the service set in beacons (default behavior for WLAN).

** use wireless <qos|tkip|wep|isolation|vlans|power-management|hotspot|fast-roaming|force-fast-roaming|hotspot-eap-tls|hotspot-eap-ttls|hotspot-eap-peap|hotspot-eap-sim> **

Enable various WLAN options:

- QoS mode;

- Use of TKIP key management;

- Use of WEP;

- Isolate clients (for AP only);

- Assign dynamic VLANs (for AP only);

- Power management;

- Hotspot 2.0;

- Fast roaming;

- Force key management to FT only;

- Advertise EAP-TLS method for Hotspot 2.0;

- Advertise EAP-TTLS method for Hotspot 2.0;

- Advertise EAP-PEAP method for Hotspot 2.0;

- Advertise EAP-SIM method for Hotspot 2.0.

** no use wireless <qos|tkip|wep|isolation|vlans|power-management|hotspot|fast-roaming|force-fast-roaming|hotspot-eap-tls|hotspot-eap-ttls|hotspot-eap-peap|hotspot-eap-sim> **

Reset / clear WLAN related configuration options.

** use wireless connection limit (1-65536) **

Limit the number of connections to the AP to the specified value.

** no use wireless connection limit **

Reset / clear the limit on simultaneous connections to the AP.

** <permit|deny> hw-address WORD **

Add a MAC address to the black or white list that controls connection to the AP. Applies to AP mode.

** no <permit|deny> hw-address **

Reset the black or white list of MAC addresses.

** use wireless ap hw-address WORD **

Set the MAC address of the AP to connect to, e.g. 00:01:02:03:04:05.

** no use wireless ap hw-address **

Reset / clear the MAC address of the AP to connect to.

** use wireless power constraint (1-255) **

Enable power constraint for AP mode and set the constraint value in dBi.

** no use wireless power constraint **

Disable power constraint for AP mode.

** use wireless channel-width <20mhz|5mhz|10mhz|40mhz|ht-|ht+|80mhz|80+80mhz|160mhz|160+160mhz|320mhz|1_5mhz|2_5mhz> **

Specify the required channel width. It must be supported by the existing hardware and the selected network mode:

- 40Mhz, 20Mhz, 10Mhz, 5Mhz (for modes older than WiFi5 (802.11ac) and special radio cards);

- 40Mhz with control channel below data (for WiFi4 (802.11n) mode and above);

- 40Mhz with control channel above data (for WiFi4 (802.11n) mode and above);

- 80Mhz (for WiFi5 (802.11ac) mode and above);

- 80+80Mhz (for WiFi5 (802.11ac Wave2) mode and above);

- 160Mhz (for WiFi5 (802.11ac Wave2) mode and above);

- 160+160Mhz (for WiFi6E (802.11ax) mode and above).

** no use wireless channel-width **

Reset the previously configured WLAN channel width.

** use wireless qos <background|best-effort|video|voice> <interframe|mincw|maxcw|bursting|acms> (0-65535) **

Set a Wireless Multimedia class parameter: interframe interval («interframe»), minimum contention window («mincw»), maximum contention window («maxcw»), bursting time («bursting») or ACMs number («acms»).

** no use wireless qos <background|best-effort|video|voice> <interframe|mincw|maxcw|bursting|acms> **

Reset the Wireless Multimedia setting for the specified class and parameter.

** use wireless <fast-roaming-domain|fast-roaming-key|fast-roaming-mac-list|hotspot-venue-name|hotspot-friendly-name|hotspot-mnc-mcc-list> WORD **

Set various Hotspot 2.0 and Fast roaming settings:

- fast-roaming-domain — Mobility Domain (four hex digits);

- fast-roaming-key — Roaming key (32 hex digits);

- fast-roaming-mac-list — comma separated MAC list (e.g. 00:01:02:03:04:05,00:01:02:03:04:06);

- hotspot-venue-name — Hotspot 2.0 Venue Name;

- hotspot-friendly-name — Hotspot 2.0 Friendly Name (comma separated list in different languages);

- hotspot-mnc-mcc-list — list of MNC,MCC pairs (e.g. MNC1,MCC1;MNC1,MCC2).

** no use wireless <fast-roaming-domain|fast-roaming-key|fast-roaming-mac-list|hotspot-venue-name|hotspot-friendly-name|hotspot-mnc-mcc-list> **

Reset / clear Hotspot 2.0 and Fast roaming settings.

** use wireless hotspot-network-type <private|guest|chargeable|free> **

Specify the Hotspot 2.0 network type.

** no use wireless hotspot-network-type **

Reset the WLAN Hotspot 2.0 network type.

IPSEC related commands

** use submode <tunnel|transport> **

Specify «tunnel» or «transport» mode.

** use policy <start|trap> **

Specify how to initiate the tunnel: immediately («start») or when matching traffic appears («trap»).

** no use ipsec <aggressive|mobike|multinet|stub|ikev1|ikev2|ikev1+v2> **

Clear / reset some IPSec parameters.

** use ipsec <aggressive|mobike|multinet|stub> **

Enable IPSec related options:

«aggressive» - enables aggressive mode for IPSec.

«stub» - the IPSec connection will never come up. Traffic will be excluded from the policy.

«multinet» - allows every network on the left side to connect to every network on the right side.

** use ipsec <ikev1|ikev2|ikev1+v2> **

Specify what IKE version to use.

** use ipsec <inactivity|rekey|reauth> time (60-31536000) **

Set the inactivity, rekey or reauthentication timeout in seconds.

** no use ipsec <inactivity|rekey|reauth> time **

Clear / reset the timeouts to their defaults.

** use ipsec dead-peer <detection|delay> time (60-86400) **

Set timeouts for dead-peer detection processing.

** no use ipsec dead-peer <detection|delay> time **

Clear / reset the dead-peer timeouts to their defaults.

** use ipsec marker <incoming|outgoing> (1-65536) **

Match only traffic carrying the specified mark to IPSec.

** no use ipsec marker <incoming|outgoing> **

Do not match any marked traffic to IPSec.

** use ipsec reuse id (1-65536) **

Tell the software to use the specified ID.

** no use ipsec reuse id **

Do not use a specified ID; assign it automatically.

** use ipsec <first|second> phase ciphers WORD **

Specify the cipher suite (cipher/hash/PFS) to use in the first / second stage (e.g. AES128-GCM).

** no use ipsec <first|second> phase ciphers **

Reset the cipher suite to the default.

** use ipsec <local|remote> side port (1-65536) **

Apply IPSec to UDP or TCP traffic with the specified source or destination port.

** no use ipsec <local|remote> side port **

Reset the port selection.

** use ipsec <local|remote> side <alias|network> WORD **

Set the local or remote alias or network (e.g. 192.168.25.1).

** no use ipsec <local|remote> side <alias|network> **

Reset / clear the local or remote settings (alias or network) to the default.

** use ipsec for protocol <icmp|tcp|udp|gre> **

Match the protocol to apply IPSec to. TCP and UDP allow source and/or destination port(s) to be specified.

** no use ipsec for protocol **

Reset / clear the protocol settings to the default.

Configuration samples

DM VPN spoke, BGP and two L2TP connections secured by IPSec.

IPSec profiles are ipsec-tun1 and ipsec-dmvpn.

frr version 8.1
frr defaults traditional
hostname netshe_3171772038
log syslog
nhrp nflog-group 1
!
time zone GMT0
time source pool.ntp.org
wlan country 00
start timeserver
start dns relay
start dhcp server
start ip firewall
start ipv6 firewall
start ssh
start http
!
aaa
server radius 127.0.0.1 key testing123
exit
!
!
dns
searchdomain localdomain
bind forwarder to zone Lan
exit
!
!
dhcp
lease time default 7200
lease time max 86400
exit
!
!
ip firewall
input policy deny
output policy permit
forward policy permit
drop invalid
syn flood protect rate 25 burst 50
exit
!
!
ipv6 firewall
input policy deny
output policy permit
forward policy permit
drop invalid
syn flood protect rate 25 burst 50
exit
!
!
zone Lan
interface br0
interface aeql
interface lo1
!
ip firewall
input policy permit
forward policy permit
output policy permit
fix mss output to Wan
easy napt output to Wan
exit
!
!
ipv6 firewall
input policy permit
forward policy permit
output policy permit
fix mss output to Wan
easy napt output to Wan
exit
!
exit
!
!
zone Wan
interface eth0
!
ip firewall
input policy deny
forward policy permit
output policy permit
fix mss output to Lan
rule permit icmp source 0.0.0.0 mask 0 destination 0.0.0.0 mask 0
rule permit tcp source 0.0.0.0 mask 0 destination 0.0.0.0 mask 0 port 443
rule permit tcp source 0.0.0.0 mask 0 destination 0.0.0.0 mask 0 port 444
exit
!
!
ipv6 firewall
input policy deny
forward policy permit
output policy permit
fix mss output to Lan
rule permit icmp source :: mask 0 destination :: mask 0
rule permit tcp source :: mask 0 destination :: mask 0 port 443
rule permit tcp source :: mask 0 destination :: mask 0 port 444
exit
!
exit
!
!
zone Dmz
!
ip firewall
input policy deny
forward policy permit
output policy permit
exit
!
!
ipv6 firewall
input policy deny
forward policy permit
output policy permit
exit
!
exit
!
!
debug nhrp common
!
interface aeql
ip address 169.254.255.255/32
exit
!
interface br0
bridge stp on
ip dhcp pool start 192.168.1.30 last 192.168.1.245
exit
!
interface eth0
ip address dhcp
ipv6 address dhcp
exit
!
interface eth1
member bridge br0
exit
!
interface ipsec-dmvpn
use auth-type pap
use ipsec first phase ciphers -
use ipsec for protocol gre
use ipsec ikev2
use ipsec local side alias 172.16.0.1
use ipsec reauth time 86400
use ipsec rekey time 28800
use ipsec second phase ciphers -
use key 1234567890
use mode ipsec
use peer %any
use policy trap
use submode transport
exit
!
interface ipsec-tun1
use auth-type pap
use ipsec first phase ciphers -
use ipsec for protocol udp
use ipsec ikev2
use ipsec reauth time 86400
use ipsec rekey time 28800
use ipsec remote side port 1701
use ipsec second phase ciphers aes256gcm128
use key 1234567890
use local Wan
use mode ipsec
use peer 192.168.26.201
use policy trap
use submode transport
exit
!
interface l2tp1
ip address auto
member bond aeql
use key test
use login test
use mode l2tp
use peer 151.106.24.26
exit
!
interface l2tp2
ip address auto
member bond aeql
use key test
use login test
use mode l2tp
use peer 151.106.24.27
exit
!
interface lo1
ip address 169.254.255.254/32
exit
!
interface wlan0
hide service-set
member bridge br0
no use wireless tkip
use auth-type wpa3-psk
use key 1234567890
use mode ap
use network-mode 80211n
use service-set MyNETWORK
use wireless channel 1
use wireless channel-width 20mhz
use wireless connection limit 20
use wireless distance 900
use wireless gain 13
use wireless power 20
use wireless power constraint 20
use wireless qos
use wireless rx-antenna 11
use wireless tx-antenna 11
exit
!
interface xdmvpn.auto.1
ip nhrp network-id 1
ip nhrp redirect
ip nhrp registration no-unique
ip nhrp shortcut
tunnel protection vici profile ipsec-dmvpn
tunnel source eth0
exit
!
router bgp 65000
bgp router-id 172.16.0.1
no bgp ebgp-requires-policy
bgp deterministic-med
no bgp network import-check
timers bgp 20 60
neighbor spokes-ibgp peer-group
neighbor spokes-ibgp remote-as 65000
neighbor spokes-ibgp passive
neighbor spokes-ibgp disable-connected-check
neighbor spokes-ibgp advertisement-interval 1
!
address-family ipv4 unicast
network 172.16.0.0/23
redistribute nhrp
neighbor spokes-ibgp route-reflector-client
neighbor spokes-ibgp next-hop-self force
neighbor spokes-ibgp soft-reconfiguration inbound
exit-address-family
exit
!
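The interface blocks above are plain «interface NAME ... exit» text, so they can be checked mechanically before being applied. The following is an added example (not part of this reference and not a vendor tool): it parses that block format and flags settings this document describes as legacy or default, such as «use wireless tkip», «use ipsec ikev1», «use ipsec aggressive» and a cipher suite left at «-». The review policy and the sample config are constructed for illustration.

```python
import re
from typing import Dict, List

# Constructed sample in this document's "interface ... exit" format (not a real device dump).
SAMPLE_CONFIG = """\
interface ipsec-tun1
use ipsec first phase ciphers -
use ipsec ikev1
use ipsec aggressive
use key 1234567890
exit
!
interface wlan0
use auth-type wpa2-psk
use wireless tkip
use key 1234567890
exit
!
"""

def parse_interfaces(text: str) -> Dict[str, List[str]]:
    """Collect the command lines of every 'interface NAME' ... 'exit' block."""
    blocks, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            blocks[current] = []
        elif line == "exit":
            current = None
        elif current is not None and line and not line.startswith("!"):
            blocks[current].append(line)
    return blocks

# Hypothetical review policy over settings documented in this reference.
WEAK = [
    (re.compile(r"^use auth-type (none|wep)(\s|$)"), "weak auth-type"),
    (re.compile(r"^use wireless (wep|tkip)$"), "legacy WLAN cipher enabled"),
    (re.compile(r"^use ipsec ikev1(\+v2)?$"), "IKEv1 permitted"),
    (re.compile(r"^use ipsec aggressive$"), "IKEv1 aggressive mode"),
    (re.compile(r"^use ipsec (first|second) phase ciphers -$"), "cipher suite left at default"),
]

def audit(text: str) -> Dict[str, List[str]]:
    """Return {interface: [findings]} for interfaces with at least one finding."""
    findings = {}
    for name, lines in parse_interfaces(text).items():
        hits = [f"{why}: {line}" for line in lines for pat, why in WEAK if pat.match(line)]
        for line in lines:  # 'use key' carries a shared secret; short or all-digit values are weak
            if line.startswith("use key ") and (len(line.split()[2]) < 16 or line.split()[2].isdigit()):
                hits.append(f"short or numeric-only key: {line}")
        if hits:
            findings[name] = hits
    return findings

if __name__ == "__main__":
    for iface, hits in audit(SAMPLE_CONFIG).items():
        print(iface, *("  - " + h for h in hits), sep="\n")
```

Feed it the output of a running configuration dump instead of SAMPLE_CONFIG to review a live device; interfaces with no findings are omitted from the result.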