WLAN/WIFI - Wireless LAN

The WLAN interface provides 802.11 (a/b/g/n/ac) wireless support (commonly referred to as Wi-Fi) by means of compatible hardware. If your hardware supports it, VyOS supports multiple logical wireless interfaces per physical device.

There are three modes of operation for a wireless interface:

  • WAP mode provides network access to connecting stations if the physical hardware supports acting as a WAP

  • Station mode acts as a Wi-Fi client accessing the network through an available WAP

  • Monitor mode lets the system passively monitor wireless traffic

If the system detects an unconfigured wireless device, it is automatically added to the configuration tree, specifying any detected settings (for example, its MAC address), and configured to run in monitor mode.

Configuration

Common interface configuration

set interfaces wireless <interface> address <address | dhcp | dhcpv6>

Configure the interface with one or more IP addresses.

The following options are available:

  • address: Assign one or more IPv4 or IPv6 addresses to the interface. For example, use 192.0.2.1/24 for IPv4 or 2001:db8::1/64 for IPv6.

  • dhcp: The interface obtains an IPv4 address from a DHCP server on the same network segment.

  • dhcpv6: The interface obtains an IPv6 address from a DHCPv6 server on the same network segment.

Note

If the interface obtains an IPv4 address via DHCP, and specific adjustments are needed before/after the IP address is obtained, use the provided hook scripts:

  • /config/scripts/dhcp-client/pre-hooks.d/

  • /config/scripts/dhcp-client/post-hooks.d/

Example:

set interfaces wireless wlan0 address 192.0.2.1/24
set interfaces wireless wlan0 address 2001:db8::1/64
set interfaces wireless wlan0 address dhcp
set interfaces wireless wlan0 address dhcpv6

set interfaces wireless <interface> description <description>

Configure a clear, descriptive alias for the interface.

This alias appears in the show interfaces command and SNMP-based monitoring tools.

Example:

set interfaces wireless wlan0 description 'This is an interface running on VyOS.'

set interfaces wireless <interface> disable

Disable the interface.

The interface will be set to the administratively down (A/D) state.

Example:

set interfaces wireless wlan0 disable

set interfaces wireless <interface> disable-flow-control

Disable Ethernet flow control (IEEE 802.3x pause frames) on the interface.

Ethernet flow control, defined by the IEEE 802.3x standard, temporarily stops data transmission to prevent packet loss during network congestion, for example, when a sender transmits data faster than the receiver can process it.

Disabling Ethernet flow control means the interface will not signal the connected device to pause transmission and will drop packets if overwhelmed.

Example:

set interfaces wireless wlan0 disable-flow-control

set interfaces wireless <interface> disable-link-detect

Disable physical link-state change detection on the interface, such as when a cable is unplugged.

By default, the interface detects physical link-state changes.

Example:

set interfaces wireless wlan0 disable-link-detect

set interfaces wireless <interface> mac <xx:xx:xx:xx:xx:xx>

Configure a custom MAC address on the interface.

Example:

set interfaces wireless wlan0 mac '00:53:01:02:03:04'

set interfaces wireless <interface> mtu <mtu>

Configure the MTU on the interface.

This value defines the largest packet size, in bytes, that the interface transmits without fragmentation.

Example:

set interfaces wireless wlan0 mtu 1600

set interfaces wireless <interface> ip adjust-mss <mss | clamp-mss-to-pmtu>

Configure the MSS advertised in outgoing TCP SYN packets on the specified interface.

By clamping the MSS value in TCP SYN packets, you explicitly inform the remote side not to send packets larger than that size. This prevents connection issues that occur when Path MTU Discovery (PMTUD) fails.

The following options are available:

  • mss: Sets the MSS to a specific value, in bytes. Use this option if you need to enforce a specific MSS, for example, to troubleshoot connectivity issues or accommodate specific network requirements.

  • clamp-mss-to-pmtu: The router automatically calculates the MSS to be the interface’s MTU minus 40 bytes for IPv4 traffic (20 bytes for the IPv4 header and 20 bytes for the TCP header). This option is recommended to automatically set the proper value.

set interfaces wireless <interface> ip arp-cache-timeout

Configure how long an ARP entry remains valid after learning an IP-to-MAC address mapping on this interface.

The default duration is 30 seconds.

An ARP entry remains valid if it receives positive feedback from higher-level protocols.

Example:

set interfaces wireless wlan0 ip arp-cache-timeout 180

set interfaces wireless <interface> ip disable-arp-filter

Configure ARP filtering on this interface.

Default behavior: The kernel responds to ARP requests on this interface only if the traffic would be routed back to the ARP sender through that specific interface.

If configured: The kernel responds to ARP requests on this interface for any IP address configured on the local host, regardless of which specific interface that IP address is assigned to, and regardless of the routing table. This reflects the Linux concept that IP addresses belong to the host, not individual interfaces.

Example:

set interfaces wireless wlan0 ip disable-arp-filter

set interfaces wireless <interface> ip disable-forwarding

Configure the interface for host or router behavior.

If configured, the interface switches to host mode, and IPv4 forwarding is disabled on it.

Example:

set interfaces wireless wlan0 ip disable-forwarding

set interfaces wireless <interface> ip enable-directed-broadcast

Configure whether to forward IP-directed broadcast packets received on this interface.

Default behavior: IP-directed broadcast packets are dropped.

If configured: IP-directed broadcast packets are forwarded to all hosts on the destination subnet, as defined in RFC 1812 and RFC 2644.

Example:

set interfaces wireless wlan0 ip enable-directed-broadcast

set interfaces wireless <interface> ip enable-arp-accept

Configure how to process gratuitous ARPs on this interface.

If configured, an IP-to-MAC address mapping is added to the ARP table based on gratuitous ARP requests or replies.

Note

If the ARP table already contains the IP address from a gratuitous ARP, its entry is updated regardless of whether this setting is configured.

Example:

set interfaces wireless wlan0 ip enable-arp-accept

set interfaces wireless <interface> ip enable-arp-announce

Configure the source IP selection for ARP requests on this interface.

Default behavior: The kernel can use any IP address the host owns as the source IP address in ARP requests on this interface.

If configured: The kernel first attempts to select a source IP address configured on the interface that shares a common subnet with the target IP address. If there is no such subnet, the kernel selects the IP address it would normally use (based on the routing table to reach the target destination).

Example:

set interfaces wireless wlan0 ip enable-arp-announce

set interfaces wireless <interface> ip enable-arp-ignore

Configure which ARP requests will be ignored on this interface.

Default behavior: The kernel responds to ARP requests for any local IP addresses, regardless of which interface they are assigned to.

If configured: The kernel responds to ARP requests only if the target IP address is assigned to this specific interface.

Example:

set interfaces wireless wlan0 ip enable-arp-ignore

set interfaces wireless <interface> ip enable-proxy-arp

Configure proxy ARP on this interface.

If configured, the router (kernel) intercepts ARP requests for non-local IP addresses and replies with the MAC address of the interface that received the request. Subsequent packets destined to these IP addresses are forwarded to their actual destinations on remote subnets.

Example:

set interfaces wireless wlan0 ip enable-proxy-arp

set interfaces wireless <interface> ip proxy-arp-pvlan

Configure local proxy ARP on the interface.

If configured, the router (kernel) responds to ARP requests on this VLAN interface even if the target IP address resides on the same subnet and interface.

This is used to support network isolation requirements (RFC 3069) for private VLANs (PVLANs). In PVLAN configurations, hosts on isolated ports are NOT allowed to communicate directly with each other at Layer 2, but they can communicate with the upstream router.

By replying to inter-host ARP requests with its own MAC address, the router (kernel) directs inter-host traffic through itself instead of directly between hosts.

Note

This command works independently and does not require enabling the standard proxy ARP on the interface.

Local proxy ARP is also known as:

  • VLAN aggregation (RFC 3069).

  • Private VLAN (Cisco, Allied Telesyn).

  • Source-port filtering or port isolation (Hewlett-Packard).

  • MAC-Forced Forwarding (Ericsson).

set interfaces wireless <interface> ip source-validation <strict | loose | disable>

Configure source IP address validation using RPF on this interface, as specified in RFC 3704.

The following options are available:

  • strict: Each incoming packet’s source IP address is checked against the Forwarding Information Base (FIB). If the interface is not the best route back to that source, validation fails, and the packet is dropped.

  • loose: Each incoming packet’s source IP address is checked against the FIB. If the source IP address is unreachable through any interface, validation fails.

  • disable: No source IP address validation is performed. All incoming packets are accepted.

RFC 3704 recommends enabling strict mode to prevent IP spoofing, which is commonly used in DDoS attacks. For asymmetric or other complex routing scenarios, use loose mode.

set interfaces wireless <interface> ipv6 address autoconf

Configure the interface to automatically obtain an IPv6 address using SLAAC, as specified in RFC 4862.

IPv6 hosts can configure themselves automatically when connected to an IPv6 network using the Neighbor Discovery Protocol via ICMPv6 router discovery messages. When first connected to a network, a host sends a link-local router solicitation multicast request for its configuration parameters. The router responds with a router advertisement packet containing Internet Layer configuration parameters.

Note

This method automatically disables IPv6 traffic forwarding on the interface.

Example:

set interfaces wireless wlan0 ipv6 address autoconf

set interfaces wireless <interface> ipv6 address eui64 <prefix>

Configure the interface to assign itself an IPv6 address using the EUI-64 method, as specified in RFC 4291.

Example:

set interfaces wireless wlan0 ipv6 address eui64 2001:db8:beef::/64

set interfaces wireless <interface> ipv6 address no-default-link-local

Disable the automatic assignment of a link-local IPv6 address to this interface.

Example:

set interfaces wireless wlan0 ipv6 address no-default-link-local

set interfaces wireless <interface> ipv6 disable-forwarding

Configure the interface for host or router behavior.

If configured, the interface switches to host mode, and IPv6 forwarding is disabled on it.

Example:

set interfaces wireless wlan0 ipv6 disable-forwarding

set interfaces wireless <interface> ipv6 adjust-mss <mss | clamp-mss-to-pmtu>

Configure the MSS advertised in outgoing TCP SYN packets on the specified interface.

By clamping the MSS value in TCP SYN packets, you explicitly inform the remote side not to send packets larger than that size. This prevents connection issues when Path MTU Discovery (PMTUD) fails.

The following options are available:

  • mss: Set the MSS to a specific value, in bytes. Use this option to enforce a specific MSS, for example, to troubleshoot connectivity issues or accommodate specific network requirements.

  • clamp-mss-to-pmtu: The router calculates the MSS to be the interface’s MTU minus 60 bytes for IPv6 traffic (40 bytes for the IPv6 header and 20 bytes for the TCP header). This option is recommended to automatically set the proper value.

set interfaces wireless <interface> ipv6 accept-dad <0 | 1 | 2>

Configure IPv6 DAD on the interface.

The following options are available:

  • 0: Disables DAD. No duplicate address detection is performed.

  • 1: Enables DAD (default). Duplicate addresses are detected. The interface’s IPv6 operation continues for valid IPv6 addresses.

  • 2: Enables DAD and, if a MAC-based duplicate link-local address is found, disables IPv6 operation on this interface.

Example:

set interfaces wireless wlan0 ipv6 accept-dad 2

set interfaces wireless <interface> ipv6 dup-addr-detect-transmits <n>

Configure the number of DAD messages that the router (kernel) sends during IPv6 address assignment on this interface.

The default value is 1.

Example:

set interfaces wireless wlan0 ipv6 dup-addr-detect-transmits 5

set interfaces wireless <interface> vrf <vrf>

Assign the interface to a specific VRF instance.

See also

For information on configuring a VRF, refer to the VRF section.

Example:

set interfaces wireless wlan0 vrf red

DHCP(v6)

set interfaces wireless <interface> dhcp-options client-id <description>

Configure a DHCP client identifier for the interface, as specified in RFC 2131.

The client-id is an identifier that the DHCP client sends to the DHCP server to uniquely identify itself for IP address assignment. By default, the client uses its MAC address. The <description> is a user-defined string that will be sent to the DHCP server as the DHCP client identifier.

Example:

set interfaces wireless wlan0 dhcp-options client-id 'foo-bar'

set interfaces wireless <interface> dhcp-options host-name <hostname>

Configure a specific hostname for the interface.

Instead of the real hostname, the DHCP client will send the specific hostname to the DHCP server when requesting an IP address.

Example:

set interfaces wireless wlan0 dhcp-options host-name 'VyOS'

set interfaces wireless <interface> dhcp-options vendor-class-id <vendor-id>

Configure the DHCP client to include a vendor-class identifier in its DHCP requests on this interface.

The vendor-class identifier is a vendor-specific byte string that enables the DHCP server to identify the device and, in some cases, provide configuration options.

Example:

set interfaces wireless wlan0 dhcp-options vendor-class-id 'VyOS'

set interfaces wireless <interface> dhcp-options no-default-route

Configure the DHCP client to obtain an IP address, but ignore any default gateway provided by the DHCP server on this interface.

Example:

set interfaces wireless wlan0 dhcp-options no-default-route

set interfaces wireless <interface> dhcp-options default-route-distance <distance>

Configure the distance for the default route obtained from the DHCP server on this interface.

Example:

set interfaces wireless wlan0 dhcp-options default-route-distance 220

set interfaces wireless <interface> dhcp-options reject <address>

Configure the DHCP client to reject the specific IP address or IP address range from the DHCP server on this interface.

This is useful when a modem assigns a local IP address upon start. To reject multiple addresses, run this command multiple times with different values. You can reject individual addresses (192.168.100.1) or entire subnets (192.168.100.0/24).

Example:

set interfaces wireless wlan0 dhcp-options reject 192.168.100.0/24

set interfaces wireless <interface> dhcp-options user-class <string>

Configure the DHCP client to send a specific user-class identifier in its DHCP requests on this interface.

The DHCP server can interpret this identifier and provide specific configuration options based on it (for example, default routes). The user-class value typically groups DHCP clients with similar configuration needs (for example, employees, guests, or printers).

Example:

set interfaces wireless wlan0 dhcp-options user-class VyOS

set interfaces wireless <interface> dhcpv6-options duid <duid>

Configure a specific DUID for the DHCPv6 client on this interface.

The DUID is an identifier used by a DHCPv6 client to get an IPv6 address from a DHCPv6 server. It consists of a 2-byte type field, followed by a variable-length identifier field up to 128 bytes. The format of the identifier part depends on the DUID type:

  • DUID-LLT: The most common type, which includes a hardware type, a timestamp, and a MAC address.

  • DUID-EN: Based on a vendor’s enterprise number and a unique identifier assigned by the vendor.

  • DUID-LL: Includes only a MAC address.

The DHCP server matches the DUID against its database and provides configuration data (such as address, lease times, DNS servers, etc.) to the DHCP client.

Example:

set interfaces wireless wlan0 dhcpv6-options duid '0e:00:00:01:00:01:27:71:db:f0:00:50:56:bf:c5:6d'

set interfaces wireless <interface> dhcpv6-options no-release

Configure the DHCP client not to send a release message when it stops running on this interface.

This helps retain the assigned address or prefix.

Example:

set interfaces wireless wlan0 dhcpv6-options no-release

set interfaces wireless <interface> dhcpv6-options parameters-only

Enable a stateless DHCPv6 client mode on this interface.

In stateless mode, the DHCPv6 client requests only stateless configuration parameters from the DHCP server (for example, DNS server addresses). It doesn’t request a stateful configuration, such as IPv6 addresses or prefixes.

Example:

set interfaces wireless wlan0 dhcpv6-options parameters-only

set interfaces wireless <interface> dhcpv6-options rapid-commit

Enable DHCPv6 rapid commit on this interface.

When enabled, the DHCP client and server skip the negotiation steps (Advertise and Request), completing the DHCPv6 configuration process in just two messages (Solicit and final Reply).

Example:

set interfaces wireless wlan0 dhcpv6-options rapid-commit

set interfaces wireless <interface> dhcpv6-options temporary

Configure the DHCPv6 client to request a temporary IPv6 address on this interface.

When configured, the DHCP client doesn’t form an Identity Association for Non-temporary Addresses (IA_NA) partnership. Consequently, it only obtains a temporary IPv6 address and doesn’t obtain a permanent one.

Example:

set interfaces wireless wlan0 dhcpv6-options temporary

DHCPv6 Prefix Delegation (PD)

VyOS supports DHCPv6 Prefix Delegation (DHCPv6-PD) as described in RFC 3633. DHCPv6-PD is supported by most ISPs that provide native IPv6 for consumers on fixed networks.

set interfaces wireless <interface> dhcpv6-options pd <id> length <length>

Configure a specific prefix length for DHCPv6-PD requests on this interface.

Some ISPs provide only a /64 prefix by default. Use this command to request a different prefix length for a specific DHCPv6-PD request, ranging from /32 (if allowed by your ISP) down to /64. <id> is a unique identifier for the DHCPv6-PD request.

The default value is 64.

To request a /56 prefix from your ISP, use:

set interfaces wireless wlan0 dhcpv6-options pd 0 length 56

set interfaces wireless <interface> dhcpv6-options pd <id> interface <delegatee> address <address>

Configure the IPv6 interface identifier (host portion) for the delegatee interface.

The value must be a decimal integer. It is appended to the delegated prefix and the configured SLA ID to form the final IPv6 address.

By default, the host portion is generated based on the parent interface’s MAC address (EUI-64 format).

Example:

If a /64 prefix is delegated to interface eth8 and you configure the host portion as 65535, the resulting IPv6 address will end with ::ffff, as 65535 corresponds to ffff in hexadecimal notation.

set interfaces wireless wlan0 dhcpv6-options pd 0 interface eth8 address 65535

set interfaces wireless <interface> dhcpv6-options pd <id> interface <delegatee> sla-id <id>

Configure the SLA ID for the delegatee interface.

The value must be a decimal integer greater than 0 and fit in the length of SLA IDs. It is converted to hexadecimal and appended to the delegated prefix to form the specific subnet prefix for the delegatee interface.

Example:

If SLA ID is 1 and the delegated prefix is 2001:db8:ffff::/48, the resulting subnet prefix for the delegatee interface will be 2001:db8:ffff:1::/64.

set interfaces wireless wlan0 dhcpv6-options pd 0 interface eth8 sla-id 1
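
The address and sla-id rules above can be checked before committing a configuration. The following is an added example, not VyOS code: the function name plan_delegation, the fixed /64 subnet size, and the acceptance of SLA ID 0 for an already-/64 delegation are assumptions made for illustration. It composes each delegatee's subnet and address and rejects SLA IDs that do not fit or that collide.

```python
import ipaddress

SUBNET_LEN = 64  # delegatee subnets are /64, as in the sla-id example above


def plan_delegation(delegated_prefix, delegatees):
    """Compose subnet and address per delegatee interface.

    delegatees maps an interface name to (sla_id, host_id); host_id may be
    None when the host portion is left to EUI-64. Returns a dict mapping the
    interface name to (subnet, address-or-None). Hypothetical helper.
    """
    prefix = ipaddress.IPv6Network(delegated_prefix)
    sla_bits = SUBNET_LEN - prefix.prefixlen
    if sla_bits < 0:
        raise ValueError(f"{prefix} is longer than /{SUBNET_LEN}")

    plan, owner_of = {}, {}
    for ifname, (sla_id, host_id) in delegatees.items():
        # "fit in the length of SLA IDs": a /48 leaves 16 bits, a /56 leaves 8.
        # Assumption: 0 is accepted so that a plain /64 delegation can be modelled.
        if sla_id < 0 or sla_id >= (1 << sla_bits):
            raise ValueError(
                f"{ifname}: sla-id {sla_id} does not fit in {sla_bits} bits")
        # Two delegatees with the same SLA ID would share one subnet.
        if sla_id in owner_of:
            raise ValueError(
                f"{ifname}: sla-id {sla_id} already used by {owner_of[sla_id]}")
        owner_of[sla_id] = ifname

        # The SLA ID occupies the bits between the delegated prefix and bit 64.
        base = int(prefix.network_address) | (sla_id << (128 - SUBNET_LEN))
        subnet = ipaddress.IPv6Network((base, SUBNET_LEN))

        address = None
        if host_id is not None:
            if not 0 < host_id < (1 << (128 - SUBNET_LEN)):
                raise ValueError(f"{ifname}: host portion {host_id} out of range")
            # The decimal host portion becomes the low 64 bits of the address.
            address = ipaddress.IPv6Address(base | host_id)
        plan[ifname] = (subnet, address)
    return plan


if __name__ == "__main__":
    # Values taken from the two examples above: a /48 with sla-id 1, host 65535.
    for name, (subnet, addr) in plan_delegation(
            "2001:db8:ffff::/48", {"eth8": (1, 65535)}).items():
        print(name, subnet, addr)
```
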

System Wide configuration

set system wireless country-code <cc>

Country code (ISO/IEC 3166-1). Used to set regulatory domain. Set as needed to indicate country in which device is operating. This can limit available channels and transmit power.

Note

This option is mandatory in Access-Point mode.

Wireless options

set interfaces wireless <interface> channel <number>

Channel number (IEEE 802.11). On 2.4 GHz (802.11 b/g/n/ax), channels range from 1 to 14. On 5 GHz (802.11 a/h/j/n/ac), the available channels are 0 and 34 to 177. On 6 GHz (802.11 ax), channels range from 1 to 233.

set interfaces wireless <interface> disable-broadcast-ssid

Send empty SSID in beacons and ignore probe request frames that do not specify full SSID, i.e., require stations to know the SSID.

set interfaces wireless <interface> expunge-failing-stations

Disassociate stations based on excessive transmission failures or other indications of connection loss.

This depends on the driver capabilities and may not be available with all drivers.

set interfaces wireless <interface> isolate-stations

Client isolation can be used to prevent low-level bridging of frames between associated stations in the BSS.

By default, this bridging is allowed.

set interfaces wireless <interface> max-stations

Maximum number of stations allowed in station table. New stations will be rejected after the station table is full. IEEE 802.11 has a limit of 2007 different association IDs, so this number should not be larger than that.

This defaults to 2007.

set interfaces wireless <interface> mgmt-frame-protection

Management Frame Protection (MFP) according to IEEE 802.11w

Note

MFP is required for WPA3.

set interfaces wireless <interface> enable-bf-protection

Beacon Protection: management frame protection for Beacon frames.

Note

This option requires MFP to be enabled.

set interfaces wireless <interface> mode <a | b | g | n | ac | ax>

Operation mode of wireless radio.

  • a - 802.11a - 54 Mbits/sec

  • b - 802.11b - 11 Mbits/sec

  • g - 802.11g - 54 Mbits/sec (default)

  • n - 802.11n - 600 Mbits/sec

  • ac - 802.11ac - 1300 Mbits/sec

  • ax - 802.11ax - exceeds 1GBit/sec

Note

In VyOS, 802.11ax is only implemented for 2.4GHz and 6GHz.

set interfaces wireless <interface> physical-device <device>

Wireless hardware device used as underlay radio.

This defaults to phy0.

set interfaces wireless <interface> reduce-transmit-power <number>

Adds the Power Constraint information element to Beacon and Probe Response frames.

This option adds the Power Constraint information element when applicable and the Country information element is configured. The Power Constraint element is required by Transmit Power Control.

Valid values are 0..255.

set interfaces wireless <interface> ssid <ssid>

SSID to be used in IEEE 802.11 management frames

set interfaces wireless <interface> type <access-point | station | monitor>

Wireless device type for this interface

  • access-point - Access-point forwards packets between other nodes

  • station - Connects to another access point

  • monitor - Passively monitor all packets on the frequency/channel

set interfaces wireless <interface> per-client-thread

Enable threaded mode for all NAPI instances of the specified network device.

Enabling threaded mode doesn’t affect device operation and can be done while the device is up.

This mode is disabled by default.

Example:

set interfaces wireless wlan0 per-client-thread
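
Several of the options documented above change the interface's exposure (directed broadcast forwarding, source validation, station isolation, management frame protection). The following added example, which is not part of VyOS, reads a list of set commands and reports those settings per interface. The sample configuration is constructed, the names audit and parse_set_commands are hypothetical, and the 16-character passphrase threshold is an assumed local policy.

```python
import shlex
from collections import defaultdict

MIN_PASSPHRASE_LEN = 16  # assumed local policy, not a VyOS default

# Constructed sample input using the command forms shown on this page.
SAMPLE = """\
set system wireless country-code de
set interfaces wireless wlan0 type access-point
set interfaces wireless wlan0 ssid 'TEST'
set interfaces wireless wlan0 security wpa passphrase '12345678'
set interfaces wireless wlan0 ip enable-directed-broadcast
set interfaces wireless wlan0 enable-bf-protection
set interfaces wireless wlan1 type station
set interfaces wireless wlan1 ip source-validation strict
set interfaces wireless wlan1 security wpa passphrase 'constructed sample passphrase 42'
"""


def parse_set_commands(text):
    """Split 'set' lines into system-wide and per-interface token paths."""
    system, ifaces = [], defaultdict(list)
    for raw in text.splitlines():
        tok = shlex.split(raw.strip())  # shlex strips the single quotes
        if tok[:1] != ["set"]:
            continue
        if tok[1:3] == ["interfaces", "wireless"] and len(tok) > 4:
            ifaces[tok[3]].append(tuple(tok[4:]))
        elif tok[1:3] == ["system", "wireless"]:
            system.append(tuple(tok[3:]))
    return system, dict(ifaces)


def has(paths, *prefix):
    """True if any configured path starts with the given tokens."""
    return any(p[:len(prefix)] == prefix for p in paths)


def value(paths, *prefix):
    """Return the token that follows the given path, or None if unset."""
    for p in paths:
        if p[:len(prefix)] == prefix and len(p) > len(prefix):
            return p[len(prefix)]
    return None


def audit(text):
    """Return a list of (interface, code, message) findings."""
    system, ifaces = parse_set_commands(text)
    findings = []
    for name, paths in sorted(ifaces.items()):
        def flag(code, msg, name=name):
            findings.append((name, code, msg))

        is_ap = value(paths, "type") == "access-point"
        if is_ap and not has(system, "country-code"):
            flag("no-country-code", "country-code is mandatory in access-point mode")
        if is_ap and not has(paths, "isolate-stations"):
            flag("no-isolation", "frames are bridged between associated stations")
        # The page does not list this option's values, so only presence is checked.
        if is_ap and not has(paths, "mgmt-frame-protection"):
            flag("no-mfp", "management frame protection not configured (needed for WPA3)")
        if has(paths, "enable-bf-protection") and not has(paths, "mgmt-frame-protection"):
            flag("bf-without-mfp", "beacon protection requires MFP to be enabled")
        if has(paths, "ip", "enable-directed-broadcast"):
            flag("directed-broadcast", "IP-directed broadcasts are forwarded, not dropped")
        if value(paths, "ip", "source-validation") not in ("strict", "loose"):
            flag("no-rpf", "source validation not set to strict or loose (RFC 3704)")
        if has(paths, "ip", "enable-arp-accept"):
            flag("arp-accept", "gratuitous ARP creates new ARP table entries")
        pw = value(paths, "security", "wpa", "passphrase")
        if pw is not None and (len(pw) < MIN_PASSPHRASE_LEN or pw.isdigit()):
            flag("weak-passphrase", "passphrase is short or digits only")
    return findings


if __name__ == "__main__":
    for name, code, msg in audit(SAMPLE):
        print(f"{name}: [{code}] {msg}")
```
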

PPDU

set interfaces wireless <interface> capabilities require-ht
set interfaces wireless <interface> capabilities require-vht
set interfaces wireless <interface> capabilities require-he

HT (High Throughput) capabilities (802.11n)

Configuring HT mode options is required when using 802.11n or 802.11ax at 2.4GHz.

set interfaces wireless <interface> capabilities ht 40mhz-incapable

Device is incapable of 40 MHz, do not advertise. This sets [40-INTOLERANT]

set interfaces wireless <interface> capabilities ht auto-powersave

WMM-PS Unscheduled Automatic Power Save Delivery [U-APSD]

set interfaces wireless <interface> capabilities ht channel-set-width <ht20 | ht40+ | ht40->

Supported channel width set.

  • ht20 - 20 MHz channel width

  • ht40- - Both 20 MHz and 40 MHz with secondary channel below the primary channel

  • ht40+ - Both 20 MHz and 40 MHz with secondary channel above the primary channel

Note

There are limits on which channels can be used with HT40- and HT40+. The following table shows the channels that may be available for HT40- and HT40+ use per IEEE 802.11n Annex J:

Depending on the location, not all of these channels may be available for use!

freq              HT40-           HT40+
2.4 GHz           5-13            1-7 (1-9 in Europe/Japan)
5 GHz             40,48,56,64     36,44,52,60

Note

40 MHz channels may switch their primary and secondary channels if needed, or creation of a 40 MHz channel may be rejected based on overlapping BSSes. These changes are made automatically when hostapd sets up the 40 MHz channel.

set interfaces wireless <interface> capabilities ht delayed-block-ack

Enable HT-delayed Block Ack [DELAYED-BA]

set interfaces wireless <interface> capabilities ht dsss-cck-40

DSSS/CCK Mode in 40 MHz, this sets [DSSS_CCK-40]

set interfaces wireless <interface> capabilities ht greenfield

This enables the greenfield option which sets the [GF] option

set interfaces wireless <interface> capabilities ht ldpc

Enable LDPC coding capability

set interfaces wireless <interface> capabilities ht lsig-protection

Enable L-SIG TXOP protection capability

set interfaces wireless <interface> capabilities ht max-amsdu <3839 | 7935>

Maximum A-MSDU length 3839 (default) or 7935 octets

set interfaces wireless <interface> capabilities ht short-gi <20 | 40>

Short GI capabilities for 20 and 40 MHz

set interfaces wireless <interface> capabilities ht smps <static | dynamic>

Spatial Multiplexing Power Save (SMPS) settings

set interfaces wireless <interface> capabilities ht stbc rx <num>

Enable receiving PPDU using STBC (Space Time Block Coding)

set interfaces wireless <interface> capabilities ht stbc tx

Enable sending PPDU using STBC (Space Time Block Coding)

VHT (Very High Throughput) capabilities (802.11ac)

set interfaces wireless <interface> capabilities vht antenna-count

Number of antennas on this card

set interfaces wireless <interface> capabilities vht antenna-pattern-fixed

Set if antenna pattern does not change during the lifetime of an association

set interfaces wireless <interface> capabilities vht beamform <single-user-beamformer | single-user-beamformee | multi-user-beamformer | multi-user-beamformee>

Beamforming capabilities:

  • single-user-beamformer - Support for operation as single user beamformer

  • single-user-beamformee - Support for operation as single user beamformee

  • multi-user-beamformer - Support for operation as multi user beamformer

  • multi-user-beamformee - Support for operation as multi user beamformee

set interfaces wireless <interface> capabilities vht center-channel-freq <freq-1 | freq-2> <number>

VHT operating channel center frequency - center freq 1 (for use with 80, 80+80 and 160 modes)

VHT operating channel center frequency - center freq 2 (for use with the 80+80 mode)

<number> must be from 34 - 173. For 80 MHz channels it should be channel + 6.

set interfaces wireless <interface> capabilities vht channel-set-width <0 | 1 | 2 | 3>

  • 0 - 20 or 40 MHz channel width (default)

  • 1 - 80 MHz channel width

  • 2 - 160 MHz channel width

  • 3 - 80+80 MHz channel width

set interfaces wireless <interface> capabilities vht ldpc

Enable LDPC (Low Density Parity Check) coding capability

set interfaces wireless <interface> capabilities vht link-adaptation

VHT link adaptation capabilities

set interfaces wireless <interface> capabilities vht max-mpdu <value>

Increase Maximum MPDU length to 7991 or 11454 octets (default 3895 octets)

set interfaces wireless <interface> capabilities vht max-mpdu-exp <value>

Set the maximum length of A-MPDU pre-EOF padding that the station can receive

set interfaces wireless <interface> capabilities vht short-gi <80 | 160>

Short GI capabilities

set interfaces wireless <interface> capabilities vht stbc rx <num>

Enable receiving PPDU using STBC (Space Time Block Coding)

set interfaces wireless <interface> capabilities vht stbc tx

Enable sending PPDU using STBC (Space Time Block Coding)

set interfaces wireless <interface> capabilities vht tx-powersave

Enable VHT TXOP Power Save Mode

set interfaces wireless <interface> capabilities vht vht-cf

Station supports receiving VHT variant HT Control field

HE (High Efficiency) capabilities (802.11ax)

set interfaces wireless <interface> capabilities he antenna-pattern-fixed

Tell the AP that antenna positions are fixed and will not change during the lifetime of an association.

set interfaces wireless <interface> capabilities he beamform <single-user-beamformer | single-user-beamformee | multi-user-beamformer>

Beamforming capabilities:

  • single-user-beamformer - Support for operation as single user beamformer

  • single-user-beamformee - Support for operation as single user beamformee

  • multi-user-beamformer - Support for operation as multi user beamformer

set interfaces wireless <interface> capabilities he bss-color <number>

BSS coloring helps to prevent channel jamming when multiple APs use the same channels.

Valid values are 1..63

set interfaces wireless <interface> capabilities he center-channel-freq <freq-1 | freq-2> <number>

HE operating channel center frequency - center freq 1 (for use with 80, 80+80 and 160 modes)

HE operating channel center frequency - center freq 2 (for use with the 80+80 mode)

<number> must be within 1..233. For 80 MHz channels it should be channel + 6 and for 160 MHz channels, it should be channel + 14.

set interfaces wireless <interface> capabilities he channel-set-width <number>

<number> must be one of:

  • 81 - 20 MHz channel width (2.4GHz)

  • 83 - 40 MHz channel width, secondary 20MHz channel above primary channel (2.4GHz)

  • 84 - 40 MHz channel width, secondary 20MHz channel below primary channel (2.4GHz)

  • 131 - 20 MHz channel width (6GHz)

  • 132 - 40 MHz channel width (6GHz)

  • 133 - 80 MHz channel width (6GHz)

  • 134 - 160 MHz channel width (6GHz)

  • 135 - 80+80 MHz channel width (6GHz)

set interfaces wireless <interface> capabilities he coding-scheme <number>

This setting configures Spatial Stream and Modulation Coding Scheme settings for HE mode (HE-MCS). It is usually not necessary to set this explicitly, but it might help with some Wi-Fi adapters.

<number> must be one of:

  • 0 - HE-MCS 0-7

  • 1 - HE-MCS 0-9

  • 2 - HE-MCS 0-11

  • 3 - HE-MCS is not supported

Wireless options (Station/Client)

The example creates a wireless station (commonly referred to as Wi-Fi client) that accesses the network through the WAP defined in the above example. The default physical device (phy0) is used.

set system wireless country-code de
set interfaces wireless wlan0 type station
set interfaces wireless wlan0 address dhcp
set interfaces wireless wlan0 ssid Test
set interfaces wireless wlan0 security wpa passphrase '12345678'

Resulting in

system {
  wireless {
    country-code de
  }
}
interfaces {
  wireless wlan0 {
    address dhcp
    security {
      wpa {
        passphrase "12345678"
      }
    }
    ssid TEST
    type station
  }
}

Security

WPA, WPA2 Enterprise and WPA3 Enterprise in combination with 802.1x-based authentication can be used to authenticate users or computers in a domain.

The wireless client (supplicant) authenticates against the RADIUS server (authentication server) using an EAP method configured on the RADIUS server. The WAP (also referred to as the authenticator) relays all authentication messages between the supplicant and the configured authentication server, so the RADIUS server is responsible for authenticating the users.

The WAP in this example has the following characteristics:

  • IP address 192.168.2.1/24

  • Network ID (SSID) Enterprise-TEST

  • WPA passphrase 12345678

  • Use 802.11n protocol

  • Wireless channel 1

  • RADIUS server at 192.168.3.10 with shared-secret VyOSPassword

set system wireless country-code de
set interfaces wireless wlan0 address '192.168.2.1/24'
set interfaces wireless wlan0 type access-point
set interfaces wireless wlan0 channel 1
set interfaces wireless wlan0 mode n
set interfaces wireless wlan0 ssid 'Enterprise-TEST'
set interfaces wireless wlan0 security wpa mode wpa2
set interfaces wireless wlan0 security wpa cipher CCMP
set interfaces wireless wlan0 security wpa radius server 192.168.3.10 key 'VyOSPassword'
set interfaces wireless wlan0 security wpa radius server 192.168.3.10 port 1812

Resulting in

system {
  wireless {
    country-code de
  }
}
interfaces {
  [...]
  wireless wlan0 {
        address 192.168.2.1/24
        channel 1
        mode n
        security {
            wpa {
                cipher CCMP
                mode wpa2
                radius {
                    server 192.168.3.10 {
                        key 'VyOSPassword'
                        port 1812
                    }
                }
            }
        }
        ssid "Enterprise-TEST"
        type access-point
    }
}

VLAN

Regular VLANs (802.1q)

IEEE 802.1q, often referred to as Dot1q, is the industry standard for implementing VLANs on Ethernet networks. It defines VLAN tagging for Ethernet frames and outlines procedures for bridges and switches. The standard also includes quality-of-service prioritization (IEEE 802.1p) and defines the Generic Attribute Registration Protocol.

VLAN-aware network segments (i.e., IEEE 802.1q conformant) use VLAN tags. When a frame enters such a segment, a tag is added to indicate VLAN membership. Each frame can belong to only one VLAN. If a frame arrives without a tag, it is assumed to be part of the native VLAN.

IEEE 802.1, a working group of the IEEE 802 standards committee, has developed the standard and continues to revise it. One notable revision is 802.1Q-2014, which incorporated IEEE 802.1aq (Shortest Path Bridging) and much of the IEEE 802.1d standard.

In VyOS, 802.1q VLAN interfaces are represented as virtual subinterfaces, referred to as vif.

set interfaces wireless <interface> vif <vlan-id>

Configure a VLAN interface with a unique VLAN ID.

VLAN ID identifies a specific VLAN and ranges from 0 to 4094.

You can configure multiple VLAN interfaces on a single physical interface.

Note

Only 802.1Q-tagged packets are accepted on Ethernet vifs.

set interfaces wireless <interface> vif <vlan-id> address <address | dhcp | dhcpv6>

Configure the interface with one or more IP addresses.

The following options are available:

  • address: Assign one or more IPv4 or IPv6 addresses to the interface. For example, use 192.0.2.1/24 for IPv4 or 2001:db8::1/64 for IPv6.

  • dhcp: The interface obtains an IPv4 address from a DHCP server on the same network segment.

  • dhcpv6: The interface obtains an IPv6 address from a DHCPv6 server on the same network segment.

Note

If the interface obtains an IPv4 address via DHCP, and specific adjustments are needed before/after the IP address is obtained, use the provided hook scripts:

  • /config/scripts/dhcp-client/pre-hooks.d/

  • /config/scripts/dhcp-client/post-hooks.d/

Example:

set interfaces wireless wlan0 vif 10 address 192.0.2.1/24
set interfaces wireless wlan0 vif 10 address 2001:db8::1/64
set interfaces wireless wlan0 vif 10 address dhcp
set interfaces wireless wlan0 vif 10 address dhcpv6
set interfaces wireless <interface> vif <vlan-id> description <description>

Configure a clear, descriptive alias for the interface.

This alias appears in the show interfaces command and SNMP-based monitoring tools.

Example:

set interfaces wireless wlan0 vif 10 description 'This is an interface running on VyOS.'
set interfaces wireless <interface> vif <vlan-id> disable

Disable the interface.

The interface will be set to the administratively down (A/D) state.

Example:

set interfaces wireless wlan0 vif 10 disable
set interfaces wireless <interface> vif <vlan-id> disable-link-detect

Disable physical link-state change detection on the interface, such as when a cable is unplugged.

By default, the interface detects physical link-state changes.

Example:

set interfaces wireless wlan0 vif 10 disable-link-detect
set interfaces wireless <interface> vif <vlan-id> mac <xx:xx:xx:xx:xx:xx>

Configure a custom MAC address on the interface.

Example:

set interfaces wireless wlan0 vif 10 mac '00:53:01:02:03:04'
set interfaces wireless <interface> vif <vlan-id> mtu <mtu>

Configure the MTU on the interface.

This value defines the largest packet size, in bytes, that the interface transmits without fragmentation.

Example:

set interfaces wireless wlan0 vif 10 mtu 1600
set interfaces wireless <interface> vif <vlan-id> ip adjust-mss <mss | clamp-mss-to-pmtu>

Configure the MSS advertised in outgoing TCP SYN packets on the specified interface.

By clamping the MSS value in TCP SYN packets, you explicitly inform the remote side not to send packets larger than that size. This prevents connection issues that occur when Path MTU Discovery (PMTUD) fails.

The following options are available:

  • mss: Sets the MSS to a specific value, in bytes. Use this option if you need to enforce a specific MSS, for example, to troubleshoot connectivity issues or accommodate specific network requirements.

  • clamp-mss-to-pmtu: The router automatically calculates the MSS to be the interface’s MTU minus 40 bytes for IPv4 traffic (20 bytes for the IPv4 header and 20 bytes for the TCP header). This option is recommended to automatically set the proper value.

set interfaces wireless <interface> vif <vlan-id> ip arp-cache-timeout

Configure how long an ARP entry remains valid after learning an IP-to-MAC address mapping on this interface.

The default duration is 30 seconds.

An ARP entry remains valid if it receives positive feedback from higher-level protocols.

Example:

set interfaces wireless wlan0 vif 10 ip arp-cache-timeout 180
set interfaces wireless <interface> vif <vlan-id> ip disable-arp-filter

Configure ARP filtering on this interface.

Default behavior: The kernel responds to ARP requests on this interface only if the traffic would be routed back to the ARP sender through that specific interface.

If configured: The kernel responds to ARP requests on this interface for any IP address configured on the local host, regardless of which specific interface that IP address is assigned to, and regardless of the routing table. This reflects the Linux concept that IP addresses belong to the host, not individual interfaces.

Example:

set interfaces wireless wlan0 vif 10 ip disable-arp-filter
set interfaces wireless <interface> vif <vlan-id> ip disable-forwarding

Configure the interface for host or router behavior.

If configured, the interface switches to host mode, and IPv4 forwarding is disabled on it.

Example:

set interfaces wireless wlan0 vif 10 ip disable-forwarding
set interfaces wireless <interface> vif <vlan-id> ip enable-directed-broadcast

Configure whether to forward IP-directed broadcast packets received on this interface.

Default behavior: IP-directed broadcast packets are dropped.

If configured: IP-directed broadcast packets are forwarded to all hosts on the destination subnet, as defined in RFC 1812 and RFC 2644.

Example:

set interfaces wireless wlan0 vif 10 ip enable-directed-broadcast
set interfaces wireless <interface> vif <vlan-id> ip enable-arp-accept

Configure how to process gratuitous ARPs on this interface.

If configured, an IP-to-MAC address mapping is added to the ARP table based on gratuitous ARP requests or replies.

Note

If the ARP table already contains the IP address from a gratuitous ARP, its entry is updated regardless of whether this setting is configured.

Example:

set interfaces wireless wlan0 vif 10 ip enable-arp-accept
set interfaces wireless <interface> vif <vlan-id> ip enable-arp-announce

Configure the source IP selection for ARP requests on this interface.

Default behavior: The kernel can use any IP address the host owns as the source IP address in ARP requests on this interface.

If configured: The kernel first attempts to select a source IP address configured on the interface that shares a common subnet with the target IP address. If there is no such subnet, the kernel selects the IP address it would normally use (based on the routing table to reach the target destination).

Example:

set interfaces wireless wlan0 vif 10 ip enable-arp-announce
set interfaces wireless <interface> vif <vlan-id> ip enable-arp-ignore

Configure which ARP requests will be ignored on this interface.

Default behavior: The kernel responds to ARP requests for any local IP addresses, regardless of which interface they are assigned to.

If configured: The kernel responds to ARP requests only if the target IP address is assigned to this specific interface.

Example:

set interfaces wireless wlan0 vif 10 ip enable-arp-ignore
set interfaces wireless <interface> vif <vlan-id> ip enable-proxy-arp

Configure proxy ARP on this interface.

If configured, the router (kernel) intercepts ARP requests for non-local IP addresses and replies with the MAC address of the interface that received the request. Subsequent packets destined to these IP addresses are forwarded to their actual destinations on remote subnets.

Example:

set interfaces wireless wlan0 vif 10 ip enable-proxy-arp
set interfaces wireless <interface> vif <vlan-id> ip proxy-arp-pvlan

Configure local proxy ARP on the interface.

If configured, the router (kernel) responds to ARP requests on this VLAN interface even if the target IP address resides on the same subnet and interface.

This is used to support network isolation requirements (RFC 3069) for private VLANs (PVLANs). In PVLAN configurations, hosts on isolated ports are NOT allowed to communicate directly with each other at Layer 2, but they can communicate with the upstream router.

By replying to inter-host ARP requests with its own MAC address, the router (kernel) directs inter-host traffic through itself instead of directly between hosts.

Note

This command works independently and does not require enabling the standard proxy ARP on the interface.

Local proxy ARP is also known as:

  • VLAN aggregation (RFC 3069).

  • Private VLAN (Cisco, Allied Telesyn).

  • Source-port filtering or port isolation (Hewlett-Packard).

  • MAC-Forced Forwarding (Ericsson).

set interfaces wireless <interface> vif <vlan-id> ip source-validation <strict | loose | disable>

Configure source IP address validation using RPF on this interface, as specified in RFC 3704.

The following options are available:

  • strict: Each incoming packet’s source IP address is checked against the Forwarding Information Base (FIB). If the interface is not the best route back to that source, validation fails, and the packet is dropped.

  • loose: Each incoming packet’s source IP address is checked against the FIB. If the source IP address is unreachable through any interface, validation fails.

  • disable: No source IP address validation is performed. All incoming packets are accepted.

RFC 3704 recommends enabling strict mode to prevent IP spoofing, which is commonly used in DDoS attacks. For asymmetric or other complex routing scenarios, use loose mode.

set interfaces wireless <interface> vif <vlan-id> ipv6 address autoconf

Configure the interface to automatically obtain an IPv6 address using SLAAC, as specified in RFC 4862.

IPv6 hosts can configure themselves automatically when connected to an IPv6 network using the Neighbor Discovery Protocol via ICMPv6 router discovery messages. When first connected to a network, a host sends a link-local router solicitation multicast request for its configuration parameters. The router responds with a router advertisement packet containing Internet Layer configuration parameters.

Note

This method automatically disables IPv6 traffic forwarding on the interface.

Example:

set interfaces wireless wlan0 vif 10 ipv6 address autoconf
set interfaces wireless <interface> vif <vlan-id> ipv6 address eui64 <prefix>

Configure the interface to assign itself an IPv6 address using the EUI-64 method, as specified in RFC 4291.

Example:

set interfaces wireless wlan0 vif 10 ipv6 address eui64 2001:db8:beef::/64
set interfaces wireless <interface> vif <vlan-id> ipv6 address no-default-link-local

Disable the automatic assignment of a link-local IPv6 address to this interface.

Example:

set interfaces wireless wlan0 vif 10 ipv6 address no-default-link-local
set interfaces wireless <interface> vif <vlan-id> ipv6 disable-forwarding

Configure the interface for host or router behavior.

If configured, the interface switches to host mode, and IPv6 forwarding is disabled on it.

Example:

set interfaces wireless wlan0 vif 10 ipv6 disable-forwarding
set interfaces wireless <interface> vif <vlan-id> ipv6 adjust-mss <mss | clamp-mss-to-pmtu>

Configure the MSS advertised in outgoing TCP SYN packets on the specified interface.

By clamping the MSS value in TCP SYN packets, you explicitly inform the remote side not to send packets larger than that size. This prevents connection issues when Path MTU Discovery (PMTUD) fails.

The following options are available:

  • mss: Set the MSS to a specific value, in bytes. Use this option to enforce a specific MSS, for example, to troubleshoot connectivity issues or accommodate specific network requirements.

  • clamp-mss-to-pmtu: The router calculates the MSS to be the interface’s MTU minus 60 bytes for IPv6 traffic (40 bytes for the IPv6 header and 20 bytes for the TCP header). This option is recommended to automatically set the proper value.

set interfaces wireless <interface> vif <vlan-id> ipv6 accept-dad <0 | 1 | 2>

Configure IPv6 DAD on the interface.

The following options are available:

  • 0: Disables DAD. No duplicate address detection is performed.

  • 1: Enables DAD (default). Duplicate addresses are detected. The interface’s IPv6 operation continues for valid IPv6 addresses.

  • 2: Enables DAD and, if a MAC-based duplicate link-local address is found, disables IPv6 operation on this interface.

Example:

set interfaces wireless wlan0 vif 10 ipv6 accept-dad 2
set interfaces wireless <interface> vif <vlan-id> ipv6 dup-addr-detect-transmits <n>

Configure the number of DAD messages that the router (kernel) sends during IPv6 address assignment on this interface.

The default value is 1.

Example:

set interfaces wireless wlan0 vif 10 ipv6 dup-addr-detect-transmits 5
set interfaces wireless <interface> vif <vlan-id> vrf <vrf>

Assign the interface to a specific VRF instance.

See also

For information on configuring a VRF, refer to the VRF section.

Example:

set interfaces wireless wlan0 vif 10 vrf red

DHCP(v6)

set interfaces wireless <interface> vif <vlan-id> dhcp-options client-id <description>

Configure a DHCP client identifier for the interface, as specified in RFC 2131.

The client-id is an identifier that the DHCP client sends to the DHCP server to uniquely identify itself for IP address assignment. By default, the client uses its MAC address. The <description> is a user-defined string that will be sent to the DHCP server as the DHCP client identifier.

Example:

set interfaces wireless wlan0 vif 10 dhcp-options client-id 'foo-bar'
set interfaces wireless <interface> vif <vlan-id> dhcp-options host-name <hostname>

Configure a specific hostname for the interface.

Instead of the real hostname, the DHCP client will send the specific hostname to the DHCP server when requesting an IP address.

Example:

set interfaces wireless wlan0 vif 10 dhcp-options host-name 'VyOS'
set interfaces wireless <interface> vif <vlan-id> dhcp-options vendor-class-id <vendor-id>

Configure the DHCP client to include a vendor-class identifier in its DHCP requests on this interface.

The vendor-class identifier is a vendor-specific byte string that enables the DHCP server to identify the device and, in some cases, provide configuration options.

Example:

set interfaces wireless wlan0 vif 10 dhcp-options vendor-class-id 'VyOS'
set interfaces wireless <interface> vif <vlan-id> dhcp-options no-default-route

Configure the DHCP client to obtain an IP address, but ignore any default gateway provided by the DHCP server on this interface.

Example:

set interfaces wireless wlan0 vif 10 dhcp-options no-default-route
set interfaces wireless <interface> vif <vlan-id> dhcp-options default-route-distance <distance>

Configure the distance for the default route obtained from the DHCP server on this interface.

Example:

set interfaces wireless wlan0 vif 10 dhcp-options default-route-distance 220
set interfaces wireless <interface> vif <vlan-id> dhcp-options reject <address>

Configure the DHCP client to reject the specific IP address or IP address range from the DHCP server on this interface.

This is useful when a modem assigns a local IP address upon start. To reject multiple addresses, run this command multiple times with different values. You can reject individual addresses (192.168.100.1) or entire subnets (192.168.100.0/24).

Example:

set interfaces wireless wlan0 vif 10 dhcp-options reject 192.168.100.0/24
set interfaces wireless <interface> vif <vlan-id> dhcp-options user-class <string>

Configure the DHCP client to send a specific user-class identifier in its DHCP requests on this interface.

The DHCP server can interpret this identifier and provide specific configuration options based on it (for example, default routes). The user-class value typically groups DHCP clients with similar configuration needs (for example, employees, guests, or printers).

Example:

set interfaces wireless wlan0 vif 10 dhcp-options user-class VyOS
set interfaces wireless <interface> vif <vlan-id> dhcpv6-options duid <duid>

Configure a specific DUID for the DHCPv6 client on this interface.

The DUID is an identifier used by a DHCPv6 client to get an IPv6 address from a DHCPv6 server. It consists of a 2-byte type field, followed by a variable-length identifier field up to 128 bytes. The format of the identifier part depends on the DUID type:

  • DUID-LLT: The most common type, which includes a hardware type, a timestamp, and a MAC address.

  • DUID-EN: Based on a vendor’s enterprise number and a unique identifier assigned by the vendor.

  • DUID-LL: Includes only a MAC address.

The DHCP server matches the DUID against its database and provides configuration data (such as address, lease times, DNS servers, etc.) to the DHCP client.

Example:

set interfaces wireless wlan0 vif 10 dhcpv6-options duid '0e:00:00:01:00:01:27:71:db:f0:00:50:56:bf:c5:6d'
set interfaces wireless <interface> vif <vlan-id> dhcpv6-options no-release

Configure the DHCP client not to send a release message when it stops running on this interface.

This helps retain the assigned address or prefix.

Example:

set interfaces wireless wlan0 vif 10 dhcpv6-options no-release
set interfaces wireless <interface> vif <vlan-id> dhcpv6-options parameters-only

Enable a stateless DHCPv6 client mode on this interface.

In stateless mode, the DHCPv6 client requests only stateless configuration parameters from the DHCP server (for example, DNS server addresses). It doesn’t request a stateful configuration, such as IPv6 addresses or prefixes.

Example:

set interfaces wireless wlan0 vif 10 dhcpv6-options parameters-only
set interfaces wireless <interface> vif <vlan-id> dhcpv6-options rapid-commit

Enable DHCPv6 rapid commit on this interface.

When enabled, the DHCP client and server skip the negotiation steps (Advertise and Request), completing the DHCPv6 configuration process in just two messages (Solicit and final Reply).

Example:

set interfaces wireless wlan0 vif 10 dhcpv6-options rapid-commit
set interfaces wireless <interface> vif <vlan-id> dhcpv6-options temporary

Configure the DHCPv6 client to request a temporary IPv6 address on this interface.

When configured, the DHCP client doesn’t form an Identity Association for Non-temporary Addresses (IA_NA) partnership. Consequently, it only obtains a temporary IPv6 address and doesn’t obtain a permanent one.

Example:

set interfaces wireless wlan0 vif 10 dhcpv6-options temporary

DHCPv6 Prefix Delegation (PD)

VyOS supports DHCPv6 Prefix Delegation (DHCPv6-PD) as described in RFC 3633. DHCPv6-PD is supported by most ISPs that provide native IPv6 for consumers on fixed networks.

set interfaces wireless <interface> vif <vlan-id> dhcpv6-options pd <id> length <length>

Configure a specific prefix length for DHCPv6-PD requests on this interface.

Some ISPs provide only a /64 prefix by default. Use this command to request a different prefix length for a specific DHCPv6-PD request, ranging from /32 (if allowed by your ISP) down to /64. <id> is a unique identifier for the DHCPv6-PD request.

The default value is 64.

To request a /56 prefix from your ISP, use:

set interfaces wireless wlan0 vif 10 dhcpv6-options pd 0 length 56
set interfaces wireless <interface> vif <vlan-id> dhcpv6-options pd <id> interface <delegatee> address <address>

Configure the IPv6 interface identifier (host portion) for the delegatee interface.

The value must be a decimal integer. It is appended to the delegated prefix and the configured SLA ID to form the final IPv6 address.

By default, the host portion is generated based on the parent interface’s MAC address (EUI-64 format).

Example:

If a /64 prefix is delegated to interface eth8 and you configure the host portion as 65535, the resulting IPv6 address will end with ::ffff, as 65535 corresponds to ffff in hexadecimal notation.

set interfaces wireless wlan0 vif 10 dhcpv6-options pd 0 interface eth8 address 65535
set interfaces wireless <interface> vif <vlan-id> dhcpv6-options pd <id> interface <delegatee> sla-id <id>

Configure the SLA ID for the delegatee interface.

The value must be a decimal integer greater than 0 and fit in the length of SLA IDs. It is converted to hexadecimal and appended to the delegated prefix to form the specific subnet prefix for the delegatee interface.

Example:

If SLA ID is 1 and the delegated prefix is 2001:db8:ffff::/48, the resulting subnet prefix for the delegatee interface will be 2001:db8:ffff:1::/64.

set interfaces wireless wlan0 vif 10 dhcpv6-options pd 0 interface eth8 sla-id 1
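
How the delegated prefix, the SLA ID and the interface identifier described above combine into the delegatee's subnet and address, as an added Python example (not VyOS code). The function names and the sample MAC address are assumptions, and the default host portion is modeled as the modified EUI-64 identifier of RFC 4291.

```python
import ipaddress


def eui64_interface_id(mac):
    """Modified EUI-64 interface identifier (RFC 4291) for a 48-bit MAC address."""
    octets = bytes(int(part, 16) for part in mac.split(":"))
    if len(octets) != 6:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    # Flip the universal/local bit and insert ff:fe between the two MAC halves.
    eui = bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:]
    return int.from_bytes(eui, "big")


def delegatee_address(delegated_prefix, sla_id, host_id=None, mac=None):
    """Return (subnet, address) as strings for a delegatee interface.

    delegated_prefix: prefix received via DHCPv6-PD, e.g. "2001:db8:ffff::/48"
    sla_id:           value of "sla-id", placed in the bits between the
                      delegated prefix length and /64
    host_id:          value of "address" (decimal host portion); if omitted,
                      the identifier is derived from mac (hypothetical
                      parameter standing in for the interface's MAC address)
    """
    net = ipaddress.IPv6Network(delegated_prefix)
    sla_bits = 64 - net.prefixlen
    if sla_bits < 0:
        raise ValueError("delegated prefix is longer than /64")
    # The SLA ID must fit in the bits left between the prefix and /64.
    if not 0 <= sla_id < (1 << sla_bits):
        raise ValueError(f"sla-id {sla_id} does not fit in {sla_bits} bits")
    if host_id is None:
        if mac is None:
            raise ValueError("either host_id or mac is required")
        host_id = eui64_interface_id(mac)
    if not 0 <= host_id < (1 << 64):
        raise ValueError("host portion must fit in 64 bits")

    subnet_int = int(net.network_address) | (sla_id << 64)
    subnet = ipaddress.IPv6Network((subnet_int, 64))
    address = ipaddress.IPv6Address(subnet_int | host_id)
    return str(subnet), str(address)


if __name__ == "__main__":
    # Values from the examples above: /48 delegation, sla-id 1, address 65535.
    print(delegatee_address("2001:db8:ffff::/48", 1, host_id=65535))
    # Default host portion, derived from a constructed MAC address.
    print(delegatee_address("2001:db8:ffff::/48", 1, mac="00:53:01:02:03:04"))
```
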

QinQ (802.1ad)

Overview

IEEE 802.1ad, commonly known as QinQ, is an Ethernet standard first published as an amendment to 802.1q in 2005, then officially merged into the base standard in 2011.

Unlike the original 802.1q, which allows a single VLAN header per Ethernet frame, QinQ allows two VLAN headers per Ethernet frame, for the inner and the outer VLAN tags. Most often the inner VLAN tag comes from a customer while the outer tag is used by the service provider to differentiate between traffic of different customers.

Frame structure and ethertypes

The IEEE 802.1ad (QinQ) frame includes two VLAN tags:

  • The outer service tag (S-TAG): The S-TAG is typically added by the provider. It uses the Ethertype 0x88a8 by default.

  • The inner customer tag (C-TAG): The C-TAG is generated by the customer’s equipment and remains unchanged during transit. It uses the Ethertype 0x8100.

Implementation in VyOS

In VyOS, these tag types are associated with the following CLI options:

  • vif-s: Corresponds to the S-TAG (Ethertype 0x88a8).

  • vif-c: Corresponds to the C-TAG (Ethertype 0x8100).
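
A parser for the double-tagged frame layout described above, as an added Python example (not part of VyOS). The sample frames are constructed to match `vif-s 1000 vif-c 20` and `vif 10`, the MAC addresses are placeholders, and the function names are assumptions.

```python
import struct

ETHERTYPE_S_TAG = 0x88A8  # outer service tag (vif-s)
ETHERTYPE_C_TAG = 0x8100  # inner customer tag (vif-c), also plain 802.1q (vif)
MAX_TAGS = 2              # QinQ carries at most an S-TAG and a C-TAG


def vlan_tag(tpid, vlan_id, pcp=0, dei=0):
    """Encode one 4-byte VLAN tag: 16-bit TPID + 16-bit TCI (PCP:3, DEI:1, VID:12)."""
    if not 0 <= vlan_id <= 0x0FFF:
        raise ValueError("VLAN ID must fit in 12 bits")
    return struct.pack("!HH", tpid, (pcp << 13) | (dei << 12) | vlan_id)


def parse_vlan_tags(frame):
    """Return (tags, ethertype, payload) for an Ethernet frame.

    tags is a list of dicts, outermost tag first. Truncated frames and
    stacks deeper than two tags raise ValueError instead of being guessed at.
    """
    offset = 12  # skip destination and source MAC addresses
    tags = []
    while True:
        if len(frame) < offset + 2:
            raise ValueError("frame truncated before EtherType")
        (ethertype,) = struct.unpack_from("!H", frame, offset)
        if ethertype not in (ETHERTYPE_S_TAG, ETHERTYPE_C_TAG):
            return tags, ethertype, frame[offset + 2:]
        if len(tags) == MAX_TAGS:
            raise ValueError("more than two VLAN tags")
        if len(frame) < offset + 4:
            raise ValueError("frame truncated inside a VLAN tag")
        (tci,) = struct.unpack_from("!H", frame, offset + 2)
        tags.append({"tpid": ethertype, "pcp": tci >> 13,
                     "dei": (tci >> 12) & 1, "vid": tci & 0x0FFF})
        offset += 4


def vyos_subinterface(tags):
    """Name the sub-interface a tag stack maps to, or None if it fits neither form."""
    tpids = [tag["tpid"] for tag in tags]
    if tpids == [ETHERTYPE_C_TAG]:
        return f"vif {tags[0]['vid']}"
    if tpids == [ETHERTYPE_S_TAG, ETHERTYPE_C_TAG]:
        return f"vif-s {tags[0]['vid']} vif-c {tags[1]['vid']}"
    return None


# Constructed sample frames; MAC addresses are placeholders.
DST = bytes.fromhex("005300000001")
SRC = bytes.fromhex("005301020304")
IPV4 = struct.pack("!H", 0x0800)
QINQ_FRAME = (DST + SRC + vlan_tag(ETHERTYPE_S_TAG, 1000)
              + vlan_tag(ETHERTYPE_C_TAG, 20, pcp=5) + IPV4 + b"payload")
DOT1Q_FRAME = DST + SRC + vlan_tag(ETHERTYPE_C_TAG, 10) + IPV4 + b"payload"

if __name__ == "__main__":
    for frame in (QINQ_FRAME, DOT1Q_FRAME):
        tags, ethertype, payload = parse_vlan_tags(frame)
        print(vyos_subinterface(tags), hex(ethertype), payload)
```
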

set interfaces wireless <interface> vif-s <vlan-id> vif-c <vlan-id> address <address | dhcp | dhcpv6>

Configure the interface with one or more IP addresses.

The following options are available:

  • address: Assign one or more IPv4 or IPv6 addresses to the interface. For example, use 192.0.2.1/24 for IPv4 or 2001:db8::1/64 for IPv6.

  • dhcp: The interface obtains an IPv4 address from a DHCP server on the same network segment.

  • dhcpv6: The interface obtains an IPv6 address from a DHCPv6 server on the same network segment.

Note

If the interface obtains an IPv4 address via DHCP, and specific adjustments are needed before/after the IP address is obtained, use the provided hook scripts:

  • /config/scripts/dhcp-client/pre-hooks.d/

  • /config/scripts/dhcp-client/post-hooks.d/

Example:

set interfaces wireless wlan0 vif-s 1000 vif-c 20 address 192.0.2.1/24
set interfaces wireless wlan0 vif-s 1000 vif-c 20 address 2001:db8::1/64
set interfaces wireless wlan0 vif-s 1000 vif-c 20 address dhcp
set interfaces wireless wlan0 vif-s 1000 vif-c 20 address dhcpv6
set interfaces wireless <interface> vif-s <vlan-id> vif-c <vlan-id> description <description>

Configure a clear, descriptive alias for the interface.

This alias appears in the show interfaces command and SNMP-based monitoring tools.

Example:

set interfaces wireless wlan0 vif-s 1000 vif-c 20 description 'This is an interface running on VyOS.'
set interfaces wireless <interface> vif-s <vlan-id> vif-c <vlan-id> disable

Disable the interface.

The interface will be set to the administratively down (A/D) state.

Example:

set interfaces wireless wlan0 vif-s 1000 vif-c 20 disable
set interfaces wireless <interface> vif-s <vlan-id> vif-c <vlan-id> disable-link-detect

Disable physical link-state change detection on the interface, such as when a cable is unplugged.

By default, the interface detects physical link-state changes.

Example:

set interfaces wireless wlan0 vif-s 1000 vif-c 20 disable-link-detect
set interfaces wireless <interface> vif-s <vlan-id> vif-c <vlan-id> mac <xx:xx:xx:xx:xx:xx>

Configure a custom MAC address on the interface.

Example:

set interfaces wireless wlan0 vif-s 1000 vif-c 20 mac '00:53:01:02:03:04'
set interfaces wireless <interface> vif-s <vlan-id> vif-c <vlan-id> mtu <mtu>

Configure the MTU on the interface.

This value defines the largest packet size, in bytes, that the interface transmits without fragmentation.

Example:

set interfaces wireless wlan0 vif-s 1000 vif-c 20 mtu 1600
set interfaces wireless <interface> vif-s <vlan-id> vif-c <vlan-id> ip adjust-mss <mss | clamp-mss-to-pmtu>

Configure the MSS advertised in outgoing TCP SYN packets on the specified interface.

By clamping the MSS value in TCP SYN packets, you explicitly inform the remote side not to send packets larger than that size. This prevents connection issues that occur when Path MTU Discovery (PMTUD) fails.

The following options are available:

  • mss: Sets the MSS to a specific value, in bytes. Use this option if you need to enforce a specific MSS, for example, to troubleshoot connectivity issues or accommodate specific network requirements.

  • clamp-mss-to-pmtu: The router automatically calculates the MSS to be the interface’s MTU minus 40 bytes for IPv4 traffic (20 bytes for the IPv4 header and 20 bytes for the TCP header). This option is recommended to automatically set the proper value.

set interfaces wireless <interface> vif-s <vlan-id> vif-c <vlan-id> ip arp-cache-timeout

Configure how long an ARP entry remains valid after learning an IP-to-MAC address mapping on this interface.

The default duration is 30 seconds.

An ARP entry remains valid if it receives positive feedback from higher-level protocols.

Example:

set interfaces wireless wlan0 vif-s 1000 vif-c 20 ip arp-cache-timeout 180
set interfaces wireless <interface> vif-s <vlan-id> vif-c <vlan-id> ip disable-arp-filter

Configure ARP filtering on this interface.

Default behavior: The kernel responds to ARP requests on this interface only if the traffic would be routed back to the ARP sender through that specific interface.

If configured: The kernel responds to ARP requests on this interface for any IP address configured on the local host, regardless of which specific interface that IP address is assigned to, and regardless of the routing table. This reflects the Linux concept that IP addresses belong to the host, not individual interfaces.

Example:

set interfaces wireless wlan0 vif-s 1000 vif-c 20 ip disable-arp-filter
set interfaces wireless <interface> vif-s <vlan-id> vif-c <vlan-id> ip disable-forwarding

Configure the interface for host or router behavior.

If configured, the interface switches to host mode, and IPv4 forwarding is disabled on it.

Example:

set interfaces wireless wlan0 vif-s 1000 vif-c 20 ip disable-forwarding
set interfaces wireless <interface> vif-s <vlan-id> vif-c <vlan-id> ip enable-directed-broadcast

Configure whether to forward IP-directed broadcast packets received on this interface.

Default behavior: IP-directed broadcast packets are dropped.

If configured: IP-directed broadcast packets are forwarded to all hosts on the destination subnet, as defined in RFC 1812 and RFC 2644.

Example:

set interfaces wireless wlan0 vif-s 1000 vif-c 20 ip enable-directed-broadcast
set interfaces wireless <interface> vif-s <vlan-id> vif-c <vlan-id> ip enable-arp-accept

Configure how to process gratuitous ARPs on this interface.

If configured, an IP-to-MAC address mapping is added to the ARP table based on gratuitous ARP requests or replies.

Note

If the ARP table already contains the IP address from a gratuitous ARP, its entry is updated regardless of whether this setting is configured.

Example:

set interfaces wireless wlan0 vif-s 1000 vif-c 20 ip enable-arp-accept
set interfaces wireless <interface> vif-s <vlan-id> vif-c <vlan-id> ip enable-arp-announce

Configure the source IP selection for ARP requests on this interface.

Default behavior: The kernel can use any IP address the host owns as the source IP address in ARP requests on this interface.

If configured: The kernel first attempts to select a source IP address configured on the interface that shares a common subnet with the target IP address. If there is no such subnet, the kernel selects the IP address it would normally use (based on the routing table to reach the target destination).

Example:

set interfaces wireless wlan0 vif-s 1000 vif-c 20 ip enable-arp-announce
set interfaces wireless <interface> vif-s <vlan-id> vif-c <vlan-id> ip enable-arp-ignore

Configure which ARP requests will be ignored on this interface.

Default behavior: The kernel responds to ARP requests for any local IP addresses, regardless of which interface they are assigned to.

If configured: The kernel responds to ARP requests only if the target IP address is assigned to this specific interface.

Example:

set interfaces wireless wlan0 vif-s 1000 vif-c 20 ip enable-arp-ignore
set interfaces wireless <interface> vif-s <vlan-id> vif-c <vlan-id> ip enable-proxy-arp

Configure proxy ARP on this interface.

If configured, the router (kernel) intercepts ARP requests for non-local IP addresses and replies with the MAC address of the interface that received the request. Subsequent packets destined to these IP addresses are forwarded to their actual destinations on remote subnets.

Example:

set interfaces wireless wlan0 vif-s 1000 vif-c 20 ip enable-proxy-arp
set interfaces wireless <interface> vif-s <vlan-id> vif-c <vlan-id> ip proxy-arp-pvlan

Configure local proxy ARP on the interface.

If configured, the router (kernel) responds to ARP requests on this VLAN interface even if the target IP address resides on the same subnet and interface.

This is used to support network isolation requirements (RFC 3069) for private VLANs (PVLANs). In PVLAN configurations, hosts on isolated ports are NOT allowed to communicate directly with each other at Layer 2, but they can communicate with the upstream router.

By replying to inter-host ARP requests with its own MAC address, the router (kernel) directs inter-host traffic through itself instead of directly between hosts.

Note

This command works independently and does not require enabling the standard proxy ARP on the interface.

Local proxy ARP is also known as:

  • VLAN aggregation (RFC 3069).

  • Private VLAN (Cisco, Allied Telesyn).

  • Source-port filtering or port isolation (Hewlett-Packard).

  • MAC-Forced Forwarding (Ericsson).

set interfaces wireless <interface> vif-s <vlan-id> vif-c <vlan-id> ip source-validation <strict | loose | disable>

Configure source IP address validation using RPF on this interface, as specified in RFC 3704.

The following options are available:

  • strict: Each incoming packet’s source IP address is checked against the Forwarding Information Base (FIB). If the interface is not the best route back to that source, validation fails, and the packet is dropped.

  • loose: Each incoming packet’s source IP address is checked against the FIB. If the source IP address is unreachable through any interface, validation fails.

  • disable: No source IP address validation is performed. All incoming packets are accepted.

RFC 3704 recommends enabling strict mode to prevent IP spoofing, such as the source-address spoofing used in DDoS attacks. For asymmetric or other complex routing scenarios, use loose mode.
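The following added example (not part of the VyOS documentation or code base) models the three source-validation modes against a small constructed FIB. The interface names, routes, and source addresses are assumptions chosen for illustration; it also shows that a default route makes loose mode accept any routable source.

```python
import ipaddress

# Constructed FIBs for illustration: (prefix, interface the route points out of).
FIB_WITH_DEFAULT = [
    ("0.0.0.0/0", "eth0"),               # default route via the uplink
    ("192.0.2.0/24", "wlan0.1000.20"),   # connected wireless VLAN (name assumed)
    ("198.51.100.0/24", "eth1"),         # another internal subnet
]
FIB_NO_DEFAULT = FIB_WITH_DEFAULT[1:]

# Constructed source addresses of packets arriving on the wireless VLAN.
SOURCES = ["192.0.2.10", "198.51.100.7", "203.0.113.9"]


def best_route(fib, src):
    """Longest-prefix match on the source address; returns an interface or None."""
    addr = ipaddress.ip_address(src)
    candidates = [
        (ipaddress.ip_network(prefix), ifname)
        for prefix, ifname in fib
        if addr in ipaddress.ip_network(prefix)
    ]
    if not candidates:
        return None
    return max(candidates, key=lambda c: c[0].prefixlen)[1]


def source_valid(fib, mode, in_iface, src):
    """True if a packet from `src` arriving on `in_iface` passes validation."""
    if mode == "disable":
        return True
    out_iface = best_route(fib, src)
    if out_iface is None:        # no route back at all: fails strict and loose
        return False
    if mode == "loose":          # reachable through any interface is enough
        return True
    if mode == "strict":         # must be the best route back to the source
        return out_iface == in_iface
    raise ValueError(f"unknown mode: {mode}")


def verdicts(fib, in_iface, sources):
    """Per-source verdict for each of the three modes."""
    return {
        src: {m: source_valid(fib, m, in_iface, src)
              for m in ("strict", "loose", "disable")}
        for src in sources
    }


if __name__ == "__main__":
    for name, fib in (("with default route", FIB_WITH_DEFAULT),
                      ("without default route", FIB_NO_DEFAULT)):
        print(name)
        for src, result in verdicts(fib, "wlan0.1000.20", SOURCES).items():
            print(f"  {src:15} {result}")
```
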

set interfaces wireless <interface> vif-s <vlan-id> vif-c <vlan-id> ipv6 address autoconf

Configure the interface to automatically obtain an IPv6 address using SLAAC, as specified in RFC 4862.

IPv6 hosts can configure themselves automatically when connected to an IPv6 network using the Neighbor Discovery Protocol via ICMPv6 router discovery messages. When first connected to a network, a host sends a link-local router solicitation multicast request for its configuration parameters. The router responds with a router advertisement packet containing Internet Layer configuration parameters.

Note

This method automatically disables IPv6 traffic forwarding on the interface.

Example:

set interfaces wireless wlan0 vif-s 1000 vif-c 20 ipv6 address autoconf

set interfaces wireless <interface> vif-s <vlan-id> vif-c <vlan-id> ipv6 address eui64 <prefix>

Configure the interface to assign itself an IPv6 address using the EUI-64 method, as specified in RFC 4291.

Example:

set interfaces wireless wlan0 vif-s 1000 vif-c 20 ipv6 address eui64 2001:db8:beef::/64

set interfaces wireless <interface> vif-s <vlan-id> vif-c <vlan-id> ipv6 address no-default-link-local

Disable the automatic assignment of a link-local IPv6 address to this interface.

Example:

set interfaces wireless wlan0 vif-s 1000 vif-c 20 ipv6 address no-default-link-local

set interfaces wireless <interface> vif-s <vlan-id> vif-c <vlan-id> ipv6 disable-forwarding

Configure the interface for host or router behavior.

If configured, the interface switches to host mode, and IPv6 forwarding is disabled on it.

Example:

set interfaces wireless wlan0 vif-s 1000 vif-c 20 ipv6 disable-forwarding

set interfaces wireless <interface> vif-s <vlan-id> vif-c <vlan-id> ipv6 adjust-mss <mss | clamp-mss-to-pmtu>

Configure the MSS advertised in outgoing TCP SYN packets on the specified interface.

By clamping the MSS value in TCP SYN packets, you explicitly inform the remote side not to send packets larger than that size. This prevents connection issues when Path MTU Discovery (PMTUD) fails.

The following options are available:

  • mss: Set the MSS to a specific value, in bytes. Use this option to enforce a specific MSS, for example, to troubleshoot connectivity issues or accommodate specific network requirements.

  • clamp-mss-to-pmtu: The router calculates the MSS to be the interface’s MTU minus 60 bytes for IPv6 traffic (40 bytes for the IPv6 header and 20 bytes for the TCP header). This option is recommended to automatically set the proper value.

set interfaces wireless <interface> vif-s <vlan-id> vif-c <vlan-id> ipv6 accept-dad <0 | 1 | 2>

Configure IPv6 DAD on the interface.

The following options are available:

  • 0: Disables DAD. No duplicate address detection is performed.

  • 1: Enables DAD (default). Duplicate addresses are detected. The interface’s IPv6 operation continues for valid IPv6 addresses.

  • 2: Enables DAD and, if a MAC-based duplicate link-local address is found, disables IPv6 operation on this interface.

Example:

set interfaces wireless wlan0 vif-s 1000 vif-c 20 ipv6 accept-dad 2

set interfaces wireless <interface> vif-s <vlan-id> vif-c <vlan-id> ipv6 dup-addr-detect-transmits <n>

Configure the number of DAD messages that the router (kernel) sends during IPv6 address assignment on this interface.

The default value is 1.

Example:

set interfaces wireless wlan0 vif-s 1000 vif-c 20 ipv6 dup-addr-detect-transmits 5

set interfaces wireless <interface> vif-s <vlan-id> vif-c <vlan-id> vrf <vrf>

Assign the interface to a specific VRF instance.

See also

For information on configuring a VRF, refer to the VRF section.

Example:

set interfaces wireless wlan0 vif-s 1000 vif-c 20 vrf red

DHCP(v6)

set interfaces wireless <interface> vif-s <vlan-id> vif-c <vlan-id> dhcp-options client-id <description>

Configure a DHCP client identifier for the interface, as specified in RFC 2131.

The client-id is an identifier that the DHCP client sends to the DHCP server to uniquely identify itself for IP address assignment. By default, the client uses its MAC address. The <description> is a user-defined string that will be sent to the DHCP server as the DHCP client identifier.

Example:

set interfaces wireless wlan0 vif-s 1000 vif-c 20 dhcp-options client-id 'foo-bar'

set interfaces wireless <interface> vif-s <vlan-id> vif-c <vlan-id> dhcp-options host-name <hostname>

Configure a specific hostname for the interface.

Instead of the real hostname, the DHCP client will send the specific hostname to the DHCP server when requesting an IP address.

Example:

set interfaces wireless wlan0 vif-s 1000 vif-c 20 dhcp-options host-name 'VyOS'

set interfaces wireless <interface> vif-s <vlan-id> vif-c <vlan-id> dhcp-options vendor-class-id <vendor-id>

Configure the DHCP client to include a vendor-class identifier in its DHCP requests on this interface.

The vendor-class identifier is a vendor-specific byte string that enables the DHCP server to identify the device and, in some cases, provide configuration options.

Example:

set interfaces wireless wlan0 vif-s 1000 vif-c 20 dhcp-options vendor-class-id 'VyOS'

set interfaces wireless <interface> vif-s <vlan-id> vif-c <vlan-id> dhcp-options no-default-route

Configure the DHCP client to obtain an IP address, but ignore any default gateway provided by the DHCP server on this interface.

Example:

set interfaces wireless wlan0 vif-s 1000 vif-c 20 dhcp-options no-default-route

set interfaces wireless <interface> vif-s <vlan-id> vif-c <vlan-id> dhcp-options default-route-distance <distance>

Configure the distance for the default route obtained from the DHCP server on this interface.

Example:

set interfaces wireless wlan0 vif-s 1000 vif-c 20 dhcp-options default-route-distance 220

set interfaces wireless <interface> vif-s <vlan-id> vif-c <vlan-id> dhcp-options reject <address>

Configure the DHCP client to reject the specific IP address or IP address range from the DHCP server on this interface.

This is useful when a modem assigns a local IP address upon start. To reject multiple addresses, run this command multiple times with different values. You can reject individual addresses (192.168.100.1) or entire subnets (192.168.100.0/24).

Example:

set interfaces wireless wlan0 vif-s 1000 vif-c 20 dhcp-options reject 192.168.100.0/24

set interfaces wireless <interface> vif-s <vlan-id> vif-c <vlan-id> dhcp-options user-class <string>

Configure the DHCP client to send a specific user-class identifier in its DHCP requests on this interface.

The DHCP server can interpret this identifier and provide specific configuration options based on it (for example, default routes). The user-class value typically groups DHCP clients with similar configuration needs (for example, employees, guests, or printers).

Example:

set interfaces wireless wlan0 vif-s 1000 vif-c 20 dhcp-options user-class VyOS

set interfaces wireless <interface> vif-s <vlan-id> vif-c <vlan-id> dhcpv6-options duid <duid>

Configure a specific DUID for the DHCPv6 client on this interface.

The DUID is an identifier used by a DHCPv6 client to get an IPv6 address from a DHCPv6 server. It consists of a 2-byte type field, followed by a variable-length identifier field up to 128 bytes. The format of the identifier part depends on the DUID type:

  • DUID-LLT: The most common type, which includes a hardware type, a timestamp, and a MAC address.

  • DUID-EN: Based on a vendor’s enterprise number and a unique identifier assigned by the vendor.

  • DUID-LL: Includes only a MAC address.

The DHCP server matches the DUID against its database and provides configuration data (such as address, lease times, DNS servers, etc.) to the DHCP client.

Example:

set interfaces wireless wlan0 vif-s 1000 vif-c 20 dhcpv6-options duid '0e:00:00:01:00:01:27:71:db:f0:00:50:56:bf:c5:6d'

set interfaces wireless <interface> vif-s <vlan-id> vif-c <vlan-id> dhcpv6-options no-release

Configure the DHCP client not to send a release message when it stops running on this interface.

This helps retain the assigned address or prefix.

Example:

set interfaces wireless wlan0 vif-s 1000 vif-c 20 dhcpv6-options no-release

set interfaces wireless <interface> vif-s <vlan-id> vif-c <vlan-id> dhcpv6-options parameters-only

Enable a stateless DHCPv6 client mode on this interface.

In stateless mode, the DHCPv6 client requests only stateless configuration parameters from the DHCP server (for example, DNS server addresses). It doesn’t request a stateful configuration, such as IPv6 addresses or prefixes.

Example:

set interfaces wireless wlan0 vif-s 1000 vif-c 20 dhcpv6-options parameters-only

set interfaces wireless <interface> vif-s <vlan-id> vif-c <vlan-id> dhcpv6-options rapid-commit

Enable DHCPv6 rapid commit on this interface.

When enabled, the DHCP client and server skip the negotiation steps (Advertise and Request), completing the DHCPv6 configuration process in just two messages (Solicit and final Reply).

Example:

set interfaces wireless wlan0 vif-s 1000 vif-c 20 dhcpv6-options rapid-commit

set interfaces wireless <interface> vif-s <vlan-id> vif-c <vlan-id> dhcpv6-options temporary

Configure the DHCPv6 client to request a temporary IPv6 address on this interface.

When configured, the DHCP client doesn’t form an Identity Association for Non-temporary Addresses (IA_NA) partnership. Consequently, it only obtains a temporary IPv6 address and doesn’t obtain a permanent one.

Example:

set interfaces wireless wlan0 vif-s 1000 vif-c 20 dhcpv6-options temporary

DHCPv6 Prefix Delegation (PD)

VyOS supports DHCPv6 Prefix Delegation (DHCPv6-PD) as described in RFC 3633. DHCPv6-PD is supported by most ISPs that provide native IPv6 for consumers on fixed networks.

set interfaces wireless <interface> vif-s <vlan-id> vif-c <vlan-id> dhcpv6-options pd <id> length <length>

Configure a specific prefix length for DHCPv6-PD requests on this interface.

Some ISPs provide only a /64 prefix by default. Use this command to request a different prefix length for a specific DHCPv6-PD request, ranging from /32 (if allowed by your ISP) down to /64. <id> is a unique identifier for the DHCPv6-PD request.

The default value is 64.

To request a /56 prefix from your ISP, use:

set interfaces wireless wlan0 vif-s 1000 vif-c 20 dhcpv6-options pd 0 length 56

set interfaces wireless <interface> vif-s <vlan-id> vif-c <vlan-id> dhcpv6-options pd <id> interface <delegatee> address <address>

Configure the IPv6 interface identifier (host portion) for the delegatee interface.

The value must be a decimal integer. It is appended to the delegated prefix and the configured SLA ID to form the final IPv6 address.

By default, the host portion is generated based on the parent interface’s MAC address (EUI-64 format).

Example:

If a /64 prefix is delegated to interface eth8 and you configure the host portion as 65535, the resulting IPv6 address will end with ::ffff, as 65535 corresponds to ffff in hexadecimal notation.

set interfaces wireless wlan0 vif-s 1000 vif-c 20 dhcpv6-options pd 0 interface eth8 address 65535

set interfaces wireless <interface> vif-s <vlan-id> vif-c <vlan-id> dhcpv6-options pd <id> interface <delegatee> sla-id <id>

Configure the SLA ID for the delegatee interface.

The value must be a decimal integer greater than 0 and fit in the length of SLA IDs. It is converted to hexadecimal and appended to the delegated prefix to form the specific subnet prefix for the delegatee interface.

Example:

If SLA ID is 1 and the delegated prefix is 2001:db8:ffff::/48, the resulting subnet prefix for the delegatee interface will be 2001:db8:ffff:1::/64.

set interfaces wireless wlan0 vif-s 1000 vif-c 20 dhcpv6-options pd 0 interface eth8 sla-id 1
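The following added example (not VyOS code) works through the sla-id and address arithmetic described above, together with the EUI-64 default that the ipv6 address eui64 command also uses. It assumes the SLA ID occupies the bits between the delegated prefix length and /64; the function names and the MAC address are hypothetical.

```python
import ipaddress


def delegatee_subnet(delegated, sla_id=0):
    """Delegated prefix + SLA ID -> the /64 assigned to the delegatee interface."""
    net = ipaddress.IPv6Network(delegated)
    sla_bits = 64 - net.prefixlen      # assumption: SLA ID fills the gap up to /64
    if sla_bits < 0:
        raise ValueError("delegated prefix is longer than /64")
    if not 0 <= sla_id < (1 << sla_bits):
        raise ValueError(f"sla-id {sla_id} does not fit in {sla_bits} bits")
    base = int(net.network_address) | (sla_id << 64)
    return ipaddress.IPv6Network((base, 64))


def eui64_interface_id(mac):
    """Modified EUI-64 (RFC 4291): flip the universal/local bit, insert ff:fe."""
    octets = bytes(int(part, 16) for part in mac.split(":"))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    iid = bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:]
    return int.from_bytes(iid, "big")


def delegatee_address(delegated, sla_id=0, host_id=None, mac=None):
    """Final address: subnet from the SLA ID plus a decimal host portion.

    Without host_id, the host portion falls back to EUI-64 derived from `mac`.
    """
    subnet = delegatee_subnet(delegated, sla_id)
    if host_id is None:
        if mac is None:
            raise ValueError("need either host_id or mac")
        host_id = eui64_interface_id(mac)
    if not 0 < host_id < (1 << 64):
        raise ValueError("host portion must fit in the lower 64 bits")
    return ipaddress.IPv6Interface((int(subnet.network_address) | host_id, 64))


if __name__ == "__main__":
    # sla-id 1 on a delegated /48, as in the text above.
    print(delegatee_subnet("2001:db8:ffff::/48", 1))
    # Decimal host portions: 65535 is ffff, 65534 is fffe.
    print(delegatee_address("2001:db8:ffff:1::/64", host_id=65535))
    print(delegatee_address("2001:db8:ffff:1::/64", host_id=65534))
    # EUI-64 default with a constructed MAC address.
    print(delegatee_address("2001:db8:beef::/64", mac="00:53:00:aa:bb:cc"))
```
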

Operation

show interfaces wireless info

Use this command to view operational status and wireless-specific information about all wireless interfaces.

vyos@vyos:~$ show interfaces wireless info
Interface  Type          SSID                         Channel
wlan0      access-point  VyOS-TEST-0                        1

show interfaces wireless detail

Use this command to view operational status and detailed wireless-specific information about all wireless interfaces.

vyos@vyos:~$ show interfaces wireless detail
wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether XX:XX:XX:XX:XX:c3 brd XX:XX:XX:XX:XX:ff
    inet xxx.xxx.99.254/24 scope global wlan0
       valid_lft forever preferred_lft forever
    inet6 fe80::xxxx:xxxx:fe54:2fc3/64 scope link
       valid_lft forever preferred_lft forever

    RX:  bytes    packets     errors    dropped    overrun      mcast
         66072        282          0          0          0          0
    TX:  bytes    packets     errors    dropped    carrier collisions
         83413        430          0          0          0          0

wlan1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether XX:XX:XX:XX:XX:c3 brd XX:XX:XX:XX:XX:ff
    inet xxx.xxx.100.254/24 scope global wlan0
       valid_lft forever preferred_lft forever
    inet6 fe80::xxxx:xxxx:ffff:2ed3/64 scope link
       valid_lft forever preferred_lft forever

    RX:  bytes    packets     errors    dropped    overrun      mcast
         166072      5282          0          0          0          0
    TX:  bytes    packets     errors    dropped    carrier collisions
         183413      5430          0          0          0          0

show interfaces wireless <wlanX>

This command shows both status and statistics on the specified wireless interface. The wireless interface identifier can range from wlan0 to wlan999.

vyos@vyos:~$ show interfaces wireless wlan0
wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether XX:XX:XX:XX:XX:c3 brd XX:XX:XX:XX:XX:ff
    inet xxx.xxx.99.254/24 scope global wlan0
       valid_lft forever preferred_lft forever
    inet6 fe80::xxxx:xxxx:fe54:2fc3/64 scope link
       valid_lft forever preferred_lft forever

    RX:  bytes    packets     errors    dropped    overrun      mcast
         66072        282          0          0          0          0
    TX:  bytes    packets     errors    dropped    carrier collisions
         83413        430          0          0          0          0

show interfaces wireless <wlanX> brief

This command gives a brief status overview of a specified wireless interface. The wireless interface identifier can range from wlan0 to wlan999.

vyos@vyos:~$ show interfaces wireless wlan0 brief
Codes: S - State, L - Link, u - Up, D - Down, A - Admin Down
Interface        IP Address                        S/L  Description
---------        ----------                        ---  -----------
wlan0            192.168.2.254/24                    u/u

show interfaces wireless <wlanX> queue

Use this command to view wireless interface queue information. The wireless interface identifier can range from wlan0 to wlan999.

vyos@vyos:~$ show interfaces wireless wlan0 queue
qdisc pfifo_fast 0: root bands 3 priomap 1 2 2 2 1 2 0 0 1 1 1 1 1 1 1 1
 Sent 810323 bytes 6016 pkt (dropped 0, overlimits 0 requeues 0)
 rate 0bit 0pps backlog 0b 0p requeues 0

show interfaces wireless <wlanX> scan

Use this command to retrieve information about WAPs within range of your wireless interface. This command is useful on wireless interfaces configured in station mode.

Note

Scanning is not supported on all wireless drivers and wireless hardware. Refer to your driver and wireless hardware documentation for further details.

vyos@vyos:~$ show interfaces wireless wlan0 scan
Address            SSID                          Channel  Signal (dbm)
00:53:3b:88:6e:d8  WLAN-576405                         1  -64.00
00:53:3b:88:6e:da  Telekom_FON                         1  -64.00
00:53:00:f2:c2:a4  BabyView_F2C2A4                     6  -60.00
00:53:3b:88:6e:d6  Telekom_FON                       100  -72.00
00:53:3b:88:6e:d4  WLAN-576405                       100  -71.00
00:53:44:a4:96:ec  KabelBox-4DC8                      56  -81.00
00:53:d9:7a:67:c2  WLAN-741980                         1  -75.00
00:53:7c:99:ce:76  Vodafone Homespot                   1  -86.00
00:53:44:a4:97:21  KabelBox-4DC8                       1  -78.00
00:53:44:a4:97:21  Vodafone Hotspot                    1  -79.00
00:53:44:a4:97:21  Vodafone Homespot                   1  -79.00
00:53:86:40:30:da  Telekom_FON                         1  -86.00
00:53:7c:99:ce:76  Vodafone Hotspot                    1  -86.00
00:53:44:46:d2:0b  Vodafone Hotspot                    1  -87.00

Examples

The following example creates a WAP. When configuring multiple WAP interfaces, you must specify unique IP addresses, channels, network IDs (commonly referred to as SSIDs), and MAC addresses.

The WAP in this example has the following characteristics:

  • IP address 192.168.2.1/24

  • Network ID (SSID) TEST

  • WPA passphrase 12345678

  • Use 802.11n protocol

  • Wireless channel 1

set system wireless country-code de
set interfaces wireless wlan0 address '192.168.2.1/24'
set interfaces wireless wlan0 type access-point
set interfaces wireless wlan0 channel 1
set interfaces wireless wlan0 mode n
set interfaces wireless wlan0 ssid 'TEST'
set interfaces wireless wlan0 security wpa mode wpa2
set interfaces wireless wlan0 security wpa cipher CCMP
set interfaces wireless wlan0 security wpa passphrase '12345678'

Resulting in

system {
  wireless {
    country-code de
  }
}
interfaces {
  [...]
  wireless wlan0 {
        address 192.168.2.1/24
        channel 1
        mode n
        security {
            wpa {
                cipher CCMP
                mode wpa2
                passphrase "12345678"
            }
        }
        ssid "TEST"
        type access-point
    }
}

For this configuration to work as an access point, you need to set up a DHCP server that serves this network. You can also add the wireless interface to any bridge (Bridge) configured on the system.

WiFi-6(e) - 802.11ax

The following examples show valid configurations for WiFi-6 (2.4GHz) and WiFi-6e (6GHz) access points with the following characteristics:

  • Network ID (SSID) test.ax

  • WPA passphrase super-dooper-secure-passphrase

  • Use 802.11ax protocol

  • Wireless channel 11 for 2.4GHz

  • Wireless channel 5 for 6GHz

Example Configuration: WiFi-6 at 2.4GHz

You may expect real throughputs around 10MBytes/s or higher in crowded areas.

set system wireless country-code de
set interfaces wireless wlan0 capabilities he antenna-pattern-fixed
set interfaces wireless wlan0 capabilities he beamform multi-user-beamformer
set interfaces wireless wlan0 capabilities he beamform single-user-beamformee
set interfaces wireless wlan0 capabilities he beamform single-user-beamformer
set interfaces wireless wlan0 capabilities he bss-color 13
set interfaces wireless wlan0 capabilities he channel-set-width 81
set interfaces wireless wlan0 capabilities ht 40mhz-incapable
set interfaces wireless wlan0 capabilities ht channel-set-width ht20
set interfaces wireless wlan0 capabilities ht channel-set-width ht40+
set interfaces wireless wlan0 capabilities ht channel-set-width ht40-
set interfaces wireless wlan0 capabilities ht short-gi 20
set interfaces wireless wlan0 capabilities ht short-gi 40
set interfaces wireless wlan0 capabilities ht stbc rx 2
set interfaces wireless wlan0 capabilities ht stbc tx
set interfaces wireless wlan0 channel 11
set interfaces wireless wlan0 description "802.11ax 2.4GHz"
set interfaces wireless wlan0 mode ax
set interfaces wireless wlan0 security wpa cipher CCMP
set interfaces wireless wlan0 security wpa cipher CCMP-256
set interfaces wireless wlan0 security wpa cipher GCMP-256
set interfaces wireless wlan0 security wpa cipher GCMP
set interfaces wireless wlan0 security wpa mode wpa2
set interfaces wireless wlan0 security wpa passphrase super-dooper-secure-passphrase
set interfaces wireless wlan0 ssid test.ax
set interfaces wireless wlan0 type access-point
commit

Resulting in

system {
  wireless {
    country-code de
  }
}
interfaces {
  [...]
  wireless wlan0 {
        capabilities {
            he {
                antenna-pattern-fixed
                beamform {
                    multi-user-beamformer
                    single-user-beamformee
                    single-user-beamformer
                }
                bss-color 13
                channel-set-width 81
            }
            ht {
                40mhz-incapable
                channel-set-width ht20
                channel-set-width ht40+
                channel-set-width ht40-
                short-gi 20
                short-gi 40
                stbc {
                    rx 2
                    tx
                }
            }
        }
        channel 11
        description "802.11ax 2.4GHz"
        hw-id [...]
        mode ax
        physical-device phy0
        security {
            wpa {
                cipher CCMP
                cipher CCMP-256
                cipher GCMP-256
                cipher GCMP
                mode wpa2
                passphrase super-dooper-secure-passphrase
            }
        }
        ssid test.ax
        type access-point
    }
}

Example Configuration: WiFi-6e at 6GHz

You may expect real throughputs of around 50MBytes/s to 150MBytes/s, depending on obstructions such as walls, water, metal, or other materials with high electromagnetic damping at 6GHz. Best results are achieved with the AP in the same room and in line of sight.

set system wireless country-code de
set interfaces wireless wlan0 capabilities he antenna-pattern-fixed
set interfaces wireless wlan0 capabilities he beamform multi-user-beamformer
set interfaces wireless wlan0 capabilities he beamform single-user-beamformee
set interfaces wireless wlan0 capabilities he beamform single-user-beamformer
set interfaces wireless wlan0 capabilities he bss-color 13
set interfaces wireless wlan0 capabilities he channel-set-width 134
set interfaces wireless wlan0 capabilities he center-channel-freq freq-1 15
set interfaces wireless wlan0 channel 5
set interfaces wireless wlan0 description "802.11ax 6GHz"
set interfaces wireless wlan0 mode ax
set interfaces wireless wlan0 security wpa cipher CCMP
set interfaces wireless wlan0 security wpa cipher CCMP-256
set interfaces wireless wlan0 security wpa cipher GCMP-256
set interfaces wireless wlan0 security wpa cipher GCMP
set interfaces wireless wlan0 security wpa mode wpa3
set interfaces wireless wlan0 security wpa passphrase super-dooper-secure-passphrase
set interfaces wireless wlan0 mgmt-frame-protection required
set interfaces wireless wlan0 enable-bf-protection
set interfaces wireless wlan0 ssid test.ax
set interfaces wireless wlan0 type access-point
set interfaces wireless wlan0 stationary-ap
commit

Resulting in

system {
  wireless {
    country-code de
  }
}
interfaces {
  [...]
  wireless wlan0 {
        capabilities {
            he {
                antenna-pattern-fixed
                beamform {
                    multi-user-beamformer
                    single-user-beamformee
                    single-user-beamformer
                }
                bss-color 13
                center-channel-freq {
                    freq-1 15
                }
                channel-set-width 134
            }
        }
        channel 5
        description "802.11ax 6GHz"
        enable-bf-protection
        hw-id [...]
        mgmt-frame-protection required
        mode ax
        physical-device phy0
        security {
            wpa {
                cipher CCMP
                cipher CCMP-256
                cipher GCMP-256
                cipher GCMP
                mode wpa3
                passphrase super-dooper-secure-passphrase
            }
        }
        ssid test.ax
        stationary-ap
        type access-point
    }
}

Intel AX200

The Intel AX200 card does not work out of the box in AP mode, see https://unix.stackexchange.com/questions/598275/intel-ax200-ap-mode. You can still put this card into AP mode using the following configuration:

set system wireless country-code 'us'
set interfaces wireless wlan0 channel '1'
set interfaces wireless wlan0 mode 'n'
set interfaces wireless wlan0 physical-device 'phy0'
set interfaces wireless wlan0 ssid 'VyOS'
set interfaces wireless wlan0 type 'access-point'
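The following added example (not part of VyOS) audits set interfaces wireless commands, such as the ones in the examples above, for weak access-point settings. The checks, the 16-character passphrase threshold, and the treatment of an access point without a security node as an open network are assumptions of this example; the sample inputs are trimmed copies of the page's example configurations.

```python
import shlex

MIN_PASSPHRASE_LEN = 16  # assumption: local policy threshold, not a VyOS limit

# Trimmed copies of the example configurations on this page.
BASIC_WPA2 = """
set interfaces wireless wlan0 type access-point
set interfaces wireless wlan0 ssid 'TEST'
set interfaces wireless wlan0 security wpa mode wpa2
set interfaces wireless wlan0 security wpa cipher CCMP
set interfaces wireless wlan0 security wpa passphrase '12345678'
"""
WIFI6E = """
set interfaces wireless wlan0 security wpa cipher GCMP-256
set interfaces wireless wlan0 security wpa mode wpa3
set interfaces wireless wlan0 security wpa passphrase super-dooper-secure-passphrase
set interfaces wireless wlan0 mgmt-frame-protection required
set interfaces wireless wlan0 ssid test.ax
set interfaces wireless wlan0 type access-point
"""
AX200 = """
set interfaces wireless wlan0 channel '1'
set interfaces wireless wlan0 mode 'n'
set interfaces wireless wlan0 physical-device 'phy0'
set interfaces wireless wlan0 ssid 'VyOS'
set interfaces wireless wlan0 type 'access-point'
"""


def parse(text):
    """Map interface name -> list of config paths from 'set interfaces wireless' lines."""
    cfg = {}
    for line in text.splitlines():
        tokens = shlex.split(line)   # also strips the quotes around values
        if tokens[:3] == ["set", "interfaces", "wireless"] and len(tokens) > 4:
            cfg.setdefault(tokens[3], []).append(tokens[4:])
    return cfg


def leaf(paths, *prefix):
    """Tokens found directly under a config path, e.g. ('security', 'wpa', 'mode')."""
    n = len(prefix)
    return [p[n] for p in paths if p[:n] == list(prefix) and len(p) > n]


def audit(text):
    """Return {interface: [findings]} for every interface of type access-point."""
    findings = {}
    for iface, paths in parse(text).items():
        if "access-point" not in leaf(paths, "type"):
            continue
        issues = []
        if not leaf(paths, "security"):
            issues.append("open network: no security node configured")
        modes = leaf(paths, "security", "wpa", "mode")
        pmf = leaf(paths, "mgmt-frame-protection")
        if modes and "wpa3" not in modes and "required" not in pmf:
            issues.append("pre-WPA3 mode without mgmt-frame-protection required")
        for phrase in leaf(paths, "security", "wpa", "passphrase"):
            if len(phrase) < MIN_PASSPHRASE_LEN:
                issues.append(f"passphrase shorter than {MIN_PASSPHRASE_LEN} characters")
            if phrase.isdigit():
                issues.append("passphrase is digits only")
        findings[iface] = issues
    return findings


if __name__ == "__main__":
    for name, text in (("basic WPA2", BASIC_WPA2), ("WiFi-6e", WIFI6E), ("AX200", AX200)):
        for iface, issues in audit(text).items():
            print(f"{name} / {iface}: {issues or 'no findings'}")
```
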