Merge branch 'vyos:master' into master

docs/_locale/de/configuration.pot

@@ -19468,8 +19468,8 @@ msgid "``latency``: A server profile focused on lowering network latency. This p
 msgstr "``latency``: A server profile focused on lowering network latency. This profile favors performance over power savings by setting ``intel_pstate`` and ``min_perf_pct=100``."
 
 #: ../../configuration/loadbalancing/reverse-proxy.rst:108
-msgid "``least-connection`` Distributes requests tp tje server wotj the fewest active connections"
-msgstr "``least-connection`` Distributes requests tp tje server wotj the fewest active connections"
+msgid "``least-connection`` Distributes requests to the server with the fewest active connections"
+msgstr "``least-connection`` Distributes requests to the server with the fewest active connections"
 
 #: ../../configuration/vpn/ipsec.rst:125
 msgid "``life-bytes`` ESP life in bytes <1024-26843545600000>. Number of bytes transmitted over an IPsec SA before it expires;"

docs/_locale/es/configuration.pot

@@ -19468,7 +19468,7 @@ msgid "``latency``: A server profile focused on lowering network latency. This p
 msgstr "``latency``: un perfil de servidor centrado en reducir la latencia de la red. Este perfil favorece el rendimiento sobre el ahorro de energía configurando ``intel_pstate`` y ``min_perf_pct=100``."
 
 #: ../../configuration/loadbalancing/reverse-proxy.rst:108
-msgid "``least-connection`` Distributes requests tp tje server wotj the fewest active connections"
+msgid "``least-connection`` Distributes requests to the server with the fewest active connections"
 msgstr "``least-connection`` Distribuye las solicitudes al servidor con la menor cantidad de conexiones activas"
 
 #: ../../configuration/vpn/ipsec.rst:125

docs/_locale/ja/configuration.pot

@@ -19468,8 +19468,8 @@ msgid "``latency``: A server profile focused on lowering network latency. This p
 msgstr "``latency``: A server profile focused on lowering network latency. This profile favors performance over power savings by setting ``intel_pstate`` and ``min_perf_pct=100``."
 
 #: ../../configuration/loadbalancing/reverse-proxy.rst:108
-msgid "``least-connection`` Distributes requests tp tje server wotj the fewest active connections"
-msgstr "``least-connection`` Distributes requests tp tje server wotj the fewest active connections"
+msgid "``least-connection`` Distributes requests to the server with the fewest active connections"
+msgstr "``least-connection`` Distributes requests to the server with the fewest active connections"
 
 #: ../../configuration/vpn/ipsec.rst:125
 msgid "``life-bytes`` ESP life in bytes <1024-26843545600000>. Number of bytes transmitted over an IPsec SA before it expires;"

docs/_locale/pt/configuration.pot

@@ -19468,8 +19468,8 @@ msgid "``latency``: A server profile focused on lowering network latency. This p
 msgstr "``latency``: A server profile focused on lowering network latency. This profile favors performance over power savings by setting ``intel_pstate`` and ``min_perf_pct=100``."
 
 #: ../../configuration/loadbalancing/reverse-proxy.rst:108
-msgid "``least-connection`` Distributes requests tp tje server wotj the fewest active connections"
-msgstr "``least-connection`` Distributes requests tp tje server wotj the fewest active connections"
+msgid "``least-connection`` Distributes requests to the server with the fewest active connections"
+msgstr "``least-connection`` Distributes requests to the server with the fewest active connections"
 
 #: ../../configuration/vpn/ipsec.rst:125
 msgid "``life-bytes`` ESP life in bytes <1024-26843545600000>. Number of bytes transmitted over an IPsec SA before it expires;"

docs/_locale/uk/configuration.pot

@@ -19468,8 +19468,8 @@ msgid "``latency``: A server profile focused on lowering network latency. This p
 msgstr "``latency``: A server profile focused on lowering network latency. This profile favors performance over power savings by setting ``intel_pstate`` and ``min_perf_pct=100``."
 
 #: ../../configuration/loadbalancing/reverse-proxy.rst:108
-msgid "``least-connection`` Distributes requests tp tje server wotj the fewest active connections"
-msgstr "``least-connection`` Distributes requests tp tje server wotj the fewest active connections"
+msgid "``least-connection`` Distributes requests to the server with the fewest active connections"
+msgstr "``least-connection`` Distributes requests to the server with the fewest active connections"
 
 #: ../../configuration/vpn/ipsec.rst:125
 msgid "``life-bytes`` ESP life in bytes <1024-26843545600000>. Number of bytes transmitted over an IPsec SA before it expires;"

docs/configexamples/autotest/DHCPRelay_through_GRE/_include/dhcp-server.conf

@@ -8,6 +8,7 @@ set protocols static route 10.0.10.0/24 next-hop 10.0.20.254
 set protocols static route 192.168.0.0/24 next-hop 127.16.0.2
 set service dhcp-server listen-address '172.16.0.1'
 set service dhcp-server shared-network-name DHCPTun100 authoritative
-set service dhcp-server shared-network-name DHCPTun100 subnet 192.168.0.0/24 default-router '192.168.0.254'
+set service dhcp-server shared-network-name DHCPTun100 subnet 192.168.0.0/24 option default-router '192.168.0.254'
 set service dhcp-server shared-network-name DHCPTun100 subnet 192.168.0.0/24 range 0 start '192.168.0.30'
-set service dhcp-server shared-network-name DHCPTun100 subnet 192.168.0.0/24 range 0 stop '192.168.0.30'
+set service dhcp-server shared-network-name DHCPTun100 subnet 192.168.0.0/24 range 0 stop '192.168.0.30'
+set service dhcp-server shared-network-name DHCPTun100 subnet 192.168.0.0/24 subnet-id '1'

docs/configuration/loadbalancing/reverse-proxy.rst

@@ -105,7 +105,7 @@ Backend
      of the client
    * ``round-robin`` Distributes requests in a circular manner,
      sequentially sending each request to the next server in line
-   * ``least-connection`` Distributes requests tp tje server wotj the fewest 
+   * ``least-connection`` Distributes requests to the server with the fewest
      active connections
 
 .. cfgcmd:: set load-balancing reverse-proxy backend <name> mode

docs/configuration/nat/nat66.rst

@@ -137,3 +137,100 @@ R2:
   set interfaces bridge br1 member interface eth1
   set protocols static route6 ::/0 next-hop fc01::1
   set service router-advert interface br1 prefix ::/0
+
+
+Use the following topology to translate internal user local addresses (``fc::/7``)
+to DHCPv6-PD provided prefixes from an ISP connected to a VyOS HA pair.
+
+.. figure:: /_static/images/vyos_1_5_nat66_dhcpv6_wdummy.png
+   :alt: VyOS NAT66 DHCPv6 using a dummy interface
+
+Configure both routers (a and b) for DHCPv6-PD via dummy interface:
+
+.. code-block:: none
+
+  set interfaces dummy dum1 description 'DHCPv6-PD NPT dummy'
+  set interfaces bonding bond0 vif 20 dhcpv6-options pd 0 interface dum1 address '0'
+  set interfaces bonding bond0 vif 20 dhcpv6-options pd 1 interface dum1 address '0'
+  set interfaces bonding bond0 vif 20 dhcpv6-options pd 2 interface dum1 address '0'
+  set interfaces bonding bond0 vif 20 dhcpv6-options pd 3 interface dum1 address '0'
+  set interfaces bonding bond0 vif 20 dhcpv6-options rapid-commit
+  commit
+
+Get the DHCPv6-PD prefixes from both routers:
+
+.. code-block:: none
+
+  trae@cr01a-vyos# run show interfaces dummy dum1 br
+  Codes: S - State, L - Link, u - Up, D - Down, A - Admin Down
+  Interface        IP Address                        S/L  Description
+  ---------        ----------                        ---  -----------
+  dum1             2001:db8:123:b008::/64           u/u  DHCPv6-PD NPT dummy
+                   2001:db8:123:b00a::/64
+                   2001:db8:123:b00b::/64
+                   2001:db8:123:b009::/64
+
+  trae@cr01b-vyos# run show int dummy dum1 brief
+  Codes: S - State, L - Link, u - Up, D - Down, A - Admin Down
+  Interface        IP Address                        S/L  Description
+  ---------        ----------                        ---  -----------
+  dum1             2001:db8:123:b00d::/64           u/u  DHCPv6-PD NPT dummy
+                   2001:db8:123:b00c::/64
+                   2001:db8:123:b00e::/64
+                   2001:db8:123:b00f::/64
+
+Configure the A-side router for NPTv6 using the prefixes above:
+
+.. code-block:: none
+
+  set nat66 source rule 10 description 'NPT to VLAN 10'
+  set nat66 source rule 10 outbound-interface name 'bond0.20'
+  set nat66 source rule 10 source prefix 'fd52:d62e:8011:a::/64'
+  set nat66 source rule 10 translation address '2001:db8:123:b008::/64'
+  set nat66 source rule 20 description 'NPT to VLAN 70'
+  set nat66 source rule 20 outbound-interface name 'bond0.20'
+  set nat66 source rule 20 source prefix 'fd52:d62e:8011:46::/64'
+  set nat66 source rule 20 translation address '2001:db8:123:b009::/64'
+  set nat66 source rule 30 description 'NPT to VLAN 200'
+  set nat66 source rule 30 outbound-interface name 'bond0.20'
+  set nat66 source rule 30 source prefix 'fd52:d62e:8011:c8::/64'
+  set nat66 source rule 30 translation address '2001:db8:123:b00a::/64'
+  set nat66 source rule 40 description 'NPT to VLAN 240'
+  set nat66 source rule 40 outbound-interface name 'bond0.20'
+  set nat66 source rule 40 source prefix 'fd52:d62e:8011:f0::/64'
+  set nat66 source rule 40 translation address '2001:db8:123:b00b::/64'
+  commit
+
+Configure the B-side router for NPTv6 using the prefixes above:
+
+.. code-block:: none
+
+  set nat66 source rule 10 description 'NPT to VLAN 10'
+  set nat66 source rule 10 outbound-interface name 'bond0.20'
+  set nat66 source rule 10 source prefix 'fd52:d62e:8011:a::/64'
+  set nat66 source rule 10 translation address '2001:db8:123:b00c::/64'
+  set nat66 source rule 20 description 'NPT to VLAN 70'
+  set nat66 source rule 20 outbound-interface name 'bond0.20'
+  set nat66 source rule 20 source prefix 'fd52:d62e:8011:46::/64'
+  set nat66 source rule 20 translation address '2001:db8:123:b00d::/64'
+  set nat66 source rule 30 description 'NPT to VLAN 200'
+  set nat66 source rule 30 outbound-interface name 'bond0.20'
+  set nat66 source rule 30 source prefix 'fd52:d62e:8011:c8::/64'
+  set nat66 source rule 30 translation address '2001:db8:123:b00e::/64'
+  set nat66 source rule 40 description 'NPT to VLAN 240'
+  set nat66 source rule 40 outbound-interface name 'bond0.20'
+  set nat66 source rule 40 source prefix 'fd52:d62e:8011:f0::/64'
+  set nat66 source rule 40 translation address '2001:db8:123:b00f::/64'
+  commit
+
+Verify that connections are hitting the rule on both sides:
+
+.. code-block:: none
+
+  trae@cr01a-vyos# run show nat66 source statistics
+  Rule    Packets    Bytes    Interface
+  ------  ---------  -------  -----------
+  10      1          104      bond0.20
+  20      1          104      bond0.20
+  30      8093       669445   bond0.20
+  40      2446       216912   bond0.20

docs/configuration/pki/index.rst

@@ -1,4 +1,4 @@
-:lastproofread: 2021-09-01
+:lastproofread: 2024-01-05
 
 .. include:: /_include/need_improvement.txt
 
@@ -248,6 +248,44 @@ certificates used by services on this router.
 
   If CA is present, this certificate will be included in generated CRLs
 
+ACME
+^^^^
+
+The VyOS PKI subsystem can also be used to automatically retrieve Certificates
+using the :abbr:`ACME (Automatic Certificate Management Environment)` protocol.
+
+.. cfgcmd:: set pki certificate <name> acme domain-name <name>
+
+  Domain names to apply, multiple domain-names can be specified.
+
+  This is a mandatory option
+
+.. cfgcmd:: set pki certificate <name> acme email <address>
+
+  Email used for registration and recovery contact.
+
+  This is a mandatory option
+
+.. cfgcmd:: set pki certificate <name> acme listen-address <address>
+
+  The address the server listens to during http-01 challenge
+
+.. cfgcmd:: set pki certificate <name> acme rsa-key-size <2048 | 3072 | 4096>
+
+  Size of the RSA key.
+
+  This options defaults to 2048
+
+.. cfgcmd:: set pki certificate <name> acme url <url>
+
+  ACME Directory Resource URI.
+
+  This defaults to https://acme-v02.api.letsencrypt.org/directory
+
+  .. note:: During initial deployment we recommend using the staging API
+    of LetsEncrypt to prevent and blacklisting of your system. The API
+    endpoint is https://acme-staging-v02.api.letsencrypt.org/directory
+
 Operation
 =========
 
@@ -292,3 +330,7 @@ also to display them.
 .. opcmd:: show pki crl
 
   Show a list of installed :abbr:`CRLs (Certificate Revocation List)`.
+
+.. opcmd:: renew certbot
+
+  Manually trigger certificate renewal. This will be done twice a day.