sax-rgs-gw-core01: add laundering client network
v4 works, v6 is still a work in progress. launder: * v4 through mullvad * v6 through mowoe
This commit is contained in:
parent
c7989547aa
commit
473d7aa05a
|
@ -30,6 +30,22 @@ config dhcp 'mgmt'
|
|||
list ra_flags 'managed-config'
|
||||
list ra_flags 'other-config'
|
||||
|
||||
config dhcp 'clients'
|
||||
option interface 'clients'
|
||||
# from: 10.86.4.2
|
||||
# to: 10.86.7.254
|
||||
# start: 2
|
||||
# limit: 1020
|
||||
option start '2'
|
||||
option limit '1020'
|
||||
option leasetime '12h'
|
||||
option dhcpv4 'server'
|
||||
option dhcpv6 'server'
|
||||
option ra 'server'
|
||||
option ra_slaac '1'
|
||||
list ra_flags 'managed-config'
|
||||
list ra_flags 'other-config'
|
||||
|
||||
config dhcp 'backoffice'
|
||||
option interface 'backoffice'
|
||||
option start '100'
|
||||
|
|
|
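Review bot: The pool comment on the new 'clients' dhcp block does not match its option values: with `option start '2'` and `option limit '1020'` on 10.86.4.0/22 the last lease is 10.86.4.2 + 1019 = 10.86.7.253, not 10.86.7.254 as `# to:` states, so either `# to: 10.86.7.253` or `option limit '1021'` if the last usable address is intended. The block also turns on `dhcpv6 'server'`, `ra 'server'` and the managed/other-config flags for clients, while the clients interface added in the network config carries only an IPv4 address; since the description says v6 is still in progress, a short comment such as `# RA/DHCPv6 enabled ahead of the v6 prefix; no ip6assign yet` would make that intent explicit. The 'backoffice' block at the end of the hunk is presumably unchanged context.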
@ -13,6 +13,13 @@ config zone
|
|||
option output ACCEPT
|
||||
option forward REJECT
|
||||
|
||||
config zone
|
||||
option name clients
|
||||
list network clients
|
||||
option input REJECT
|
||||
option output ACCEPT
|
||||
option forward REJECT
|
||||
|
||||
config zone
|
||||
option name backoffice
|
||||
list network 'backoffice'
|
||||
|
@ -20,6 +27,20 @@ config zone
|
|||
option output ACCEPT
|
||||
option forward REJECT
|
||||
|
||||
config zone
|
||||
option name launder
|
||||
list network wg4
|
||||
list network wg5
|
||||
option input REJECT
|
||||
option output ACCEPT
|
||||
option forward REJECT
|
||||
option masq 1
|
||||
option mtu_fix 1
|
||||
|
||||
config forwarding
|
||||
option src clients
|
||||
option dest launder
|
||||
|
||||
config zone
|
||||
option name backbone
|
||||
list network wg3
|
||||
|
@ -27,6 +48,21 @@ config zone
|
|||
option output ACCEPT
|
||||
option forward REJECT
|
||||
|
||||
config rule
|
||||
option name CLIENTS_Allow-DHCP
|
||||
option src clients
|
||||
option proto udp
|
||||
option dest_port 67-68
|
||||
option target ACCEPT
|
||||
option family ipv4
|
||||
|
||||
config rule
|
||||
option name CLIENTS_Allow-DNS
|
||||
option src clients
|
||||
option proto udp
|
||||
option dest_port 53
|
||||
option target ACCEPT
|
||||
|
||||
config rule
|
||||
option name From-BACKBONE-Allow-OSPF
|
||||
option src backbone
|
||||
|
|
|
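Review bot: The new clients-zone rules admit only DHCPv4 (`CLIENTS_Allow-DHCP` is `family ipv4`, ports 67-68) and UDP/53, yet the dhcp config in this commit enables `dhcpv6 'server'` and RA for clients; with the zone's `input REJECT`, DHCPv6 solicits (UDP 547) and ICMPv6 router/neighbour solicitations from clients are rejected unless a global rule outside this diff already covers them, so a `CLIENTS_Allow-DHCPv6` rule (`option proto udp`, `option dest_port 547`, `option family ipv6`) and an ICMPv6 input rule are needed before v6 can work. `CLIENTS_Allow-DNS` is UDP-only; resolvers fall back to TCP/53 on truncated answers, so `option proto 'tcp udp'` avoids sporadic lookup failures. Because clients are presumably resolving through the router itself, the router's upstream lookups follow the main table rather than the launder table, so client queries leave over the wan path unless dnsmasq is given a tunnel-side upstream for this interface — worth a comment on the rule if that is an accepted trade-off. The launder zone and clients→launder forwarding in the earlier hunk look consistent with the intended fail-closed design, since no other forwarding from clients is added.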
@ -71,6 +71,12 @@ config interface 'wan6'
|
|||
option device 'switch.3'
|
||||
option proto 'dhcpv6'
|
||||
|
||||
config interface 'clients'
|
||||
option device 'switch.2'
|
||||
option proto 'static'
|
||||
option ipaddr '10.86.4.1'
|
||||
option netmask '255.255.252.0'
|
||||
|
||||
config interface 'backoffice'
|
||||
option device 'switch.8'
|
||||
option proto 'static'
|
||||
|
@ -93,3 +99,43 @@ config wireguard_wg3 'eap_adp_jump01'
|
|||
option route_allowed_ips '0'
|
||||
option persistent_keepalive 15
|
||||
list allowed_ips '0.0.0.0/0'
|
||||
|
||||
config interface 'wg4'
|
||||
option proto 'wireguard'
|
||||
option private_key "{{ lookup('passwordstore', 'wg/wg4/sax-rgs-gw-core01') }}"
|
||||
list addresses 'fe80:2131:27:189::2/64'
|
||||
option disabled '0'
|
||||
|
||||
# routes 2a0e:8f02:f000:2e61::1/64 to the link-local of wg4
|
||||
config wireguard_wg4 'core_mowoe_com'
|
||||
option public_key "{{ lookup('passwordstore', 'wg/wg4/core.mowoe.com.pub') }}"
|
||||
option endpoint_host 'core.mowoe.com'
|
||||
option endpoint_port '51821'
|
||||
option route_allowed_ips '0'
|
||||
option persistent_keepalive 15
|
||||
list allowed_ips '::/0'
|
||||
|
||||
config interface 'wg5'
|
||||
option ip4table 'launder'
|
||||
option proto 'wireguard'
|
||||
option private_key "{{ lookup('passwordstore', 'wg/wg5/sax-rgs-gw-core01') }}"
|
||||
list addresses '10.67.171.28'
|
||||
option disabled '0'
|
||||
|
||||
config wireguard_wg5 'mullvad'
|
||||
option public_key "{{ lookup('passwordstore', 'wg/wg5/mullvad.pub') }}"
|
||||
option endpoint_host '146.70.117.162'
|
||||
option endpoint_port '51820'
|
||||
option route_allowed_ips '1'
|
||||
option persistent_keepalive 15
|
||||
list allowed_ips '0.0.0.0/0'
|
||||
|
||||
config rule
|
||||
option in 'clients'
|
||||
option lookup 'launder'
|
||||
option priority 50
|
||||
|
||||
config rule
|
||||
option in 'clients'
|
||||
option action prohibit
|
||||
option priority 51
|
||||
|
|
|
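Review bot: The fail-closed pair at the end of the hunk (`config rule` with `in 'clients'` / `lookup 'launder'` at priority 50, then `action prohibit` at priority 51) covers IPv4 only: `config rule` is the v4 policy rule and there is no `config rule6` counterpart, nor an `ip6table` on wg4. That is harmless while 'clients' carries only 10.86.4.1/22, but once the prefix routed to wg4 is assigned to clients, v6 from that network falls back to the main table, so adding a `config rule6` pair with the same in/lookup/prohibit shape in this commit keeps the kill switch symmetric even before wg4 is routed. wg4 keeps `route_allowed_ips '0'` with `list allowed_ips '::/0'`, so its default route is deliberately not installed — consistent with "v6 work in progress" — and a one-line comment on the peer block saying so would spare the next reader a check. `list addresses '10.67.171.28'` on wg5 has no prefix length and presumably relies on the /32 default; writing `list addresses '10.67.171.28/32'` makes that explicit.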
@ -0,0 +1,13 @@
|
|||
#
|
||||
# reserved values
|
||||
#
|
||||
128 prelocal
|
||||
255 local
|
||||
254 main
|
||||
253 default
|
||||
0 unspec
|
||||
20 launder
|
||||
#
|
||||
# local
|
||||
#
|
||||
#1 inr.ruhep
|