diff --git a/password-store/wg/wg4/core.mowoe.com.pub.gpg b/password-store/wg/wg4/core.mowoe.com.pub.gpg
new file mode 100644
index 0000000..19ec1e0
Binary files /dev/null and b/password-store/wg/wg4/core.mowoe.com.pub.gpg differ
diff --git a/password-store/wg/wg4/sax-rgs-gw-core01.gpg b/password-store/wg/wg4/sax-rgs-gw-core01.gpg
new file mode 100644
index 0000000..2f7b819
Binary files /dev/null and b/password-store/wg/wg4/sax-rgs-gw-core01.gpg differ
diff --git a/password-store/wg/wg5/mullvad.pub.gpg b/password-store/wg/wg5/mullvad.pub.gpg
new file mode 100644
index 0000000..d2d9d58
Binary files /dev/null and b/password-store/wg/wg5/mullvad.pub.gpg differ
diff --git a/password-store/wg/wg5/sax-rgs-gw-core01.gpg b/password-store/wg/wg5/sax-rgs-gw-core01.gpg
new file mode 100644
index 0000000..727efe8
Binary files /dev/null and b/password-store/wg/wg5/sax-rgs-gw-core01.gpg differ
diff --git a/templates/gateways/sax-rgs-gw-core01/etc/config/dhcp b/templates/gateways/sax-rgs-gw-core01/etc/config/dhcp
index 7cb176a..922ba79 100644
--- a/templates/gateways/sax-rgs-gw-core01/etc/config/dhcp
+++ b/templates/gateways/sax-rgs-gw-core01/etc/config/dhcp
@@ -30,6 +30,22 @@ config dhcp 'mgmt'
 list ra_flags 'managed-config'
 list ra_flags 'other-config'
+config dhcp 'clients'
+ option interface 'clients'
+ # from: 10.86.4.2
+ # to: 10.86.7.254
+ # start: 2
+ # limit: 1020
+ option start '2'
+ option limit '1020'
+ option leasetime '12h'
+ option dhcpv4 'server'
+ option dhcpv6 'server'
+ option ra 'server'
+ option ra_slaac '1'
+ list ra_flags 'managed-config'
+ list ra_flags 'other-config'
+
 config dhcp 'backoffice'
 option interface 'backoffice'
 option start '100'
diff --git a/templates/gateways/sax-rgs-gw-core01/etc/config/firewall b/templates/gateways/sax-rgs-gw-core01/etc/config/firewall
index 2d82ed3..dc51b8d 100644
--- a/templates/gateways/sax-rgs-gw-core01/etc/config/firewall
+++ b/templates/gateways/sax-rgs-gw-core01/etc/config/firewall
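Review bot: The pool comment and the pool size in the new `clients` stanza disagree: `option start '2'` with `option limit '1020'` covers offsets 2 through 1021 of the /22, i.e. 10.86.4.2 to 10.86.7.253, while the comment says `# to: 10.86.7.254`. Either `option limit '1021'` or `# to: 10.86.7.253` makes them agree, and the comment block would then be a reliable record of the pool. The stanza also turns on `dhcpv6 'server'`, `ra 'server'` and the managed/other-config flags, yet the `clients` interface added in the network template of this commit carries only an IPv4 address, so the IPv6 side appears to have nothing to advertise until a prefix is assigned; if that is a deliberate placeholder, a one-line comment saying so would stop the next reader from treating it as a bug.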
@@ -13,6 +13,13 @@ config zone
 option output ACCEPT
 option forward REJECT
+config zone
+ option name clients
+ list network clients
+ option input REJECT
+ option output ACCEPT
+ option forward REJECT
+
 config zone
 option name backoffice
 list network 'backoffice'
@@ -20,6 +27,20 @@ config zone
 option output ACCEPT
 option forward REJECT
+config zone
+ option name launder
+ list network wg4
+ list network wg5
+ option input REJECT
+ option output ACCEPT
+ option forward REJECT
+ option masq 1
+ option mtu_fix 1
+
+config forwarding
+ option src clients
+ option dest launder
+
 config zone
 option name backbone
 list network wg3
@@ -27,6 +48,21 @@ config zone
 option output ACCEPT
 option forward REJECT
+ config rule
+ option name CLIENTS_Allow-DHCP
+ option src clients
+ option proto udp
+ option dest_port 67-68
+ option target ACCEPT
+ option family ipv4
+
+config rule
+ option name CLIENTS_Allow-DNS
+ option src clients
+ option proto udp
+ option dest_port 53
+ option target ACCEPT
+
 config rule
 option name From-BACKBONE-Allow-OSPF
 option src backbone
diff --git a/templates/gateways/sax-rgs-gw-core01/etc/config/network b/templates/gateways/sax-rgs-gw-core01/etc/config/network
index 99bce33..13a2916 100644
--- a/templates/gateways/sax-rgs-gw-core01/etc/config/network
+++ b/templates/gateways/sax-rgs-gw-core01/etc/config/network
@@ -71,6 +71,12 @@ config interface 'wan6'
 option device 'switch.3'
 option proto 'dhcpv6'
+config interface 'clients'
+ option device 'switch.2'
+ option proto 'static'
+ option ipaddr '10.86.4.1'
+ option netmask '255.255.252.0'
+
 config interface 'backoffice'
 option device 'switch.8'
 option proto 'static'
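Review bot: The new `launder` zone puts `wg4` and `wg5` in the same zone, and the `config forwarding` from `clients` therefore admits client traffic to both tunnels, not only to the Mullvad one. The IPv4 policy rules in the network template steer client traffic into the `launder` table, but nothing in this commit constrains IPv6 the same way, so if the intent is that clients egress only via `wg5`, a separate zone for `wg4` (or a comment stating that both exits are intended) would make the boundary explicit. Note that `option masq 1` and `option mtu_fix 1` are applied zone-wide, so they currently cover `wg4` as well; this may be intended, but it is not stated.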
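Review bot: The `clients` zone rejects input and the two new rules only open UDP 67-68 and UDP 53, so the DHCPv6 and RA service that the dhcp template enables for `clients` (UDP 547 plus the ICMPv6 router and neighbour discovery it relies on) cannot be reached from that zone; either drop the IPv6 server options there or add the equivalents of the stock `Allow-DHCPv6` and `Allow-ICMPv6-Input` rules for `clients`. `CLIENTS_Allow-DNS` also admits UDP only; resolvers fall back to TCP 53 for truncated answers, so `option proto 'tcp udp'` avoids intermittent lookup failures. The first new stanza appears to start with an indented line (the added line reads `+ config rule`), which is inconsistent with every other stanza in the file and worth fixing even if the parser accepts it.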
@@ -93,3 +99,43 @@ config wireguard_wg3 'eap_adp_jump01'
 option route_allowed_ips '0'
 option persistent_keepalive 15
 list allowed_ips '0.0.0.0/0'
+
+config interface 'wg4'
+ option proto 'wireguard'
+ option private_key "{{ lookup('passwordstore', 'wg/wg4/sax-rgs-gw-core01') }}"
+ list addresses 'fe80:2131:27:189::2/64'
+ option disabled '0'
+
+# routes 2a0e:8f02:f000:2e61::1/64 to the link-local of wg4
+config wireguard_wg4 'core_mowoe_com'
+ option public_key "{{ lookup('passwordstore', 'wg/wg4/core.mowoe.com.pub') }}"
+ option endpoint_host 'core.mowoe.com'
+ option endpoint_port '51821'
+ option route_allowed_ips '0'
+ option persistent_keepalive 15
+ list allowed_ips '::/0'
+
+config interface 'wg5'
+ option ip4table 'launder'
+ option proto 'wireguard'
+ option private_key "{{ lookup('passwordstore', 'wg/wg5/sax-rgs-gw-core01') }}"
+ list addresses '10.67.171.28'
+ option disabled '0'
+
+config wireguard_wg5 'mullvad'
+ option public_key "{{ lookup('passwordstore', 'wg/wg5/mullvad.pub') }}"
+ option endpoint_host '146.70.117.162'
+ option endpoint_port '51820'
+ option route_allowed_ips '1'
+ option persistent_keepalive 15
+ list allowed_ips '0.0.0.0/0'
+
+config rule
+ option in 'clients'
+ option lookup 'launder'
+ option priority 50
+
+config rule
+ option in 'clients'
+ option action prohibit
+ option priority 51
diff --git a/templates/gateways/sax-rgs-gw-core01/etc/iproute2/rt_tables b/templates/gateways/sax-rgs-gw-core01/etc/iproute2/rt_tables
new file mode 100644
index 0000000..cb61684
--- /dev/null
+++ b/templates/gateways/sax-rgs-gw-core01/etc/iproute2/rt_tables
@@ -0,0 +1,13 @@
+#
+# reserved values
+#
+128 prelocal
+255 local
+254 main
+253 default
+0 unspec
+20 launder
+#
+# local
+#
+#1 inr.ruhep
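Review bot: The two policy rules at the end of the hunk (`option lookup 'launder'` at priority 50, `option action prohibit` at priority 51) give `clients` a fail-closed IPv4 path when `wg5` has no route in the `launder` table, but they are IPv4-only: `config rule` and `option ip4table` act on the v4 tables and there is no `config rule6` counterpart. Since the dhcp template in this commit advertises RA and DHCPv6 on `clients`, any IPv6 a client later obtains would be routed by the main table instead of being prohibited; a matching `config rule6` stanza with `option in 'clients'`, `option action prohibit`, `option priority 51` closes that gap if v6 is not meant to leave through the tunnel. Separately, `wg5` pins the exit as a literal address in `option endpoint_host '146.70.117.162'`, so a relay change makes the tunnel fail and the prohibit rule then keeps clients offline by design; a comment naming the relay or where the address came from would help whoever has to diagnose that.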