sax-rgs-gw-core01: add laundering client network
v4 works, v6 is still a work in progress. launder: v4 through mullvad, v6 through mowoe.
This commit is contained in:
parent
c7989547aa
commit
473d7aa05a
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
|
@ -30,6 +30,22 @@ config dhcp 'mgmt'
|
||||||
list ra_flags 'managed-config'
|
list ra_flags 'managed-config'
|
||||||
list ra_flags 'other-config'
|
list ra_flags 'other-config'
|
||||||
|
|
||||||
|
config dhcp 'clients'
|
||||||
|
option interface 'clients'
|
||||||
|
# from: 10.86.4.2
|
||||||
|
# to: 10.86.7.254
|
||||||
|
# start: 2
|
||||||
|
# limit: 1020
|
||||||
|
option start '2'
|
||||||
|
option limit '1020'
|
||||||
|
option leasetime '12h'
|
||||||
|
option dhcpv4 'server'
|
||||||
|
option dhcpv6 'server'
|
||||||
|
option ra 'server'
|
||||||
|
option ra_slaac '1'
|
||||||
|
list ra_flags 'managed-config'
|
||||||
|
list ra_flags 'other-config'
|
||||||
|
|
||||||
config dhcp 'backoffice'
|
config dhcp 'backoffice'
|
||||||
option interface 'backoffice'
|
option interface 'backoffice'
|
||||||
option start '100'
|
option start '100'
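Review bot: The range comment `# to: 10.86.7.254` does not match `option start '2'` / `option limit '1020'`: counting 1020 addresses from 10.86.4.2 ends at 10.86.7.253, so either the comment should read `# to: 10.86.7.253` or the pool should be `option limit '1021'` (the interface is 10.86.4.1/22 in the network hunk, so .7.254 is still inside the subnet). Separately, this section enables `dhcpv6 'server'`, `ra 'server'` and the `managed-config`/`other-config` flags for clients, yet the clients interface added in the network hunk carries only an IPv4 address with no ip6assign/ip6addr as far as the hunk shows, so odhcpd has nothing to advertise; since the commit message calls v6 work in progress, either leave the v6 options out for now or mark them with `# TODO: no v6 prefix on clients yet; RA/DHCPv6 are inert until ip6assign is set` so the next reader does not take them as working. The file's remaining dhcp sections continue outside the hunk.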
|
||||||
|
|
|
@ -13,6 +13,13 @@ config zone
|
||||||
option output ACCEPT
|
option output ACCEPT
|
||||||
option forward REJECT
|
option forward REJECT
|
||||||
|
|
||||||
|
config zone
|
||||||
|
option name clients
|
||||||
|
list network clients
|
||||||
|
option input REJECT
|
||||||
|
option output ACCEPT
|
||||||
|
option forward REJECT
|
||||||
|
|
||||||
config zone
|
config zone
|
||||||
option name backoffice
|
option name backoffice
|
||||||
list network 'backoffice'
|
list network 'backoffice'
|
||||||
|
@ -20,6 +27,20 @@ config zone
|
||||||
option output ACCEPT
|
option output ACCEPT
|
||||||
option forward REJECT
|
option forward REJECT
|
||||||
|
|
||||||
|
config zone
|
||||||
|
option name launder
|
||||||
|
list network wg4
|
||||||
|
list network wg5
|
||||||
|
option input REJECT
|
||||||
|
option output ACCEPT
|
||||||
|
option forward REJECT
|
||||||
|
option masq 1
|
||||||
|
option mtu_fix 1
|
||||||
|
|
||||||
|
config forwarding
|
||||||
|
option src clients
|
||||||
|
option dest launder
|
||||||
|
|
||||||
config zone
|
config zone
|
||||||
option name backbone
|
option name backbone
|
||||||
list network wg3
|
list network wg3
|
||||||
|
@ -27,6 +48,21 @@ config zone
|
||||||
option output ACCEPT
|
option output ACCEPT
|
||||||
option forward REJECT
|
option forward REJECT
|
||||||
|
|
||||||
|
config rule
|
||||||
|
option name CLIENTS_Allow-DHCP
|
||||||
|
option src clients
|
||||||
|
option proto udp
|
||||||
|
option dest_port 67-68
|
||||||
|
option target ACCEPT
|
||||||
|
option family ipv4
|
||||||
|
|
||||||
|
config rule
|
||||||
|
option name CLIENTS_Allow-DNS
|
||||||
|
option src clients
|
||||||
|
option proto udp
|
||||||
|
option dest_port 53
|
||||||
|
option target ACCEPT
|
||||||
|
|
||||||
config rule
|
config rule
|
||||||
option name From-BACKBONE-Allow-OSPF
|
option name From-BACKBONE-Allow-OSPF
|
||||||
option src backbone
|
option src backbone
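Review bot: CLIENTS_Allow-DHCP is restricted to `option family ipv4` and CLIENTS_Allow-DNS to `proto udp`, while the clients zone is `option input REJECT`; unless something outside these hunks accepts it, nothing admits DHCPv6 (UDP 546→547) or ICMPv6 from clients, so the RA/DHCPv6 server enabled for clients in the dhcp hunk cannot be reached and a client that does get an IPv6 address cannot neighbour-discover the gateway. If v6 on clients is meant to come up, the rules below (in the hunk's unquoted style) are the minimum; if it is not, removing `managed-config`/`other-config` from the dhcp section is the cleaner fix. DNS over TCP from clients is rejected by the same input policy, which breaks truncated answers; `option proto 'tcp udp'` on CLIENTS_Allow-DNS covers it. The rule list continues outside the hunk (From-BACKBONE-Allow-OSPF starts at its end).
```uci
config rule
	option name CLIENTS_Allow-DHCPv6
	option src clients
	option proto udp
	option src_port 546
	option dest_port 547
	option family ipv6
	option target ACCEPT

config rule
	option name CLIENTS_Allow-ICMPv6
	option src clients
	option proto icmp
	list icmp_type router-solicitation
	list icmp_type neighbour-solicitation
	list icmp_type neighbour-advertisement
	option family ipv6
	option target ACCEPT
# … unchanged: CLIENTS_Allow-DHCP, CLIENTS_Allow-DNS, From-BACKBONE-Allow-OSPF …
```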
|
||||||
|
|
|
@ -71,6 +71,12 @@ config interface 'wan6'
|
||||||
option device 'switch.3'
|
option device 'switch.3'
|
||||||
option proto 'dhcpv6'
|
option proto 'dhcpv6'
|
||||||
|
|
||||||
|
config interface 'clients'
|
||||||
|
option device 'switch.2'
|
||||||
|
option proto 'static'
|
||||||
|
option ipaddr '10.86.4.1'
|
||||||
|
option netmask '255.255.252.0'
|
||||||
|
|
||||||
config interface 'backoffice'
|
config interface 'backoffice'
|
||||||
option device 'switch.8'
|
option device 'switch.8'
|
||||||
option proto 'static'
|
option proto 'static'
|
||||||
|
@ -93,3 +99,43 @@ config wireguard_wg3 'eap_adp_jump01'
|
||||||
option route_allowed_ips '0'
|
option route_allowed_ips '0'
|
||||||
option persistent_keepalive 15
|
option persistent_keepalive 15
|
||||||
list allowed_ips '0.0.0.0/0'
|
list allowed_ips '0.0.0.0/0'
|
||||||
|
|
||||||
|
config interface 'wg4'
|
||||||
|
option proto 'wireguard'
|
||||||
|
option private_key "{{ lookup('passwordstore', 'wg/wg4/sax-rgs-gw-core01') }}"
|
||||||
|
list addresses 'fe80:2131:27:189::2/64'
|
||||||
|
option disabled '0'
|
||||||
|
|
||||||
|
# routes 2a0e:8f02:f000:2e61::1/64 to the link-local of wg4
|
||||||
|
config wireguard_wg4 'core_mowoe_com'
|
||||||
|
option public_key "{{ lookup('passwordstore', 'wg/wg4/core.mowoe.com.pub') }}"
|
||||||
|
option endpoint_host 'core.mowoe.com'
|
||||||
|
option endpoint_port '51821'
|
||||||
|
option route_allowed_ips '0'
|
||||||
|
option persistent_keepalive 15
|
||||||
|
list allowed_ips '::/0'
|
||||||
|
|
||||||
|
config interface 'wg5'
|
||||||
|
option ip4table 'launder'
|
||||||
|
option proto 'wireguard'
|
||||||
|
option private_key "{{ lookup('passwordstore', 'wg/wg5/sax-rgs-gw-core01') }}"
|
||||||
|
list addresses '10.67.171.28'
|
||||||
|
option disabled '0'
|
||||||
|
|
||||||
|
config wireguard_wg5 'mullvad'
|
||||||
|
option public_key "{{ lookup('passwordstore', 'wg/wg5/mullvad.pub') }}"
|
||||||
|
option endpoint_host '146.70.117.162'
|
||||||
|
option endpoint_port '51820'
|
||||||
|
option route_allowed_ips '1'
|
||||||
|
option persistent_keepalive 15
|
||||||
|
list allowed_ips '0.0.0.0/0'
|
||||||
|
|
||||||
|
config rule
|
||||||
|
option in 'clients'
|
||||||
|
option lookup 'launder'
|
||||||
|
option priority 50
|
||||||
|
|
||||||
|
config rule
|
||||||
|
option in 'clients'
|
||||||
|
option action prohibit
|
||||||
|
option priority 51
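Review bot: The kill-switch pair at the end (`option lookup 'launder'` at priority 50, `option action prohibit` at 51) is declared with `config rule`, which netifd installs as an IPv4 policy rule only; there is no `config rule6` twin and wg4 has no `ip6table`, so client IPv6 traffic (once the RA/DHCPv6 server in the dhcp hunk hands out addresses) is routed by the main table and only the firewall's clients→launder forwarding keeps it off wan6. Adding the same two entries as `config rule6` makes the kill switch symmetric and fails closed for v6 until the mowoe tunnel is wired into the launder table. The comment `# routes 2a0e:8f02:f000:2e61::1/64 to the link-local of wg4` reads as a host address with a /64 — presumably the peer routes the whole 2a0e:8f02:f000:2e61::/64 here; say which. The wg3 peer stanza at the top of the hunk starts outside it.
```uci
config rule6
	option in 'clients'
	option lookup 'launder'
	option priority 50

config rule6
	option in 'clients'
	option action prohibit
	option priority 51
```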
|
||||||
|
|
|
@ -0,0 +1,13 @@
|
||||||
|
#
|
||||||
|
# reserved values
|
||||||
|
#
|
||||||
|
128 prelocal
|
||||||
|
255 local
|
||||||
|
254 main
|
||||||
|
253 default
|
||||||
|
0 unspec
|
||||||
|
20 launder
|
||||||
|
#
|
||||||
|
# local
|
||||||
|
#
|
||||||
|
#1 inr.ruhep
|