add ffl-ans-gw-core01
This commit is contained in:
parent
1579bbdd47
commit
4afda5bdd9
|
@ -32,7 +32,8 @@ ffl-ans-sw-access01 ip=10.85.1.12 base_mac=d8:ec:e5:9b:46:50
|
|||
ffl-ans-sw-access02 ip=10.85.1.13 base_mac=d8:ec:e5:9b:45:a0
|
||||
|
||||
[gateways]
|
||||
gw-core01 ip=10.84.1.1
|
||||
gw-core01 ip=10.84.1.1
|
||||
ffl-ans-gw-core01 ip=10.85.1.1
|
||||
|
||||
[gateways:vars]
|
||||
ansible_remote_tmp=/tmp
|
||||
|
|
|
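Review bot: The `[gateways]` group prints `gw-core01 ip=10.84.1.1` twice around the added `ffl-ans-gw-core01 ip=10.85.1.1`; if that is not just the rendering of an unchanged context line, the new side carries a duplicate host entry that should be collapsed to one. The hunk header counts (7 old, 8 new) admit exactly one added line, so please confirm on the raw diff that the only addition is the `ffl-ans-gw-core01` line and that the 10.85.1.1 address matches the gateway's mgmt interface in its network config. `ansible_remote_tmp=/tmp` under `[gateways:vars]` points Ansible at a world-writable directory; that is acceptable while the connection user is root on single-user OpenWrt devices, but a one-line comment above it stating that assumption (`; /tmp is tmpfs on OpenWrt and Ansible connects as root`) would stop it being copied to multi-user hosts.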
@ -0,0 +1,53 @@
|
|||
|
||||
config dnsmasq
|
||||
option domainneeded '1'
|
||||
option boguspriv '1'
|
||||
option filterwin2k '0'
|
||||
option localise_queries '1'
|
||||
option rebind_protection '0'
|
||||
option rebind_localhost '1'
|
||||
option local '/lan/'
|
||||
option domain 'lan'
|
||||
option expandhosts '1'
|
||||
option nonegcache '0'
|
||||
option authoritative '1'
|
||||
option readethers '1'
|
||||
option leasefile '/etc/dhcp.leases'
|
||||
option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
|
||||
option nonwildcard '1'
|
||||
option localservice '1'
|
||||
option ednspacket_max '1232'
|
||||
|
||||
config dhcp 'mgmt'
|
||||
option interface 'mgmt'
|
||||
option start '100'
|
||||
option limit '150'
|
||||
option leasetime '12h'
|
||||
option dhcpv4 'server'
|
||||
option dhcpv6 'server'
|
||||
option ra 'server'
|
||||
option ra_slaac '1'
|
||||
list ra_flags 'managed-config'
|
||||
list ra_flags 'other-config'
|
||||
|
||||
config dhcp 'backoffice'
|
||||
option interface 'backoffice'
|
||||
option start '100'
|
||||
option limit '150'
|
||||
option leasetime '12h'
|
||||
option dhcpv4 'server'
|
||||
option dhcpv6 'server'
|
||||
option ra 'server'
|
||||
option ra_slaac '1'
|
||||
list ra_flags 'managed-config'
|
||||
list ra_flags 'other-config'
|
||||
|
||||
config dhcp 'wan'
|
||||
option interface 'wan'
|
||||
option ignore '1'
|
||||
|
||||
config odhcpd 'odhcpd'
|
||||
option maindhcp '0'
|
||||
option leasefile '/tmp/hosts/odhcpd'
|
||||
option leasetrigger '/usr/sbin/odhcpd-update'
|
||||
option loglevel '4'
|
|
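Review bot: `option rebind_protection '0'` in the `config dnsmasq` section turns off dnsmasq's DNS-rebinding filter for every upstream answer, so a public name can be resolved to a private or loopback address for clients on the mgmt and backoffice networks. If the intent is to let one internal zone resolve to RFC 1918 addresses, keep `option rebind_protection '1'` and whitelist only that zone with `list rebind_domain '<internal-zone>'` (placeholder for the actual zone). If it genuinely has to stay off, a comment above the option explaining why is the minimum so the next reader does not "fix" it blindly.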
@ -0,0 +1,312 @@
|
|||
config defaults
|
||||
option syn_flood 1
|
||||
option input REJECT
|
||||
option output ACCEPT
|
||||
option forward REJECT
|
||||
# Uncomment this line to disable ipv6 rules
|
||||
# option disable_ipv6 1
|
||||
|
||||
config zone
|
||||
option name mgmt
|
||||
list network 'mgmt'
|
||||
option input ACCEPT
|
||||
option output ACCEPT
|
||||
option forward REJECT
|
||||
|
||||
config zone
|
||||
option name backoffice
|
||||
list network 'backoffice'
|
||||
option input REJECT
|
||||
option output ACCEPT
|
||||
option forward REJECT
|
||||
|
||||
config zone
|
||||
option name backbone
|
||||
list network wg2
|
||||
option input REJECT
|
||||
option output ACCEPT
|
||||
option forward REJECT
|
||||
|
||||
config zone
|
||||
option name wan
|
||||
list network 'wan'
|
||||
list network 'wan6'
|
||||
option input REJECT
|
||||
option output ACCEPT
|
||||
option forward REJECT
|
||||
option masq 1
|
||||
option mtu_fix 1
|
||||
|
||||
config forwarding
|
||||
option src mgmt
|
||||
option dest wan
|
||||
|
||||
config forwarding
|
||||
option src backoffice
|
||||
option dest wan
|
||||
|
||||
config rule
|
||||
option name From-BACKBONE-Allow-OSPF
|
||||
option src backbone
|
||||
option proto ospf
|
||||
option target ACCEPT
|
||||
|
||||
config rule
|
||||
option name From-Any-Allow-SSH
|
||||
option src *
|
||||
option proto tcp
|
||||
option dest_port 22
|
||||
option target ACCEPT
|
||||
|
||||
config rule
|
||||
option name Into-MGMT-Allow-SSH
|
||||
option src *
|
||||
option dest mgmt
|
||||
option proto tcp
|
||||
option dest_port 22
|
||||
option target ACCEPT
|
||||
|
||||
config rule
|
||||
option name Into-MGMT-Allow-ICMP
|
||||
option src *
|
||||
option dest mgmt
|
||||
option proto icmp
|
||||
option target ACCEPT
|
||||
|
||||
config rule
|
||||
option name Into-MGMT-Allow-Prometheus
|
||||
option src *
|
||||
option dest mgmt
|
||||
option proto tcp
|
||||
option dest_port 9100
|
||||
option target ACCEPT
|
||||
|
||||
config rule
|
||||
option name From-MGMT-Into-BACKBONE-Allow-Prometheus
|
||||
option src mgmt
|
||||
option dest backbone
|
||||
option proto tcp
|
||||
option dest_port 9100
|
||||
option target ACCEPT
|
||||
|
||||
config rule
|
||||
option name Into-MGMT-Allow-Prometheus-WebGUI-On-monitoring01
|
||||
option src *
|
||||
option dest mgmt
|
||||
option proto tcp
|
||||
option dest_ip 10.84.1.51
|
||||
option dest_port 9090
|
||||
option target ACCEPT
|
||||
|
||||
config rule
|
||||
option name Into-MGMT-Allow-Grafana-WebGUI-On-monitoring01
|
||||
option src *
|
||||
option dest mgmt
|
||||
option proto tcp
|
||||
option dest_ip 10.84.1.51
|
||||
option dest_port 3000
|
||||
option target ACCEPT
|
||||
|
||||
# We need to accept udp packets on port 68,
|
||||
# see https://dev.openwrt.org/ticket/4108
|
||||
config rule
|
||||
option name Allow-DHCP-Renew
|
||||
option src wan
|
||||
option proto udp
|
||||
option dest_port 68
|
||||
option target ACCEPT
|
||||
option family ipv4
|
||||
|
||||
# Allow IPv4 ping
|
||||
config rule
|
||||
option name Allow-Ping
|
||||
option src *
|
||||
option proto icmp
|
||||
option icmp_type echo-request
|
||||
option family ipv4
|
||||
option target ACCEPT
|
||||
|
||||
config rule
|
||||
option name Allow-IGMP
|
||||
option src wan
|
||||
option proto igmp
|
||||
option family ipv4
|
||||
option target ACCEPT
|
||||
|
||||
# Allow DHCPv6 replies
|
||||
# see https://dev.openwrt.org/ticket/10381
|
||||
config rule
|
||||
option name Allow-DHCPv6
|
||||
option src wan
|
||||
option proto udp
|
||||
option src_ip fc00::/6
|
||||
option dest_ip fc00::/6
|
||||
option dest_port 546
|
||||
option family ipv6
|
||||
option target ACCEPT
|
||||
|
||||
config rule
|
||||
option name Allow-MLD
|
||||
option src wan
|
||||
option proto icmp
|
||||
option src_ip fe80::/10
|
||||
list icmp_type '130/0'
|
||||
list icmp_type '131/0'
|
||||
list icmp_type '132/0'
|
||||
list icmp_type '143/0'
|
||||
option family ipv6
|
||||
option target ACCEPT
|
||||
|
||||
# Allow essential incoming IPv6 ICMP traffic
|
||||
config rule
|
||||
option name Allow-ICMPv6-Input
|
||||
option src wan
|
||||
option proto icmp
|
||||
list icmp_type echo-request
|
||||
list icmp_type echo-reply
|
||||
list icmp_type destination-unreachable
|
||||
list icmp_type packet-too-big
|
||||
list icmp_type time-exceeded
|
||||
list icmp_type bad-header
|
||||
list icmp_type unknown-header-type
|
||||
list icmp_type router-solicitation
|
||||
list icmp_type neighbour-solicitation
|
||||
list icmp_type router-advertisement
|
||||
list icmp_type neighbour-advertisement
|
||||
option limit 1000/sec
|
||||
option family ipv6
|
||||
option target ACCEPT
|
||||
|
||||
# Allow essential forwarded IPv6 ICMP traffic
|
||||
config rule
|
||||
option name Allow-ICMPv6-Forward
|
||||
option src wan
|
||||
option dest *
|
||||
option proto icmp
|
||||
list icmp_type echo-request
|
||||
list icmp_type echo-reply
|
||||
list icmp_type destination-unreachable
|
||||
list icmp_type packet-too-big
|
||||
list icmp_type time-exceeded
|
||||
list icmp_type bad-header
|
||||
list icmp_type unknown-header-type
|
||||
option limit 1000/sec
|
||||
option family ipv6
|
||||
option target ACCEPT
|
||||
|
||||
config rule
|
||||
option name Allow-IPSec-ESP
|
||||
option src wan
|
||||
option dest backoffice
|
||||
option proto esp
|
||||
option target ACCEPT
|
||||
|
||||
config rule
|
||||
option name Allow-ISAKMP
|
||||
option src wan
|
||||
option dest backoffice
|
||||
option dest_port 500
|
||||
option proto udp
|
||||
option target ACCEPT
|
||||
|
||||
config rule
|
||||
option name WAN_Allow-SSH
|
||||
option src wan
|
||||
option dest_port 22
|
||||
option proto tcp
|
||||
option target ACCEPT
|
||||
|
||||
# allow interoperability with traceroute classic
|
||||
# note that traceroute uses a fixed port range, and depends on getting
|
||||
# back ICMP Unreachables. if we're operating in DROP mode, it won't
|
||||
# work so we explicitly REJECT packets on these ports.
|
||||
config rule
|
||||
option name Support-UDP-Traceroute
|
||||
option src wan
|
||||
option dest_port 33434:33689
|
||||
option proto udp
|
||||
option family ipv4
|
||||
option target REJECT
|
||||
option enabled false
|
||||
|
||||
config rule
|
||||
option name BACKOFFICE_Allow-DHCP
|
||||
option src backoffice
|
||||
option proto udp
|
||||
option dest_port 67-68
|
||||
option target ACCEPT
|
||||
option family ipv4
|
||||
|
||||
config rule
|
||||
option name BACKOFFICE_Allow-DNS
|
||||
option src backoffice
|
||||
option proto udp
|
||||
option dest_port 53
|
||||
option target ACCEPT
|
||||
option family ipv4
|
||||
|
||||
|
||||
# include a file with users custom iptables rules
|
||||
config include
|
||||
option path /etc/firewall.user
|
||||
|
||||
|
||||
### EXAMPLE CONFIG SECTIONS
|
||||
# do not allow a specific ip to access wan
|
||||
#config rule
|
||||
# option src mgmt
|
||||
# option src_ip 192.168.45.2
|
||||
# option dest wan
|
||||
# option proto tcp
|
||||
# option target REJECT
|
||||
|
||||
# block a specific mac on wan
|
||||
#config rule
|
||||
# option dest wan
|
||||
# option src_mac 00:11:22:33:44:66
|
||||
# option target REJECT
|
||||
|
||||
# block incoming ICMP traffic on a zone
|
||||
#config rule
|
||||
# option src mgmt
|
||||
# option proto ICMP
|
||||
# option target DROP
|
||||
|
||||
# port redirect port coming in on wan to lan
|
||||
#config redirect
|
||||
# option src wan
|
||||
# option src_dport 80
|
||||
# option dest lan
|
||||
# option dest_ip 192.168.16.235
|
||||
# option dest_port 80
|
||||
# option proto tcp
|
||||
|
||||
# port redirect of remapped ssh port (22001) on wan
|
||||
#config redirect
|
||||
# option src wan
|
||||
# option src_dport 22001
|
||||
# option dest lan
|
||||
# option dest_port 22
|
||||
# option proto tcp
|
||||
|
||||
### FULL CONFIG SECTIONS
|
||||
#config rule
|
||||
# option src lan
|
||||
# option src_ip 192.168.45.2
|
||||
# option src_mac 00:11:22:33:44:55
|
||||
# option src_port 80
|
||||
# option dest wan
|
||||
# option dest_ip 194.25.2.129
|
||||
# option dest_port 120
|
||||
# option proto tcp
|
||||
# option target REJECT
|
||||
|
||||
#config redirect
|
||||
# option src lan
|
||||
# option src_ip 192.168.45.2
|
||||
# option src_mac 00:11:22:33:44:55
|
||||
# option src_port 1024
|
||||
# option src_dport 80
|
||||
# option dest_ip 194.25.2.129
|
||||
# option dest_port 120
|
||||
# option proto tcp
|
|
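Review bot: SSH to the gateway is accepted from every zone, wan included: `From-Any-Allow-SSH` has `option src *` with `option dest_port 22`, `WAN_Allow-SSH` repeats the same accept for wan only, and `Into-MGMT-Allow-SSH` additionally forwards port 22 from `*` into the mgmt zone. Since the wan zone's input policy is REJECT these three rules are the only thing exposing SSH, so restricting them to the zones that actually administer the box (`option src backbone`, or an explicit `list src_ip` of admin networks) and dropping the redundant wan rule shrinks the exposed surface without changing internal access. The two monitoring rules with `option dest_ip 10.84.1.51` are paired with `option dest mgmt`, yet this device's mgmt interface is 10.85.1.1/24 in the network config, so they appear copied from the 10.84 gateway and likely never match here — confirm they are intended. On an fw4-based image the `config include` with `option path /etc/firewall.user` and no `option type` is a legacy script include that fw4 skips with a warning unless it is marked compatible; confirm which firewall implementation the target build runs and either convert or remove it.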
@ -0,0 +1,68 @@
|
|||
|
||||
config interface 'loopback'
|
||||
option device 'lo'
|
||||
option proto 'static'
|
||||
option ipaddr '127.0.0.1'
|
||||
option netmask '255.0.0.0'
|
||||
|
||||
config globals 'globals'
|
||||
option packet_steering '1'
|
||||
option ula_prefix 'fd36:4280:eae3::/48'
|
||||
|
||||
config device 'switch'
|
||||
option name 'switch'
|
||||
option type 'bridge'
|
||||
option vlan_filtering 1
|
||||
list ports 'eth0'
|
||||
list ports 'eth1'
|
||||
list ports 'eth2'
|
||||
list ports 'eth3'
|
||||
|
||||
config bridge-vlan 'mgmt_vlan'
|
||||
option vlan '1'
|
||||
option device 'switch'
|
||||
list ports 'eth1:u*'
|
||||
list ports 'eth2:u*'
|
||||
list ports 'eth3:u*'
|
||||
|
||||
config bridge-vlan 'clients_vlan'
|
||||
option vlan '2'
|
||||
option device 'switch'
|
||||
list ports 'eth1:t'
|
||||
list ports 'eth2:t'
|
||||
list ports 'eth3:t'
|
||||
|
||||
config bridge-vlan 'wan_vlan'
|
||||
option vlan '3'
|
||||
option device 'switch'
|
||||
list ports 'eth0:u*'
|
||||
list ports 'eth1:t'
|
||||
list ports 'eth2:t'
|
||||
list ports 'eth3:t'
|
||||
|
||||
config bridge-vlan 'backoffice_vlan'
|
||||
option vlan '8'
|
||||
option device 'switch'
|
||||
list ports 'eth1:t'
|
||||
list ports 'eth2:t'
|
||||
list ports 'eth3:t'
|
||||
|
||||
config interface 'mgmt'
|
||||
option device 'switch.1'
|
||||
option proto 'static'
|
||||
option ipaddr '10.85.1.1'
|
||||
option netmask '255.255.255.0'
|
||||
|
||||
config interface 'wan'
|
||||
option device 'switch.3'
|
||||
option proto 'dhcp'
|
||||
|
||||
config interface 'wan6'
|
||||
option device 'switch.3'
|
||||
option proto 'dhcpv6'
|
||||
|
||||
config interface 'backoffice'
|
||||
option device 'switch.8'
|
||||
option proto 'static'
|
||||
option ipaddr '10.85.8.1'
|
||||
option netmask '255.255.255.0'
|
|
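Review bot: VLAN 1 (`mgmt_vlan`) is the untagged PVID on all three internal ports (`eth1:u*`, `eth2:u*`, `eth3:u*`), so any device connected to those ports without a VLAN tag lands directly in the management network, whose firewall zone accepts input. If the devices behind eth1–eth3 are trusted trunk peers, carrying mgmt tagged (`list ports 'eth1:t'` and likewise for eth2/eth3) and leaving the untagged PVID on an unused quarantine VLAN keeps an unauthenticated cable from reaching management. `wan_vlan` (VLAN 3) is also trunked tagged on eth1–eth3 next to `eth0:u*`; please add a comment stating why the upstream VLAN must reach the internal trunk ports, because a misconfigured downstream port would bridge the WAN segment inside.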
@ -0,0 +1,4 @@
|
|||
config prometheus-node-exporter-lua 'main'
|
||||
option listen_interface 'mgmt'
|
||||
option listen_ipv6 '0'
|
||||
option listen_port '9100'
|
|
@ -0,0 +1,16 @@
|
|||
|
||||
config system
|
||||
option hostname '{{ inventory_hostname }}'
|
||||
option timezone 'CET-1CEST,M3.5.0,M10.5.0/3' # Europe/Berlin
|
||||
option ttylogin '0'
|
||||
option log_size '64'
|
||||
option urandom_seed '0'
|
||||
option compat_version '1.1'
|
||||
|
||||
config timeserver 'ntp'
|
||||
option enabled '1'
|
||||
option enable_server '0'
|
||||
list server '0.openwrt.pool.ntp.org'
|
||||
list server '1.openwrt.pool.ntp.org'
|
||||
list server '2.openwrt.pool.ntp.org'
|
||||
list server '3.openwrt.pool.ntp.org'
|
|
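Review bot: `option timezone 'CET-1CEST,M3.5.0,M10.5.0/3' # Europe/Berlin` carries a trailing comment on an option line; UCI only recognises `#` comments at the start of a line, so the trailing text is either rejected as extra arguments or silently dropped depending on parser strictness — move it onto its own line above the option (`# Europe/Berlin`). `option urandom_seed '0'` appears to disable the persisted urandom seed, leaving boot-time entropy to whatever hardware RNG the device has; if that is deliberate, a comment saying so (`# no seed file: device has a hardware RNG`) would make it reviewable rather than look like a default left in place.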
@ -0,0 +1,54 @@
|
|||
# The staticd,watchfrr and zebra daemons are always started.
|
||||
#
|
||||
bgpd=no
|
||||
ospfd=yes
|
||||
#ospfd_instances=1,20
|
||||
ospf6d=no
|
||||
ripd=no
|
||||
ripngd=no
|
||||
isisd=no
|
||||
pimd=no
|
||||
ldpd=no
|
||||
nhrpd=no
|
||||
eigrpd=no
|
||||
babeld=no
|
||||
sharpd=no
|
||||
pbrd=no
|
||||
bfdd=no
|
||||
fabricd=no
|
||||
vrrpd=no
|
||||
|
||||
#
|
||||
# If this option is set the /etc/init.d/frr script automatically loads
|
||||
# the config via "vtysh -b" when the servers are started.
|
||||
# Check /etc/pam.d/frr if you intend to use "vtysh"!
|
||||
#
|
||||
vtysh_enable=yes
|
||||
zebra_options=" -A 127.0.0.1 -s 90000000"
|
||||
bgpd_options=" -A 127.0.0.1"
|
||||
ospfd_options=" -A 127.0.0.1"
|
||||
ospf6d_options=" -A ::1"
|
||||
ripd_options=" -A 127.0.0.1"
|
||||
ripngd_options=" -A ::1"
|
||||
isisd_options=" -A 127.0.0.1"
|
||||
pimd_options=" -A 127.0.0.1"
|
||||
ldpd_options=" -A 127.0.0.1"
|
||||
nhrpd_options=" -A 127.0.0.1"
|
||||
eigrpd_options=" -A 127.0.0.1"
|
||||
babeld_options=" -A 127.0.0.1"
|
||||
sharpd_options=" -A 127.0.0.1"
|
||||
pbrd_options=" -A 127.0.0.1"
|
||||
staticd_options="-A 127.0.0.1"
|
||||
bfdd_options=" -A 127.0.0.1"
|
||||
fabricd_options="-A 127.0.0.1"
|
||||
vrrpd_options=" -A 127.0.0.1"
|
||||
|
||||
# The list of daemons to watch is automatically generated by the init script.
|
||||
#watchfrr_options=""
|
||||
|
||||
# for debugging purposes, you can specify a "wrap" command to start instead
|
||||
# of starting the daemon directly, e.g. to use valgrind on ospfd:
|
||||
# ospfd_wrap="/usr/bin/valgrind"
|
||||
# or you can use "all_wrap" for all daemons, e.g. to use perf record:
|
||||
# all_wrap="/usr/bin/perf record --call-graph -"
|
||||
# the normal daemon command is added to this at the end.
|
|
@ -0,0 +1,16 @@
|
|||
password zebra
|
||||
!
|
||||
router ospf
|
||||
redistribute connected
|
||||
!
|
||||
log syslog
|
||||
!
|
||||
interface wg2
|
||||
ip ospf area 0
|
||||
ip ospf network point-to-point
|
||||
!
|
||||
access-list vty permit 127.0.0.0/8
|
||||
access-list vty deny any
|
||||
!
|
||||
line vty
|
||||
access-class vty
|
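Review bot: `password zebra` hard-codes the stock FRR VTY password in a file committed to the repository; even with `access-list vty permit 127.0.0.0/8` and the daemons bound to `-A 127.0.0.1` in the daemons file, it is a well-known shared credential for anything running locally on the box. Replace it with a templated value from an Ansible vault variable (constructed example: `password {{ frr_vty_password }}`) or drop the `password` line and rely on `vtysh` socket access, which `vtysh_enable=yes` already provides. The OSPF adjacency on `wg2` runs without `ip ospf authentication`; if wg2 is a WireGuard tunnel the transport is already authenticated, but a comment stating that reliance would make the omission deliberate rather than accidental.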