add ffl-ans-gw-core01

2022-11-10 01:57:56 +01:00 · 2022-11-10 01:57:56 +01:00 · 4afda5bdd9
parent 1579bbdd47
commit 4afda5bdd9
8 changed files with 525 additions and 1 deletions
--- a/3
+++ b/3
@ -32,7 +32,8 @@ ffl-ans-sw-access01       ip=10.85.1.12 base_mac=d8:ec:e5:9b:46:50
 ffl-ans-sw-access02       ip=10.85.1.13 base_mac=d8:ec:e5:9b:45:a0

 [gateways]
-gw-core01 ip=10.84.1.1
+gw-core01         ip=10.84.1.1
+ffl-ans-gw-core01 ip=10.85.1.1

 [gateways:vars]
 ansible_remote_tmp=/tmp
--- a/templates/gateways/ffl-ans-gw-core01/etc/config/dhcp
+++ b/templates/gateways/ffl-ans-gw-core01/etc/config/dhcp
@ -0,0 +1,53 @@
+
+config dnsmasq
+	option domainneeded '1'
+	option boguspriv '1'
+	option filterwin2k '0'
+	option localise_queries '1'
+	option rebind_protection '0'
+	option rebind_localhost '1'
+	option local '/lan/'
+	option domain 'lan'
+	option expandhosts '1'
+	option nonegcache '0'
+	option authoritative '1'
+	option readethers '1'
+	option leasefile '/etc/dhcp.leases'
+	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
+	option nonwildcard '1'
+	option localservice '1'
+	option ednspacket_max '1232'
+
+config dhcp 'mgmt'
+	option interface 'mgmt'
+	option start '100'
+	option limit '150'
+	option leasetime '12h'
+	option dhcpv4 'server'
+	option dhcpv6 'server'
+	option ra 'server'
+	option ra_slaac '1'
+	list ra_flags 'managed-config'
+	list ra_flags 'other-config'
+
+config dhcp 'backoffice'
+	option interface 'backoffice'
+	option start '100'
+	option limit '150'
+	option leasetime '12h'
+	option dhcpv4 'server'
+	option dhcpv6 'server'
+	option ra 'server'
+	option ra_slaac '1'
+	list ra_flags 'managed-config'
+	list ra_flags 'other-config'
+
+config dhcp 'wan'
+	option interface 'wan'
+	option ignore '1'
+
+config odhcpd 'odhcpd'
+	option maindhcp '0'
+	option leasefile '/tmp/hosts/odhcpd'
+	option leasetrigger '/usr/sbin/odhcpd-update'
+	option loglevel '4'
--- a/templates/gateways/ffl-ans-gw-core01/etc/config/firewall
+++ b/templates/gateways/ffl-ans-gw-core01/etc/config/firewall
@ -0,0 +1,312 @@
+config defaults
+	option syn_flood	1
+	option input		REJECT
+	option output		ACCEPT
+	option forward		REJECT
+# Uncomment this line to disable ipv6 rules
+#	option disable_ipv6	1
+
+config zone
+	option name		mgmt
+	list   network		'mgmt'
+	option input		ACCEPT
+	option output		ACCEPT
+	option forward		REJECT
+
+config zone
+	option name		backoffice
+	list   network		'backoffice'
+	option input		REJECT
+	option output		ACCEPT
+	option forward		REJECT
+
+config zone
+	option name		backbone
+	list network		wg2
+	option input		REJECT
+	option output 		ACCEPT
+	option forward		REJECT
+
+config zone
+	option name		wan
+	list   network		'wan'
+	list   network		'wan6'
+	option input		REJECT
+	option output		ACCEPT
+	option forward		REJECT
+	option masq		1
+	option mtu_fix		1
+
+config forwarding
+	option src		mgmt
+	option dest		wan
+
+config forwarding
+	option src		backoffice
+	option dest		wan
+
+config rule
+	option name		From-BACKBONE-Allow-OSPF
+	option src		backbone
+	option proto		ospf
+	option target		ACCEPT
+
+config rule
+	option name		From-Any-Allow-SSH
+	option src		*
+	option proto		tcp
+	option dest_port	22
+	option target		ACCEPT
+
+config rule
+	option name		Into-MGMT-Allow-SSH
+	option src		*
+	option dest		mgmt
+	option proto		tcp
+	option dest_port	22
+	option target		ACCEPT
+
+config rule
+	option name		Into-MGMT-Allow-ICMP
+	option src		*
+	option dest		mgmt
+	option proto		icmp
+	option target		ACCEPT
+
+config rule
+	option name		Into-MGMT-Allow-Prometheus
+	option src		*
+	option dest		mgmt
+	option proto		tcp
+	option dest_port	9100
+	option target		ACCEPT
+
+config rule
+	option name		From-MGMT-Into-BACKBONE-Allow-Prometheus
+	option src		mgmt
+	option dest		backbone
+	option proto		tcp
+	option dest_port	9100
+	option target		ACCEPT
+
+config rule
+	option name		Into-MGMT-Allow-Prometheus-WebGUI-On-monitoring01
+	option src		*
+	option dest		mgmt
+	option proto		tcp
+	option dest_ip		10.84.1.51
+	option dest_port	9090
+	option target		ACCEPT
+
+config rule
+	option name		Into-MGMT-Allow-Grafana-WebGUI-On-monitoring01
+	option src		*
+	option dest		mgmt
+	option proto		tcp
+	option dest_ip		10.84.1.51
+	option dest_port	3000
+	option target		ACCEPT
+
+# We need to accept udp packets on port 68,
+# see https://dev.openwrt.org/ticket/4108
+config rule
+	option name		Allow-DHCP-Renew
+	option src		wan
+	option proto		udp
+	option dest_port	68
+	option target		ACCEPT
+	option family		ipv4
+
+# Allow IPv4 ping
+config rule
+	option name		Allow-Ping
+	option src		*
+	option proto		icmp
+	option icmp_type	echo-request
+	option family		ipv4
+	option target		ACCEPT
+
+config rule
+	option name		Allow-IGMP
+	option src		wan
+	option proto		igmp
+	option family		ipv4
+	option target		ACCEPT
+
+# Allow DHCPv6 replies
+# see https://dev.openwrt.org/ticket/10381
+config rule
+	option name		Allow-DHCPv6
+	option src		wan
+	option proto		udp
+	option src_ip		fc00::/6
+	option dest_ip		fc00::/6
+	option dest_port	546
+	option family		ipv6
+	option target		ACCEPT
+
+config rule
+	option name		Allow-MLD
+	option src		wan
+	option proto		icmp
+	option src_ip		fe80::/10
+	list icmp_type		'130/0'
+	list icmp_type		'131/0'
+	list icmp_type		'132/0'
+	list icmp_type		'143/0'
+	option family		ipv6
+	option target		ACCEPT
+
+# Allow essential incoming IPv6 ICMP traffic
+config rule
+	option name		Allow-ICMPv6-Input
+	option src		wan
+	option proto	icmp
+	list icmp_type		echo-request
+	list icmp_type		echo-reply
+	list icmp_type		destination-unreachable
+	list icmp_type		packet-too-big
+	list icmp_type		time-exceeded
+	list icmp_type		bad-header
+	list icmp_type		unknown-header-type
+	list icmp_type		router-solicitation
+	list icmp_type		neighbour-solicitation
+	list icmp_type		router-advertisement
+	list icmp_type		neighbour-advertisement
+	option limit		1000/sec
+	option family		ipv6
+	option target		ACCEPT
+
+# Allow essential forwarded IPv6 ICMP traffic
+config rule
+	option name		Allow-ICMPv6-Forward
+	option src		wan
+	option dest		*
+	option proto		icmp
+	list icmp_type		echo-request
+	list icmp_type		echo-reply
+	list icmp_type		destination-unreachable
+	list icmp_type		packet-too-big
+	list icmp_type		time-exceeded
+	list icmp_type		bad-header
+	list icmp_type		unknown-header-type
+	option limit		1000/sec
+	option family		ipv6
+	option target		ACCEPT
+
+config rule
+	option name		Allow-IPSec-ESP
+	option src		wan
+	option dest		backoffice
+	option proto		esp
+	option target		ACCEPT
+
+config rule
+	option name		Allow-ISAKMP
+	option src		wan
+	option dest		backoffice
+	option dest_port	500
+	option proto		udp
+	option target		ACCEPT
+
+config rule
+	option name		WAN_Allow-SSH
+	option src		wan
+	option dest_port	22
+	option proto		tcp
+	option target		ACCEPT
+
+# allow interoperability with traceroute classic
+# note that traceroute uses a fixed port range, and depends on getting
+# back ICMP Unreachables.  if we're operating in DROP mode, it won't
+# work so we explicitly REJECT packets on these ports.
+config rule
+	option name		Support-UDP-Traceroute
+	option src		wan
+	option dest_port	33434:33689
+	option proto		udp
+	option family		ipv4
+	option target		REJECT
+	option enabled		false
+
+config rule
+	option name		BACKOFFICE_Allow-DHCP
+	option src		backoffice
+	option proto		udp
+	option dest_port	67-68
+	option target		ACCEPT
+	option family		ipv4
+
+config rule
+	option name		BACKOFFICE_Allow-DNS
+	option src		backoffice
+	option proto		udp
+	option dest_port	53
+	option target		ACCEPT
+	option family		ipv4
+
+
+# include a file with users custom iptables rules
+config include
+	option path /etc/firewall.user
+
+
+### EXAMPLE CONFIG SECTIONS
+# do not allow a specific ip to access wan
+#config rule
+#	option src		mgmt
+#	option src_ip	192.168.45.2
+#	option dest		wan
+#	option proto	tcp
+#	option target	REJECT
+
+# block a specific mac on wan
+#config rule
+#	option dest		wan
+#	option src_mac	00:11:22:33:44:66
+#	option target	REJECT
+
+# block incoming ICMP traffic on a zone
+#config rule
+#	option src		mgmt
+#	option proto	ICMP
+#	option target	DROP
+
+# port redirect port coming in on wan to lan
+#config redirect
+#	option src			wan
+#	option src_dport	80
+#	option dest			lan
+#	option dest_ip		192.168.16.235
+#	option dest_port	80
+#	option proto		tcp
+
+# port redirect of remapped ssh port (22001) on wan
+#config redirect
+#	option src		wan
+#	option src_dport	22001
+#	option dest		lan
+#	option dest_port	22
+#	option proto		tcp
+
+### FULL CONFIG SECTIONS
+#config rule
+#	option src		lan
+#	option src_ip	192.168.45.2
+#	option src_mac	00:11:22:33:44:55
+#	option src_port	80
+#	option dest		wan
+#	option dest_ip	194.25.2.129
+#	option dest_port	120
+#	option proto	tcp
+#	option target	REJECT
+
+#config redirect
+#	option src		lan
+#	option src_ip	192.168.45.2
+#	option src_mac	00:11:22:33:44:55
+#	option src_port		1024
+#	option src_dport	80
+#	option dest_ip	194.25.2.129
+#	option dest_port	120
+#	option proto	tcp
--- a/templates/gateways/ffl-ans-gw-core01/etc/config/network
+++ b/templates/gateways/ffl-ans-gw-core01/etc/config/network
@ -0,0 +1,68 @@
+
+config interface 'loopback'
+        option device 'lo'
+        option proto 'static'
+        option ipaddr '127.0.0.1'
+        option netmask '255.0.0.0'
+
+config globals 'globals'
+        option packet_steering '1'
+        option ula_prefix 'fd36:4280:eae3::/48'
+
+config device 'switch'
+        option name 'switch'
+        option type 'bridge'
+        option vlan_filtering 1
+        list ports 'eth0'
+        list ports 'eth1'
+        list ports 'eth2'
+        list ports 'eth3'
+
+config bridge-vlan 'mgmt_vlan'
+        option vlan '1'
+        option device 'switch'
+        list ports 'eth1:u*'
+        list ports 'eth2:u*'
+        list ports 'eth3:u*'
+
+config bridge-vlan 'clients_vlan'
+        option vlan '2'
+        option device 'switch'
+        list ports 'eth1:t'
+        list ports 'eth2:t'
+        list ports 'eth3:t'
+
+config bridge-vlan 'wan_vlan'
+        option vlan '3'
+        option device 'switch'
+        list ports 'eth0:u*'
+        list ports 'eth1:t'
+        list ports 'eth2:t'
+        list ports 'eth3:t'
+
+config bridge-vlan 'backoffice_vlan'
+        option vlan '8'
+        option device 'switch'
+        list ports 'eth1:t'
+        list ports 'eth2:t'
+        list ports 'eth3:t'
+
+config interface 'mgmt'
+        option device 'switch.1'
+        option proto 'static'
+        option ipaddr '10.85.1.1'
+        option netmask '255.255.255.0'
+
+config interface 'wan'
+        option device 'switch.3'
+        option proto 'dhcp'
+
+config interface 'wan6'
+        option device 'switch.3'
+        option proto 'dhcpv6'
+
+config interface 'backoffice'
+        option device 'switch.8'
+        option proto 'static'
+        option ipaddr '10.85.8.1'
+        option netmask '255.255.255.0'
--- a/templates/gateways/ffl-ans-gw-core01/etc/config/prometheus-node-exporter-lua
+++ b/templates/gateways/ffl-ans-gw-core01/etc/config/prometheus-node-exporter-lua
@ -0,0 +1,4 @@
+config prometheus-node-exporter-lua 'main'
+	option listen_interface 'mgmt'
+	option listen_ipv6 '0'
+	option listen_port '9100'
--- a/templates/gateways/ffl-ans-gw-core01/etc/config/system
+++ b/templates/gateways/ffl-ans-gw-core01/etc/config/system
@ -0,0 +1,16 @@
+
+config system
+	option hostname '{{ inventory_hostname }}'
+	option timezone 'CET-1CEST,M3.5.0,M10.5.0/3' # Europe/Berlin
+	option ttylogin '0'
+	option log_size '64'
+	option urandom_seed '0'
+	option compat_version '1.1'
+
+config timeserver 'ntp'
+	option enabled '1'
+	option enable_server '0'
+	list server '0.openwrt.pool.ntp.org'
+	list server '1.openwrt.pool.ntp.org'
+	list server '2.openwrt.pool.ntp.org'
+	list server '3.openwrt.pool.ntp.org'
--- a/templates/gateways/ffl-ans-gw-core01/etc/frr/daemons
+++ b/templates/gateways/ffl-ans-gw-core01/etc/frr/daemons
@ -0,0 +1,54 @@
+# The staticd,watchfrr and zebra daemons are always started.
+#
+bgpd=no
+ospfd=yes
+#ospfd_instances=1,20
+ospf6d=no
+ripd=no
+ripngd=no
+isisd=no
+pimd=no
+ldpd=no
+nhrpd=no
+eigrpd=no
+babeld=no
+sharpd=no
+pbrd=no
+bfdd=no
+fabricd=no
+vrrpd=no
+
+#
+# If this option is set the /etc/init.d/frr script automatically loads
+# the config via "vtysh -b" when the servers are started.
+# Check /etc/pam.d/frr if you intend to use "vtysh"!
+#
+vtysh_enable=yes
+zebra_options="  -A 127.0.0.1 -s 90000000"
+bgpd_options="   -A 127.0.0.1"
+ospfd_options="  -A 127.0.0.1"
+ospf6d_options=" -A ::1"
+ripd_options="   -A 127.0.0.1"
+ripngd_options=" -A ::1"
+isisd_options="  -A 127.0.0.1"
+pimd_options="   -A 127.0.0.1"
+ldpd_options="   -A 127.0.0.1"
+nhrpd_options="  -A 127.0.0.1"
+eigrpd_options=" -A 127.0.0.1"
+babeld_options=" -A 127.0.0.1"
+sharpd_options=" -A 127.0.0.1"
+pbrd_options="   -A 127.0.0.1"
+staticd_options="-A 127.0.0.1"
+bfdd_options="   -A 127.0.0.1"
+fabricd_options="-A 127.0.0.1"
+vrrpd_options="  -A 127.0.0.1"
+
+# The list of daemons to watch is automatically generated by the init script.
+#watchfrr_options=""
+
+# for debugging purposes, you can specify a "wrap" command to start instead
+# of starting the daemon directly, e.g. to use valgrind on ospfd:
+#   ospfd_wrap="/usr/bin/valgrind"
+# or you can use "all_wrap" for all daemons, e.g. to use perf record:
+#   all_wrap="/usr/bin/perf record --call-graph -"
+# the normal daemon command is added to this at the end.
--- a/templates/gateways/ffl-ans-gw-core01/etc/frr/frr.conf
+++ b/templates/gateways/ffl-ans-gw-core01/etc/frr/frr.conf
@ -0,0 +1,16 @@
+password zebra
+!
+router ospf
+  redistribute connected
+!
+log syslog
+!
+interface wg2
+  ip ospf area 0
+  ip ospf network point-to-point
+!
+access-list vty permit 127.0.0.0/8
+access-list vty deny any
+!
+line vty
+ access-class vty