sax-rgs-gw-core01: configure backbone

2023-01-10 01:46:55 +01:00 · 2023-01-10 01:46:55 +01:00 · 77454046b8
parent a837a2b916
commit 77454046b8
3 changed files with 46 additions and 10 deletions
--- a/templates/gateways/sax-rgs-gw-core01/etc/config/firewall
+++ b/templates/gateways/sax-rgs-gw-core01/etc/config/firewall
@ -20,6 +20,34 @@ config zone
 	option output		ACCEPT
 	option forward		REJECT

+config zone
+	option name		backbone
+	list network		wg3
+	option input		REJECT
+	option output 		ACCEPT
+	option forward		REJECT
+
+config rule
+	option name		From-BACKBONE-Allow-OSPF
+	option src		backbone
+	option proto		ospf
+	option target		ACCEPT
+
+config rule
+	option name		From-BACKBONE-Allow-Prometheus
+	option src		backbone
+	option proto		tcp
+	option dest_port	9100
+	option target		ACCEPT
+
+config rule
+	option name		From-BACKBONE-Into-MGMT-Allow-SNMP
+	option src		backbone
+	option dest		mgmt
+	option proto		udp
+	option dest_port	161
+	option target		ACCEPT
+
 config rule
 	option name		From-Any-Allow-SSH
 	option src		*
@ -50,6 +78,14 @@ config rule
 	option dest_port	9100
 	option target		ACCEPT

+config rule
+	option name		From-MGMT-Into-BACKBONE-Allow-Prometheus
+	option src		mgmt
+	option dest		backbone
+	option proto		tcp
+	option dest_port	9100
+	option target		ACCEPT
+
 config rule
 	option name		Into-MGMT-Allow-Prometheus-WebGUI-On-monitoring01
 	option src		*
--- a/templates/gateways/sax-rgs-gw-core01/etc/config/network
+++ b/templates/gateways/sax-rgs-gw-core01/etc/config/network
@ -79,19 +79,19 @@ config interface 'backoffice'
        option ipaddr '10.86.8.1'
        option netmask '255.255.255.0'

-config interface 'wg0'
+config interface 'wg3'
        option proto 'wireguard'
-        option private_key "{{ lookup('passwordstore', 'wg/wg0/gw-core01') }}"
-        option listen_port 51820
+        option private_key "{{ lookup('passwordstore', 'wg/wg3/sax-rgs-gw-core01') }}"
+        option listen_port 51823
        option mtu 1350
-        list addresses '10.84.254.1/31'
-	option disabled '1'
+        list addresses '10.86.254.1/31'
+	option disabled '0'

-config wireguard_wg0 'eap_adp_jump01'
-        option public_key "{{ lookup('passwordstore', 'wg/wg0/eae-adp-jump01.pub') }}"
-        option preshared_key "{{ lookup('passwordstore', 'wg/wg0/psk') }}"
+config wireguard_wg3 'eap_adp_jump01'
+        option public_key "{{ lookup('passwordstore', 'wg/wg3/eae-adp-jump01.pub') }}"
+        option preshared_key "{{ lookup('passwordstore', 'wg/wg3/psk') }}"
        option endpoint_host '162.55.53.85'
-        option endpoint_port '51820'
+        option endpoint_port '51823'
        option route_allowed_ips '0'
        option persistent_keepalive 15
        list allowed_ips '0.0.0.0/0'
--- a/templates/gateways/sax-rgs-gw-core01/etc/frr/frr.conf
+++ b/templates/gateways/sax-rgs-gw-core01/etc/frr/frr.conf
@ -5,7 +5,7 @@ router ospf
 !
 log syslog
 !
-interface wg0
+interface wg3
  ip ospf area 0
  ip ospf network point-to-point
 !