From 77454046b845870f30be0bb50b523bf282333af9 Mon Sep 17 00:00:00 2001
From: Gregor Michels
Date: Tue, 10 Jan 2023 01:46:55 +0100
Subject: [PATCH] sax-rgs-gw-core01: configure backbone
---
 .../sax-rgs-gw-core01/etc/config/firewall | 36 +++++++++++++++++++
 .../sax-rgs-gw-core01/etc/config/network | 18 +++++-----
 .../sax-rgs-gw-core01/etc/frr/frr.conf | 2 +-
 3 files changed, 46 insertions(+), 10 deletions(-)
diff --git a/templates/gateways/sax-rgs-gw-core01/etc/config/firewall b/templates/gateways/sax-rgs-gw-core01/etc/config/firewall
index 0056435..b090926 100644
--- a/templates/gateways/sax-rgs-gw-core01/etc/config/firewall
+++ b/templates/gateways/sax-rgs-gw-core01/etc/config/firewall
@@ -20,6 +20,34 @@ config zone
  option output ACCEPT
  option forward REJECT
 
+config zone
+ option name backbone
+ list network wg3
+ option input REJECT
+ option output ACCEPT
+ option forward REJECT
+
+config rule
+ option name From-BACKBONE-Allow-OSPF
+ option src backbone
+ option proto ospf
+ option target ACCEPT
+
+config rule
+ option name From-BACKBONE-Allow-Prometheus
+ option src backbone
+ option proto tcp
+ option dest_port 9100
+ option target ACCEPT
+
+config rule
+ option name From-BACKBONE-Into-MGMT-Allow-SNMP
+ option src backbone
+ option dest mgmt
+ option proto udp
+ option dest_port 161
+ option target ACCEPT
+
 config rule
  option name From-Any-Allow-SSH
  option src *
@@ -50,6 +78,14 @@ config rule
  option dest_port 9100
  option target ACCEPT
 
+config rule
+ option name From-MGMT-Into-BACKBONE-Allow-Prometheus
+ option src mgmt
+ option dest backbone
+ option proto tcp
+ option dest_port 9100
+ option target ACCEPT
+
 config rule
  option name Into-MGMT-Allow-Prometheus-WebGUI-On-monitoring01
  option src *
diff --git a/templates/gateways/sax-rgs-gw-core01/etc/config/network b/templates/gateways/sax-rgs-gw-core01/etc/config/network
index a7662c0..3401c34 100644
--- a/templates/gateways/sax-rgs-gw-core01/etc/config/network
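Review bot: The three From-BACKBONE rules in the first hunk match on the zone alone (`option src backbone`) with no `src_ip`, while the wg3 peer configured in this commit's network change carries `list allowed_ips '0.0.0.0/0'`, so any source address arriving through the tunnel is accepted into the router's OSPF and node-exporter ports and forwarded as SNMP into mgmt. Since wg3 is a /31 with a single peer, pinning the input rules to that peer's tunnel address, e.g. `option src_ip <PEER_TUNNEL_ADDRESS>` on From-BACKBONE-Allow-OSPF and From-BACKBONE-Allow-Prometheus, keeps zone-wide acceptance from extending to spoofed or transit sources; whether From-BACKBONE-Into-MGMT-Allow-SNMP should be narrowed the same way depends on which backbone hosts poll mgmt, which the hunk does not show. From-BACKBONE-Allow-Prometheus also lets the backbone scrape this gateway's own 9100 while the second hunk adds the opposite direction from mgmt; if mgmt is the only scraper, the inbound rule may be unneeded, so a comment on the rule naming the intended scraper would make that intent checkable.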
+++ b/templates/gateways/sax-rgs-gw-core01/etc/config/network
@@ -79,19 +79,19 @@ config interface 'backoffice'
  option ipaddr '10.86.8.1'
  option netmask '255.255.255.0'
 
-config interface 'wg0'
+config interface 'wg3'
  option proto 'wireguard'
- option private_key "{{ lookup('passwordstore', 'wg/wg0/gw-core01') }}"
- option listen_port 51820
+ option private_key "{{ lookup('passwordstore', 'wg/wg3/sax-rgs-gw-core01') }}"
+ option listen_port 51823
  option mtu 1350
- list addresses '10.84.254.1/31'
- option disabled '1'
+ list addresses '10.86.254.1/31'
+ option disabled '0'
 
-config wireguard_wg0 'eap_adp_jump01'
- option public_key "{{ lookup('passwordstore', 'wg/wg0/eae-adp-jump01.pub') }}"
- option preshared_key "{{ lookup('passwordstore', 'wg/wg0/psk') }}"
+config wireguard_wg3 'eap_adp_jump01'
+ option public_key "{{ lookup('passwordstore', 'wg/wg3/eae-adp-jump01.pub') }}"
+ option preshared_key "{{ lookup('passwordstore', 'wg/wg3/psk') }}"
  option endpoint_host '162.55.53.85'
- option endpoint_port '51820'
+ option endpoint_port '51823'
  option route_allowed_ips '0'
  option persistent_keepalive 15
  list allowed_ips '0.0.0.0/0'
diff --git a/templates/gateways/sax-rgs-gw-core01/etc/frr/frr.conf b/templates/gateways/sax-rgs-gw-core01/etc/frr/frr.conf
index 39077d2..3aae0e0 100644
--- a/templates/gateways/sax-rgs-gw-core01/etc/frr/frr.conf
+++ b/templates/gateways/sax-rgs-gw-core01/etc/frr/frr.conf
@@ -5,7 +5,7 @@ router ospf
 !
 log syslog
 !
-interface wg0
+interface wg3
  ip ospf area 0
  ip ospf network point-to-point
 !
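Review bot: The newly enabled tunnel (`option disabled '0'`) binds a UDP listener on `option listen_port 51823`, and no wan-side input rule for that port appears anywhere in this commit; that is only sufficient because this side initiates the handshake (`option endpoint_host '162.55.53.85'` and `option persistent_keepalive 15` are set), so if the peer is ever expected to initiate, a wan input rule for udp/51823 is needed. A one-line comment above `option listen_port 51823` recording that this side is the initiator and the port is intentionally not opened on wan would keep the next editor from either opening it needlessly or being surprised when peer-initiated handshakes are dropped. Separately, the renamed peer section `config wireguard_wg3 'eap_adp_jump01'` keeps a section name that does not match the key path `wg/wg3/eae-adp-jump01.pub` in the line below it; this is presumably a long-standing typo and is harmless to WireGuard, but since the section is being rewritten anyway it would be a good moment to align them, `config wireguard_wg3 'eae_adp_jump01'`, if the passwordstore name is the correct one.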