sax-rgs-gw-core01: add config tree

2023-01-10 01:17:38 +01:00 · 2023-01-10 01:17:38 +01:00 · fe8d3b5dec
parent 3ec08cb017
commit fe8d3b5dec
4 changed files with 448 additions and 0 deletions
--- a/templates/gateways/sax-rgs-gw-core01/etc/config/dhcp
+++ b/templates/gateways/sax-rgs-gw-core01/etc/config/dhcp
@ -0,0 +1,53 @@
+
+config dnsmasq
+	option domainneeded '1'
+	option boguspriv '1'
+	option filterwin2k '0'
+	option localise_queries '1'
+	option rebind_protection '0'
+	option rebind_localhost '1'
+	option local '/lan/'
+	option domain 'lan'
+	option expandhosts '1'
+	option nonegcache '0'
+	option authoritative '1'
+	option readethers '1'
+	option leasefile '/etc/dhcp.leases'
+	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
+	option nonwildcard '1'
+	option localservice '1'
+	option ednspacket_max '1232'
+
+config dhcp 'mgmt'
+	option interface 'mgmt'
+	option start '100'
+	option limit '150'
+	option leasetime '12h'
+	option dhcpv4 'server'
+	option dhcpv6 'server'
+	option ra 'server'
+	option ra_slaac '1'
+	list ra_flags 'managed-config'
+	list ra_flags 'other-config'
+
+config dhcp 'backoffice'
+	option interface 'backoffice'
+	option start '100'
+	option limit '150'
+	option leasetime '12h'
+	option dhcpv4 'server'
+	option dhcpv6 'server'
+	option ra 'server'
+	option ra_slaac '1'
+	list ra_flags 'managed-config'
+	list ra_flags 'other-config'
+
+config dhcp 'wan'
+	option interface 'wan'
+	option ignore '1'
+
+config odhcpd 'odhcpd'
+	option maindhcp '0'
+	option leasefile '/tmp/hosts/odhcpd'
+	option leasetrigger '/usr/sbin/odhcpd-update'
+	option loglevel '4'
--- a/templates/gateways/sax-rgs-gw-core01/etc/config/firewall
+++ b/templates/gateways/sax-rgs-gw-core01/etc/config/firewall
@ -0,0 +1,282 @@
+config defaults
+	option syn_flood	1
+	option input		REJECT
+	option output		ACCEPT
+	option forward		REJECT
+# Uncomment this line to disable ipv6 rules
+#	option disable_ipv6	1
+
+config zone
+	option name		mgmt
+	list   network		'mgmt'
+	option input		ACCEPT
+	option output		ACCEPT
+	option forward		REJECT
+
+config zone
+	option name		backoffice
+	list   network		'backoffice'
+	option input		REJECT
+	option output		ACCEPT
+	option forward		REJECT
+
+config rule
+	option name		From-Any-Allow-SSH
+	option src		*
+	option proto		tcp
+	option dest_port	22
+	option target		ACCEPT
+
+config rule
+	option name		Into-MGMT-Allow-SSH
+	option src		*
+	option dest		mgmt
+	option proto		tcp
+	option dest_port	22
+	option target		ACCEPT
+
+config rule
+	option name		Into-MGMT-Allow-ICMP
+	option src		*
+	option dest		mgmt
+	option proto		icmp
+	option target		ACCEPT
+
+config rule
+	option name		Into-MGMT-Allow-Prometheus
+	option src		*
+	option dest		mgmt
+	option proto		tcp
+	option dest_port	9100
+	option target		ACCEPT
+
+config rule
+	option name		Into-MGMT-Allow-Prometheus-WebGUI-On-monitoring01
+	option src		*
+	option dest		mgmt
+	option proto		tcp
+	option dest_ip		10.84.1.51
+	option dest_port	9090
+	option target		ACCEPT
+
+config zone
+	option name		wan
+	list   network		'wan'
+	list   network		'wan6'
+	option input		REJECT
+	option output		ACCEPT
+	option forward		REJECT
+	option masq		1
+	option mtu_fix		1
+
+config forwarding
+	option src		mgmt
+	option dest		wan
+
+config forwarding
+	option src		backoffice
+	option dest		wan
+
+# We need to accept udp packets on port 68,
+# see https://dev.openwrt.org/ticket/4108
+config rule
+	option name		Allow-DHCP-Renew
+	option src		wan
+	option proto		udp
+	option dest_port	68
+	option target		ACCEPT
+	option family		ipv4
+
+# Allow IPv4 ping
+config rule
+	option name		Allow-Ping
+	option src		*
+	option proto		icmp
+	option icmp_type	echo-request
+	option family		ipv4
+	option target		ACCEPT
+
+config rule
+	option name		Allow-IGMP
+	option src		wan
+	option proto		igmp
+	option family		ipv4
+	option target		ACCEPT
+
+# Allow DHCPv6 replies
+# see https://dev.openwrt.org/ticket/10381
+config rule
+	option name		Allow-DHCPv6
+	option src		wan
+	option proto		udp
+	option src_ip		fc00::/6
+	option dest_ip		fc00::/6
+	option dest_port	546
+	option family		ipv6
+	option target		ACCEPT
+
+config rule
+	option name		Allow-MLD
+	option src		wan
+	option proto		icmp
+	option src_ip		fe80::/10
+	list icmp_type		'130/0'
+	list icmp_type		'131/0'
+	list icmp_type		'132/0'
+	list icmp_type		'143/0'
+	option family		ipv6
+	option target		ACCEPT
+
+# Allow essential incoming IPv6 ICMP traffic
+config rule
+	option name		Allow-ICMPv6-Input
+	option src		wan
+	option proto	icmp
+	list icmp_type		echo-request
+	list icmp_type		echo-reply
+	list icmp_type		destination-unreachable
+	list icmp_type		packet-too-big
+	list icmp_type		time-exceeded
+	list icmp_type		bad-header
+	list icmp_type		unknown-header-type
+	list icmp_type		router-solicitation
+	list icmp_type		neighbour-solicitation
+	list icmp_type		router-advertisement
+	list icmp_type		neighbour-advertisement
+	option limit		1000/sec
+	option family		ipv6
+	option target		ACCEPT
+
+# Allow essential forwarded IPv6 ICMP traffic
+config rule
+	option name		Allow-ICMPv6-Forward
+	option src		wan
+	option dest		*
+	option proto		icmp
+	list icmp_type		echo-request
+	list icmp_type		echo-reply
+	list icmp_type		destination-unreachable
+	list icmp_type		packet-too-big
+	list icmp_type		time-exceeded
+	list icmp_type		bad-header
+	list icmp_type		unknown-header-type
+	option limit		1000/sec
+	option family		ipv6
+	option target		ACCEPT
+
+config rule
+	option name		Allow-IPSec-ESP
+	option src		wan
+	option dest		backoffice
+	option proto		esp
+	option target		ACCEPT
+
+config rule
+	option name		Allow-ISAKMP
+	option src		wan
+	option dest		backoffice
+	option dest_port	500
+	option proto		udp
+	option target		ACCEPT
+
+config rule
+	option name		WAN_Allow-SSH
+	option src		wan
+	option dest_port	22
+	option proto		tcp
+	option target		ACCEPT
+
+# allow interoperability with traceroute classic
+# note that traceroute uses a fixed port range, and depends on getting
+# back ICMP Unreachables.  if we're operating in DROP mode, it won't
+# work so we explicitly REJECT packets on these ports.
+config rule
+	option name		Support-UDP-Traceroute
+	option src		wan
+	option dest_port	33434:33689
+	option proto		udp
+	option family		ipv4
+	option target		REJECT
+	option enabled		false
+
+config rule
+	option name		BACKOFFICE_Allow-DHCP
+	option src		backoffice
+	option proto		udp
+	option dest_port	67-68
+	option target		ACCEPT
+	option family		ipv4
+
+config rule
+	option name		BACKOFFICE_Allow-DNS
+	option src		backoffice
+	option proto		udp
+	option dest_port	53
+	option target		ACCEPT
+	option family		ipv4
+
+
+# include a file with users custom iptables rules
+config include
+	option path /etc/firewall.user
+
+
+### EXAMPLE CONFIG SECTIONS
+# do not allow a specific ip to access wan
+#config rule
+#	option src		mgmt
+#	option src_ip	192.168.45.2
+#	option dest		wan
+#	option proto	tcp
+#	option target	REJECT
+
+# block a specific mac on wan
+#config rule
+#	option dest		wan
+#	option src_mac	00:11:22:33:44:66
+#	option target	REJECT
+
+# block incoming ICMP traffic on a zone
+#config rule
+#	option src		mgmt
+#	option proto	ICMP
+#	option target	DROP
+
+# port redirect port coming in on wan to lan
+#config redirect
+#	option src			wan
+#	option src_dport	80
+#	option dest			lan
+#	option dest_ip		192.168.16.235
+#	option dest_port	80
+#	option proto		tcp
+
+# port redirect of remapped ssh port (22001) on wan
+#config redirect
+#	option src		wan
+#	option src_dport	22001
+#	option dest		lan
+#	option dest_port	22
+#	option proto		tcp
+
+### FULL CONFIG SECTIONS
+#config rule
+#	option src		lan
+#	option src_ip	192.168.45.2
+#	option src_mac	00:11:22:33:44:55
+#	option src_port	80
+#	option dest		wan
+#	option dest_ip	194.25.2.129
+#	option dest_port	120
+#	option proto	tcp
+#	option target	REJECT
+
+#config redirect
+#	option src		lan
+#	option src_ip	192.168.45.2
+#	option src_mac	00:11:22:33:44:55
+#	option src_port		1024
+#	option src_dport	80
+#	option dest_ip	194.25.2.129
+#	option dest_port	120
+#	option proto	tcp
--- a/templates/gateways/sax-rgs-gw-core01/etc/config/network
+++ b/templates/gateways/sax-rgs-gw-core01/etc/config/network
@ -0,0 +1,97 @@
+
+config interface 'loopback'
+        option device 'lo'
+        option proto 'static'
+        option ipaddr '127.0.0.1'
+        option netmask '255.0.0.0'
+
+config globals 'globals'
+        option packet_steering '1'
+
+config device 'switch'
+        option name 'switch'
+        option type 'bridge'
+        option vlan_filtering 1
+        list ports 'eth0'
+        list ports 'eth1'
+        list ports 'eth2'
+        list ports 'eth3'
+        list ports 'eth4'
+        list ports 'eth5'
+        list ports 'eth6'
+        list ports 'eth7'
+
+config bridge-vlan 'mgmt_vlan'
+        option vlan '1'
+        option device 'switch'
+        list ports 'eth1:u*'
+        list ports 'eth2:u*'
+        list ports 'eth3:u*'
+        list ports 'eth4:u*'
+        list ports 'eth5:u*'
+        list ports 'eth6:u*'
+        list ports 'eth7:u*'
+
+config bridge-vlan 'clients_vlan'
+        option vlan '2'
+        option device 'switch'
+        list ports 'eth1:t'
+        list ports 'eth2:t'
+        list ports 'eth3:t'
+        list ports 'eth4:t'
+        list ports 'eth5:t'
+        list ports 'eth6:t'
+        list ports 'eth7:t'
+
+config bridge-vlan 'wan_vlan'
+        option vlan '3'
+        option device 'switch'
+        list ports 'eth0:u*'
+
+config bridge-vlan 'backoffice_vlan'
+        option vlan '8'
+        option device 'switch'
+        list ports 'eth1:t'
+        list ports 'eth2:t'
+        list ports 'eth3:t'
+        list ports 'eth4:t'
+        list ports 'eth5:t'
+        list ports 'eth6:t'
+        list ports 'eth7:t'
+
+config interface 'mgmt'
+        option device 'switch.1'
+        option proto 'static'
+        option ipaddr '10.86.1.1'
+        option netmask '255.255.255.0'
+
+config interface 'wan'
+        option device 'switch.3'
+        option proto 'dhcp'
+
+config interface 'wan6'
+        option device 'switch.3'
+        option proto 'dhcpv6'
+
+config interface 'backoffice'
+        option device 'switch.8'
+        option proto 'static'
+        option ipaddr '10.86.8.1'
+        option netmask '255.255.255.0'
+
+config interface 'wg0'
+        option proto 'wireguard'
+        option private_key "{{ lookup('passwordstore', 'wg/wg0/gw-core01') }}"
+        option listen_port 51820
+        option mtu 1350
+        list addresses '10.84.254.1/31'
+	option disabled '1'
+
+config wireguard_wg0 'eap_adp_jump01'
+        option public_key "{{ lookup('passwordstore', 'wg/wg0/eae-adp-jump01.pub') }}"
+        option preshared_key "{{ lookup('passwordstore', 'wg/wg0/psk') }}"
+        option endpoint_host '162.55.53.85'
+        option endpoint_port '51820'
+        option route_allowed_ips '0'
+        option persistent_keepalive 15
+        list allowed_ips '0.0.0.0/0'
--- a/templates/gateways/sax-rgs-gw-core01/etc/frr/frr.conf
+++ b/templates/gateways/sax-rgs-gw-core01/etc/frr/frr.conf
@ -0,0 +1,16 @@
+password zebra
+!
+router ospf
+  redistribute connected
+!
+log syslog
+!
+interface wg0
+  ip ospf area 0
+  ip ospf network point-to-point
+!
+access-list vty permit 127.0.0.0/8
+access-list vty deny any
+!
+line vty
+ access-class vty