7 Commits
6bcefd4955
...
3664b97ab1
Author | SHA1 | Date |
---|---|---|
Gregor Michels | 3664b97ab1 | |
Gregor Michels | c311163884 | |
Gregor Michels | c00669664e | |
Gregor Michels | 0084c1a742 | |
Gregor Michels | 5461ae6e93 | |
Gregor Michels | cc7a94127d | |
Gregor Michels | 60dcef23b7 |
|
@ -1,5 +1,6 @@
|
|||
[accesspoints]
|
||||
ap-c5d1 ip=10.84.1.33 channel_2g=1 channel_5g=36 # Office
|
||||
ap-c5d1 ip=10.84.1.33 channel_2g=1 channel_5g=36 txpower_2g=12 txpower_5g=13 # Office
|
||||
ap-ac7c ip=10.84.1.31 channel_2g=11 channel_5g=161 txpower_2g=12 txpower_5g=13 # Socialwork
|
||||
ap-8f42 ip=10.84.1.36 channel_2g=6 channel_5g=40 # Tent 1
|
||||
ap-0b99 ip=10.84.1.32 channel_2g=11 channel_5g=44 # Tent 2
|
||||
ap-c495 ip=10.84.1.34 channel_2g=1 channel_5g=48 # Tent 3
|
||||
|
|
Binary file not shown.
Binary file not shown.
Binary file not shown.
|
@ -6,34 +6,14 @@
|
|||
- wifi_ssid: "GU Deutscher Platz"
|
||||
- wifi_encryption: "none"
|
||||
tasks:
|
||||
- name: create clients bridge (vlan)
|
||||
blockinfile:
|
||||
path: /etc/config/network
|
||||
block: |
|
||||
config interface 'clients'
|
||||
option type 'bridge'
|
||||
option ifname 'eth0.2'
|
||||
notify:
|
||||
- reload network
|
||||
|
||||
- name: create backoffice bridge (vlan)
|
||||
blockinfile:
|
||||
path: /etc/config/network
|
||||
block: |
|
||||
config interface 'backoffice'
|
||||
option type 'bridge'
|
||||
option ifname 'eth0.8'
|
||||
marker_begin: BACKOFFICE_NETWORK_BEGIN
|
||||
marker_end: BACKOFFICE_NETWORK_END
|
||||
notify:
|
||||
- reload network
|
||||
|
||||
- name: configure wireless
|
||||
- name: provision /etc/config
|
||||
template:
|
||||
src: templates/aruba-ap-105_wireless.j2
|
||||
dest: /etc/config/wireless
|
||||
src: "{{ item }}"
|
||||
dest: /etc/config/
|
||||
with_fileglob:
|
||||
- "templates/accesspoints/etc/config/*"
|
||||
notify:
|
||||
- reload wifi
|
||||
- "reload {{ item | basename }}"
|
||||
|
||||
# current os ships with that package and leaks mac addresses into prometheus
|
||||
# therefore we nuke it
|
||||
|
@ -71,9 +51,14 @@
|
|||
name: network
|
||||
state: reloaded
|
||||
|
||||
- name: reload wifi
|
||||
- name: reload wireless
|
||||
command: wifi reconf
|
||||
|
||||
- name: reload system
|
||||
service:
|
||||
name: system
|
||||
state: reloaded
|
||||
|
||||
- name: restart prometheus-node-exporter-lua
|
||||
service:
|
||||
name: prometheus-node-exporter-lua
|
||||
|
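Review bot: The rewritten `provision /etc/config` task (`src: "{{ item }}"` with `with_fileglob`, `dest: /etc/config/`) sets no `owner`/`group`/`mode`, so every rendered file takes whatever the remote umask yields; the gateways playbook added in this same commit writes the equivalent files with `owner: root`, `group: root`, `mode: "0600"`, and the wireless config this glob presumably now covers may carry credentials, so the same three lines belong here. The `notify: "reload {{ item | basename }}"` pattern also requires a handler named after every file in `templates/accesspoints/etc/config/`; the handlers visible in the second hunk are `reload network`, `reload wireless` and `reload system`, so any other file dropped into that directory makes the play fail with an unknown-handler error at run time rather than at render time. The old single-file wireless task (`templates/aruba-ap-105_wireless.j2` → `/etc/config/wireless`) is gone, so it is worth confirming a `wireless` template now lives in the glob directory, otherwise that file stops being managed. The play header and the rest of the handler list lie outside these hunks.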
|
|
@ -51,55 +51,3 @@
|
|||
service:
|
||||
name: ospfd
|
||||
state: restart
|
||||
|
||||
- name: configure tunnel on gw-core01
|
||||
hosts: gw-core01
|
||||
gather_facts: no
|
||||
tasks:
|
||||
- name: create wg0 interface
|
||||
blockinfile:
|
||||
path: /etc/config/network
|
||||
content: |
|
||||
config interface 'wg0'
|
||||
option proto 'wireguard'
|
||||
option private_key "{{ lookup('passwordstore', 'wg/wg0/gw-core01') }}"
|
||||
option listen_port 51820
|
||||
option mtu 1350
|
||||
list addresses '10.84.254.1/31'
|
||||
|
||||
config wireguard_wg0 'eap_adp_jump01'
|
||||
option public_key "{{ lookup('passwordstore', 'wg/wg0/eae-adp-jump01.pub') }}"
|
||||
option preshared_key "{{ lookup('passwordstore', 'wg/wg0/psk') }}"
|
||||
option endpoint_host '162.55.53.85'
|
||||
option endpoint_port '51820'
|
||||
option route_allowed_ips '0'
|
||||
option persistent_keepalive 15
|
||||
list allowed_ips '0.0.0.0/0'
|
||||
notify:
|
||||
- restart network
|
||||
|
||||
- name: configure frr (daemons)
|
||||
lineinfile:
|
||||
regexp: '^ospfd=.*$'
|
||||
line: 'ospfd=yes'
|
||||
path: /etc/frr/daemons
|
||||
notify:
|
||||
- restart frr
|
||||
|
||||
- name: configure frr (frr.conf)
|
||||
copy:
|
||||
src: files/gw-core01_frr.conf
|
||||
dest: /etc/frr/frr.conf
|
||||
notify:
|
||||
- restart frr
|
||||
|
||||
handlers:
|
||||
- name: restart network
|
||||
service:
|
||||
name: network
|
||||
state: restarted
|
||||
|
||||
- name: restart frr
|
||||
service:
|
||||
name: frr
|
||||
state: restarted
|
||||
|
|
|
@ -0,0 +1,68 @@
|
|||
---
|
||||
- name: provision gateway
|
||||
hosts: gateways
|
||||
tasks:
|
||||
- name: configure routing tables
|
||||
copy:
|
||||
src: templates/gateways/etc/iproute2/rt_tables
|
||||
dest: /etc/iproute2/rt_tables
|
||||
owner: root
|
||||
group: root
|
||||
mode: 0644
|
||||
notify:
|
||||
- reload network
|
||||
|
||||
- name: provision /etc/config
|
||||
template:
|
||||
src: "{{ item }}"
|
||||
dest: /etc/config/
|
||||
owner: root
|
||||
group: root
|
||||
mode: 0600
|
||||
with_fileglob:
|
||||
- "templates/gateways/etc/config/*"
|
||||
notify:
|
||||
- "reload {{ item | basename }}"
|
||||
|
||||
- name: configure frr
|
||||
template:
|
||||
src: "{{ item }}"
|
||||
dest: /etc/frr/
|
||||
owner: root
|
||||
group: root
|
||||
mode: 0600
|
||||
with_fileglob:
|
||||
- "templates/gateways/etc/frr/*"
|
||||
notify:
|
||||
- restart frr
|
||||
|
||||
handlers:
|
||||
- name: reload dhcp
|
||||
service:
|
||||
name: dnsmasq
|
||||
state: reloaded
|
||||
|
||||
- name: reload firewall
|
||||
service:
|
||||
name: firewall
|
||||
state: reloaded
|
||||
|
||||
- name: reload network
|
||||
service:
|
||||
name: network
|
||||
state: reloaded
|
||||
|
||||
- name: reload prometheus-node-exporter-lua
|
||||
service:
|
||||
name: prometheus-node-exporter-lua
|
||||
state: reloaded
|
||||
|
||||
- name: reload system
|
||||
service:
|
||||
name: system
|
||||
state: reloaded
|
||||
|
||||
- name: restart frr
|
||||
service:
|
||||
name: frr
|
||||
state: restarted
|
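Review bot: The file modes in the three tasks are bare octal literals (`mode: 0644`, `mode: 0600`); Ansible accepts a leading-zero integer, but a YAML 1.2 loader reads `0644` as decimal 644, so the quoted form `mode: "0600"` (and `mode: "0644"` on the rt_tables task) is the robust spelling. The `0600` on the `/etc/config` and `/etc/frr` templates is the right choice, since the rendered network config embeds the WireGuard private key via `lookup('passwordstore', ...)` and frr.conf carries a vty password. The `with_fileglob` + `notify: "reload {{ item | basename }}"` convention implies one handler per file name; the handlers here (dhcp, firewall, network, prometheus-node-exporter-lua, system) match the gateway config files added in this commit, but a file added to the glob directory later needs a matching handler or the play errors, which deserves a one-line comment above the task.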
|
@ -0,0 +1,23 @@
|
|||
|
||||
config interface 'loopback'
|
||||
option device 'lo'
|
||||
option proto 'static'
|
||||
option ipaddr '127.0.0.1'
|
||||
option netmask '255.0.0.0'
|
||||
|
||||
config interface 'mgmt'
|
||||
option device 'eth0'
|
||||
option proto 'static'
|
||||
option ipaddr '{{ ip }}'
|
||||
option netmask '255.255.255.0'
|
||||
option gateway '10.84.1.1'
|
||||
list dns '10.84.1.1'
|
||||
|
||||
config interface 'clients'
|
||||
option type 'bridge'
|
||||
option ifname 'eth0.2'
|
||||
|
||||
config interface 'backoffice'
|
||||
option type 'bridge'
|
||||
option ifname 'eth0.8'
|
||||
|
|
@ -0,0 +1,15 @@
|
|||
|
||||
config system
|
||||
option ttylogin '0'
|
||||
option log_size '64'
|
||||
option urandom_seed '0'
|
||||
option timezone 'CET-1CEST,M3.5.0,M10.5.0/3'
|
||||
option hostname '{{ inventory_hostname }}'
|
||||
|
||||
config timeserver 'ntp'
|
||||
option enabled '1'
|
||||
option enable_server '0'
|
||||
list server '0.openwrt.pool.ntp.org'
|
||||
list server '1.openwrt.pool.ntp.org'
|
||||
list server '2.openwrt.pool.ntp.org'
|
||||
list server '3.openwrt.pool.ntp.org'
|
|
@ -0,0 +1,83 @@
|
|||
|
||||
config dnsmasq
|
||||
option domainneeded '1'
|
||||
option boguspriv '1'
|
||||
option filterwin2k '0'
|
||||
option localise_queries '1'
|
||||
option rebind_protection '0'
|
||||
option rebind_localhost '1'
|
||||
option local '/lan/'
|
||||
option domain 'lan'
|
||||
option expandhosts '1'
|
||||
option nonegcache '0'
|
||||
option authoritative '1'
|
||||
option readethers '1'
|
||||
option leasefile '/tmp/dhcp.leases'
|
||||
option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
|
||||
option nonwildcard '1'
|
||||
option localservice '1'
|
||||
option ednspacket_max '1232'
|
||||
|
||||
config dhcp 'mgmt'
|
||||
option interface 'mgmt'
|
||||
option start '100'
|
||||
option limit '150'
|
||||
option leasetime '12h'
|
||||
option dhcpv4 'server'
|
||||
option dhcpv6 'server'
|
||||
option ra 'server'
|
||||
option ra_slaac '1'
|
||||
list ra_flags 'managed-config'
|
||||
list ra_flags 'other-config'
|
||||
|
||||
config dhcp 'clients'
|
||||
option interface 'clients'
|
||||
# from: 10.84.4.2
|
||||
# to: 10.84.7.254
|
||||
# start: 2
|
||||
# limit: 1020
|
||||
option start '2'
|
||||
option limit '1020'
|
||||
option leasetime '12h'
|
||||
option dhcpv4 'server'
|
||||
option dhcpv6 'server'
|
||||
option ra 'server'
|
||||
option ra_slaac '1'
|
||||
list ra_flags 'managed-config'
|
||||
list ra_flags 'other-config'
|
||||
|
||||
config dhcp 'backoffice'
|
||||
option interface 'backoffice'
|
||||
option start '100'
|
||||
option limit '150'
|
||||
option leasetime '12h'
|
||||
option dhcpv4 'server'
|
||||
option dhcpv6 'server'
|
||||
option ra 'server'
|
||||
option ra_slaac '1'
|
||||
list ra_flags 'managed-config'
|
||||
list ra_flags 'other-config'
|
||||
|
||||
config dhcp 'wan'
|
||||
option interface 'wan'
|
||||
option ignore '1'
|
||||
|
||||
config odhcpd 'odhcpd'
|
||||
option maindhcp '0'
|
||||
option leasefile '/tmp/hosts/odhcpd'
|
||||
option leasetrigger '/usr/sbin/odhcpd-update'
|
||||
option loglevel '4'
|
||||
|
||||
config domain 'hyper01'
|
||||
option name 'hyper01'
|
||||
option ip '10.84.1.21'
|
||||
|
||||
config domain 'monitoring01'
|
||||
option name 'monitoring01'
|
||||
option ip '10.84.1.51'
|
||||
|
||||
config host 'mon-e2e-clients01'
|
||||
option name 'mon-e2e-clients01'
|
||||
option ip '10.84.7.30'
|
||||
option mac 'ca:ac:5a:d0:b6:02'
|
||||
option dns '1'
|
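Review bot: `option rebind_protection '0'` in the `config dnsmasq` block disables dnsmasq's DNS-rebinding filter for every network this gateway serves, including the clients and backoffice pools defined below; OpenWrt ships it enabled, and the reason for turning it off is not visible here, so unless an internal zone genuinely needs private-range answers from upstream it should read `option rebind_protection '1'` with the specific names exempted via `list rebind_domain '<domain>'`. Separately, the comment block on the clients pool says `# to: 10.84.7.254`, but with `option start '2'` and `option limit '1020'` the pool's last address is start+limit-1, i.e. 10.84.7.253 if I read OpenWrt's `limit` semantics correctly, so either the comment or the limit is off by one.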
|
@ -0,0 +1,393 @@
|
|||
config defaults
|
||||
option syn_flood 1
|
||||
option input REJECT
|
||||
option output ACCEPT
|
||||
option forward REJECT
|
||||
# Uncomment this line to disable ipv6 rules
|
||||
# option disable_ipv6 1
|
||||
|
||||
config zone
|
||||
option name mgmt
|
||||
list network 'mgmt'
|
||||
option input ACCEPT
|
||||
option output ACCEPT
|
||||
option forward REJECT
|
||||
|
||||
config zone
|
||||
option name clients
|
||||
list network 'clients'
|
||||
option input REJECT
|
||||
option output ACCEPT
|
||||
option forward REJECT
|
||||
|
||||
config zone
|
||||
option name backoffice
|
||||
list network 'backoffice'
|
||||
option input REJECT
|
||||
option output ACCEPT
|
||||
option forward REJECT
|
||||
|
||||
config zone
|
||||
option name backbone
|
||||
list network wg0
|
||||
option input REJECT
|
||||
option output ACCEPT
|
||||
option forward REJECT
|
||||
|
||||
config zone
|
||||
option name launder
|
||||
list network wg1
|
||||
option input REJECT
|
||||
option output ACCEPT
|
||||
option forward REJECT
|
||||
option masq 1
|
||||
option mtu_fix 1
|
||||
|
||||
config rule
|
||||
option name From-CLIENTS-Allow-IPERF3-UDP
|
||||
option src clients
|
||||
option proto udp
|
||||
option dest_port 5201
|
||||
option target ACCEPT
|
||||
|
||||
config rule
|
||||
option name From-CLIENTS-Allow-IPERF3-TCP
|
||||
option src clients
|
||||
option proto tcp
|
||||
option dest_port 5201
|
||||
option target ACCEPT
|
||||
|
||||
config rule
|
||||
option name From-BACKBONE-Allow-OSPF
|
||||
option src backbone
|
||||
option proto ospf
|
||||
option target ACCEPT
|
||||
|
||||
config rule
|
||||
option name From-Any-Allow-SSH
|
||||
option src *
|
||||
option proto tcp
|
||||
option dest_port 22
|
||||
option target ACCEPT
|
||||
|
||||
config rule
|
||||
option name Into-MGMT-Allow-SSH
|
||||
option src *
|
||||
option dest mgmt
|
||||
option proto tcp
|
||||
option dest_port 22
|
||||
option target ACCEPT
|
||||
|
||||
config rule
|
||||
option name Into-MGMT-Allow-ICMP
|
||||
option src *
|
||||
option dest mgmt
|
||||
option proto icmp
|
||||
option target ACCEPT
|
||||
|
||||
config rule
|
||||
option name Into-MGMT-Allow-Prometheus
|
||||
option src *
|
||||
option dest mgmt
|
||||
option proto tcp
|
||||
option dest_port 9100
|
||||
option target ACCEPT
|
||||
|
||||
config rule
|
||||
option name From-MGMT-Into-BACKBONE-Allow-Prometheus
|
||||
option src mgmt
|
||||
option dest backbone
|
||||
option proto tcp
|
||||
option dest_port 9100
|
||||
option target ACCEPT
|
||||
|
||||
config rule
|
||||
option name Into-MGMT-Allow-Prometheus-WebGUI-On-monitoring01
|
||||
option src *
|
||||
option dest mgmt
|
||||
option proto tcp
|
||||
option dest_ip 10.84.1.51
|
||||
option dest_port 9090
|
||||
option target ACCEPT
|
||||
|
||||
config rule
|
||||
option name Into-MGMT-Allow-Grafana-WebGUI-On-monitoring01
|
||||
option src *
|
||||
option dest mgmt
|
||||
option proto tcp
|
||||
option dest_ip 10.84.1.51
|
||||
option dest_port 3000
|
||||
option target ACCEPT
|
||||
|
||||
config rule
|
||||
option name Into-CLIENTS-Allow-PromBlackbox-On-mon-e2e-clients01
|
||||
option src *
|
||||
option dest clients
|
||||
option dest_ip 10.84.7.30
|
||||
option proto tcp
|
||||
option dest_port 9115
|
||||
option target ACCEPT
|
||||
|
||||
config rule
|
||||
option name Into-CLIENTS-Allow-Prometheus-On-mon-e2e-clients01
|
||||
option src *
|
||||
option dest clients
|
||||
option dest_ip 10.84.7.30
|
||||
option proto tcp
|
||||
option dest_port 9100
|
||||
option target ACCEPT
|
||||
|
||||
config rule
|
||||
option name Into-CLIENTS-Allow-SSH-On-mon-e2e-clients01
|
||||
option src *
|
||||
option dest clients
|
||||
option dest_ip 10.84.7.30
|
||||
option proto tcp
|
||||
option dest_port 22
|
||||
option target ACCEPT
|
||||
|
||||
config zone
|
||||
option name wan
|
||||
list network 'wan'
|
||||
list network 'wan6'
|
||||
option input REJECT
|
||||
option output ACCEPT
|
||||
option forward REJECT
|
||||
option masq 1
|
||||
option mtu_fix 1
|
||||
|
||||
config forwarding
|
||||
option src mgmt
|
||||
option dest wan
|
||||
|
||||
config forwarding
|
||||
option src clients
|
||||
option dest wan
|
||||
|
||||
config forwarding
|
||||
option src clients
|
||||
option dest launder
|
||||
|
||||
config forwarding
|
||||
option src backoffice
|
||||
option dest wan
|
||||
|
||||
# We need to accept udp packets on port 68,
|
||||
# see https://dev.openwrt.org/ticket/4108
|
||||
config rule
|
||||
option name Allow-DHCP-Renew
|
||||
option src wan
|
||||
option proto udp
|
||||
option dest_port 68
|
||||
option target ACCEPT
|
||||
option family ipv4
|
||||
|
||||
# Allow IPv4 ping
|
||||
config rule
|
||||
option name Allow-Ping
|
||||
option src *
|
||||
option proto icmp
|
||||
option icmp_type echo-request
|
||||
option family ipv4
|
||||
option target ACCEPT
|
||||
|
||||
config rule
|
||||
option name Allow-IGMP
|
||||
option src wan
|
||||
option proto igmp
|
||||
option family ipv4
|
||||
option target ACCEPT
|
||||
|
||||
# Allow DHCPv6 replies
|
||||
# see https://dev.openwrt.org/ticket/10381
|
||||
config rule
|
||||
option name Allow-DHCPv6
|
||||
option src wan
|
||||
option proto udp
|
||||
option src_ip fc00::/6
|
||||
option dest_ip fc00::/6
|
||||
option dest_port 546
|
||||
option family ipv6
|
||||
option target ACCEPT
|
||||
|
||||
config rule
|
||||
option name Allow-MLD
|
||||
option src wan
|
||||
option proto icmp
|
||||
option src_ip fe80::/10
|
||||
list icmp_type '130/0'
|
||||
list icmp_type '131/0'
|
||||
list icmp_type '132/0'
|
||||
list icmp_type '143/0'
|
||||
option family ipv6
|
||||
option target ACCEPT
|
||||
|
||||
# Allow essential incoming IPv6 ICMP traffic
|
||||
config rule
|
||||
option name Allow-ICMPv6-Input
|
||||
option src wan
|
||||
option proto icmp
|
||||
list icmp_type echo-request
|
||||
list icmp_type echo-reply
|
||||
list icmp_type destination-unreachable
|
||||
list icmp_type packet-too-big
|
||||
list icmp_type time-exceeded
|
||||
list icmp_type bad-header
|
||||
list icmp_type unknown-header-type
|
||||
list icmp_type router-solicitation
|
||||
list icmp_type neighbour-solicitation
|
||||
list icmp_type router-advertisement
|
||||
list icmp_type neighbour-advertisement
|
||||
option limit 1000/sec
|
||||
option family ipv6
|
||||
option target ACCEPT
|
||||
|
||||
# Allow essential forwarded IPv6 ICMP traffic
|
||||
config rule
|
||||
option name Allow-ICMPv6-Forward
|
||||
option src wan
|
||||
option dest *
|
||||
option proto icmp
|
||||
list icmp_type echo-request
|
||||
list icmp_type echo-reply
|
||||
list icmp_type destination-unreachable
|
||||
list icmp_type packet-too-big
|
||||
list icmp_type time-exceeded
|
||||
list icmp_type bad-header
|
||||
list icmp_type unknown-header-type
|
||||
option limit 1000/sec
|
||||
option family ipv6
|
||||
option target ACCEPT
|
||||
|
||||
config rule
|
||||
option name Allow-IPSec-ESP
|
||||
option src wan
|
||||
option dest clients
|
||||
option proto esp
|
||||
option target ACCEPT
|
||||
|
||||
config rule
|
||||
option name Allow-ISAKMP
|
||||
option src wan
|
||||
option dest clients
|
||||
option dest_port 500
|
||||
option proto udp
|
||||
option target ACCEPT
|
||||
|
||||
config rule
|
||||
option name WAN_Allow-SSH
|
||||
option src wan
|
||||
option dest_port 22
|
||||
option proto tcp
|
||||
option target ACCEPT
|
||||
|
||||
# allow interoperability with traceroute classic
|
||||
# note that traceroute uses a fixed port range, and depends on getting
|
||||
# back ICMP Unreachables. if we're operating in DROP mode, it won't
|
||||
# work so we explicitly REJECT packets on these ports.
|
||||
config rule
|
||||
option name Support-UDP-Traceroute
|
||||
option src wan
|
||||
option dest_port 33434:33689
|
||||
option proto udp
|
||||
option family ipv4
|
||||
option target REJECT
|
||||
option enabled false
|
||||
|
||||
config rule
|
||||
option name CLIENTS_Allow-DHCP
|
||||
option src clients
|
||||
option proto udp
|
||||
option dest_port 67-68
|
||||
option target ACCEPT
|
||||
option family ipv4
|
||||
|
||||
config rule
|
||||
option name CLIENTS_Allow-DNS
|
||||
option src clients
|
||||
option proto udp
|
||||
option dest_port 53
|
||||
option target ACCEPT
|
||||
option family ipv4
|
||||
|
||||
config rule
|
||||
option name BACKOFFICE_Allow-DHCP
|
||||
option src backoffice
|
||||
option proto udp
|
||||
option dest_port 67-68
|
||||
option target ACCEPT
|
||||
option family ipv4
|
||||
|
||||
config rule
|
||||
option name BACKOFFICE_Allow-DNS
|
||||
option src backoffice
|
||||
option proto udp
|
||||
option dest_port 53
|
||||
option target ACCEPT
|
||||
option family ipv4
|
||||
|
||||
|
||||
# include a file with users custom iptables rules
|
||||
config include
|
||||
option path /etc/firewall.user
|
||||
|
||||
|
||||
### EXAMPLE CONFIG SECTIONS
|
||||
# do not allow a specific ip to access wan
|
||||
#config rule
|
||||
# option src mgmt
|
||||
# option src_ip 192.168.45.2
|
||||
# option dest wan
|
||||
# option proto tcp
|
||||
# option target REJECT
|
||||
|
||||
# block a specific mac on wan
|
||||
#config rule
|
||||
# option dest wan
|
||||
# option src_mac 00:11:22:33:44:66
|
||||
# option target REJECT
|
||||
|
||||
# block incoming ICMP traffic on a zone
|
||||
#config rule
|
||||
# option src mgmt
|
||||
# option proto ICMP
|
||||
# option target DROP
|
||||
|
||||
# port redirect port coming in on wan to lan
|
||||
#config redirect
|
||||
# option src wan
|
||||
# option src_dport 80
|
||||
# option dest lan
|
||||
# option dest_ip 192.168.16.235
|
||||
# option dest_port 80
|
||||
# option proto tcp
|
||||
|
||||
# port redirect of remapped ssh port (22001) on wan
|
||||
#config redirect
|
||||
# option src wan
|
||||
# option src_dport 22001
|
||||
# option dest lan
|
||||
# option dest_port 22
|
||||
# option proto tcp
|
||||
|
||||
### FULL CONFIG SECTIONS
|
||||
#config rule
|
||||
# option src lan
|
||||
# option src_ip 192.168.45.2
|
||||
# option src_mac 00:11:22:33:44:55
|
||||
# option src_port 80
|
||||
# option dest wan
|
||||
# option dest_ip 194.25.2.129
|
||||
# option dest_port 120
|
||||
# option proto tcp
|
||||
# option target REJECT
|
||||
|
||||
#config redirect
|
||||
# option src lan
|
||||
# option src_ip 192.168.45.2
|
||||
# option src_mac 00:11:22:33:44:55
|
||||
# option src_port 1024
|
||||
# option src_dport 80
|
||||
# option dest_ip 194.25.2.129
|
||||
# option dest_port 120
|
||||
# option proto tcp
|
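Review bot: `From-Any-Allow-SSH` (`option src *`, tcp/22, `ACCEPT`) opens the gateway's own SSH port to every zone, including wan, the Mullvad-facing launder zone and the clients network, and `WAN_Allow-SSH` further down repeats the wan part; unless internet-side administration is intended, narrowing it to `option src mgmt` (or `backbone`) and deleting `WAN_Allow-SSH` keeps management on the mgmt VLAN. The `Into-MGMT-*` rules use the same `src *`, so hosts in the clients zone can reach SSH and node-exporter port 9100 on every mgmt host plus the Prometheus and Grafana web UIs on 10.84.1.51 (9090/3000); if only monitoring01 needs to scrape, `option src mgmt`/`option src backbone` on those rules, or at least `option dest_ip` pinning on the SSH and 9100 rules, would close that. The `config forwarding` from clients to wan is also retained even though the network template's policy rules steer client traffic through the launder table, so the firewall alone would not stop clients from egressing via wan if those rules were ever removed; a comment stating that dependency, or dropping the forwarding, is warranted.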
|
@ -0,0 +1,120 @@
|
|||
|
||||
config interface 'loopback'
|
||||
option device 'lo'
|
||||
option proto 'static'
|
||||
option ipaddr '127.0.0.1'
|
||||
option netmask '255.0.0.0'
|
||||
|
||||
config globals 'globals'
|
||||
option packet_steering '1'
|
||||
option ula_prefix 'fd80:b6e3:d4e0::/48'
|
||||
|
||||
config device 'switch'
|
||||
option name 'switch'
|
||||
option type 'bridge'
|
||||
list ports 'eth0'
|
||||
list ports 'eth1'
|
||||
list ports 'eth2'
|
||||
list ports 'eth3'
|
||||
list ports 'eth4'
|
||||
|
||||
config bridge-vlan 'mgmt_vlan'
|
||||
option vlan '1'
|
||||
option device 'switch'
|
||||
list ports 'eth2:u*'
|
||||
list ports 'eth3:u*'
|
||||
list ports 'eth4:u*'
|
||||
|
||||
config bridge-vlan 'clients_vlan'
|
||||
option vlan '2'
|
||||
option device 'switch'
|
||||
list ports 'eth2:t'
|
||||
list ports 'eth3:t'
|
||||
list ports 'eth4:t'
|
||||
|
||||
config bridge-vlan 'wan_vlan'
|
||||
option vlan '3'
|
||||
option device 'switch'
|
||||
list ports 'eth0:u*'
|
||||
list ports 'eth4:t'
|
||||
|
||||
config bridge-vlan 'backoffice_vlan'
|
||||
option vlan '8'
|
||||
option device 'switch'
|
||||
list ports 'eth1:u*'
|
||||
list ports 'eth2:t'
|
||||
list ports 'eth3:t'
|
||||
list ports 'eth4:t'
|
||||
|
||||
config interface 'mgmt'
|
||||
option device 'switch.1'
|
||||
option proto 'static'
|
||||
option ipaddr '10.84.1.1'
|
||||
option netmask '255.255.255.0'
|
||||
|
||||
config interface 'clients'
|
||||
option device 'switch.2'
|
||||
option proto 'static'
|
||||
option ipaddr '10.84.4.1'
|
||||
option netmask '255.255.252.0'
|
||||
|
||||
config interface 'wan'
|
||||
option device 'switch.3'
|
||||
option proto 'dhcp'
|
||||
|
||||
config interface 'wan6'
|
||||
option device 'switch.3'
|
||||
option proto 'dhcpv6'
|
||||
|
||||
config interface 'backoffice'
|
||||
option device 'switch.8'
|
||||
option proto 'static'
|
||||
option ipaddr '10.84.8.1'
|
||||
option netmask '255.255.255.0'
|
||||
|
||||
config interface 'wg0'
|
||||
option proto 'wireguard'
|
||||
option private_key "{{ lookup('passwordstore', 'wg/wg0/gw-core01') }}"
|
||||
option listen_port 51820
|
||||
option mtu 1350
|
||||
list addresses '10.84.254.1/31'
|
||||
|
||||
config wireguard_wg0 'eap_adp_jump01'
|
||||
option public_key "{{ lookup('passwordstore', 'wg/wg0/eae-adp-jump01.pub') }}"
|
||||
option preshared_key "{{ lookup('passwordstore', 'wg/wg0/psk') }}"
|
||||
option endpoint_host '162.55.53.85'
|
||||
option endpoint_port '51820'
|
||||
option route_allowed_ips '0'
|
||||
option persistent_keepalive 15
|
||||
list allowed_ips '0.0.0.0/0'
|
||||
|
||||
config interface 'wg1'
|
||||
option mtu 1350
|
||||
option proto 'wireguard'
|
||||
option private_key "{{ lookup('passwordstore', 'wg/wg1/gw-core01') }}"
|
||||
list addresses '10.64.52.118/32'
|
||||
option ip4table 'launder'
|
||||
|
||||
config wireguard_wg1 'mullvad_fr'
|
||||
option public_key "{{ lookup('passwordstore', 'wg/wg1/mullvad_fr.pub') }}"
|
||||
option endpoint_host "{{ lookup('passwordstore', 'wg/wg1/mullvad_fr.endpoint') | split(':') | first }}"
|
||||
option endpoint_port "{{ lookup('passwordstore', 'wg/wg1/mullvad_fr.endpoint') | split(':') | last }}"
|
||||
option route_allowed_ips '1'
|
||||
option persistent_keepalive 15
|
||||
list allowed_ips '0.0.0.0/0'
|
||||
|
||||
config rule
|
||||
option in 'clients'
|
||||
option dest '10.84.1.0/24'
|
||||
option lookup 'main'
|
||||
option priority 49
|
||||
|
||||
config rule
|
||||
option in 'clients'
|
||||
option lookup 'launder'
|
||||
option priority 50
|
||||
|
||||
config rule
|
||||
option in 'clients'
|
||||
option action prohibit
|
||||
option priority 51
|
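Review bot: The three `config rule` entries at the end (`in 'clients'` → `lookup 'main'` for 10.84.1.0/24, then `lookup 'launder'`, then `action prohibit`) implement the fail-closed path for client traffic, but OpenWrt's `config rule` is IPv4-only; the IPv6 counterpart is `config rule6`, and nothing equivalent is present. Since `wan6` is `proto 'dhcpv6'` and the dhcp template enables `ra 'server'`/`dhcpv6 'server'` on the clients interface, any prefix that ends up assigned to `clients` would let IPv6 client traffic leave via wan6 and bypass the launder tunnel; either mirror the rules as `config rule6` entries (with `option ip6table 'launder'` on wg1 and a prefix actually routed there) or keep IPv6 off the clients interface until that exists. Currently no `ip6assign` is set on clients, mgmt or backoffice, so RA/DHCPv6 has nothing to announce, which is presumably the intent, but worth stating in a comment next to the rules.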
|
@ -0,0 +1,4 @@
|
|||
config prometheus-node-exporter-lua 'main'
|
||||
option listen_interface 'mgmt'
|
||||
option listen_ipv6 '0'
|
||||
option listen_port '9100'
|
|
@ -0,0 +1,22 @@
|
|||
|
||||
config system
|
||||
option hostname 'gw-core01'
|
||||
option timezone 'CET-1CEST,M3.5.0,M10.5.0/3' # Europe/Berlin
|
||||
option ttylogin '0'
|
||||
option log_size '64'
|
||||
option urandom_seed '0'
|
||||
option compat_version '1.1'
|
||||
|
||||
config timeserver 'ntp'
|
||||
option enabled '1'
|
||||
option enable_server '0'
|
||||
list server '0.openwrt.pool.ntp.org'
|
||||
list server '1.openwrt.pool.ntp.org'
|
||||
list server '2.openwrt.pool.ntp.org'
|
||||
list server '3.openwrt.pool.ntp.org'
|
||||
|
||||
config gpio_switch 'poe_passthrough'
|
||||
option name 'PoE Passthrough'
|
||||
option gpio_pin '480'
|
||||
option value '0'
|
||||
|
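Review bot: `option hostname 'gw-core01'` is hard-coded in a template rendered for `hosts: gateways` (a group), whereas the accesspoints system template uses `option hostname '{{ inventory_hostname }}'`; a second gateway provisioned from this file would get the first one's name, so the same Jinja expression belongs here. The inline `# Europe/Berlin` after the timezone value is also the only trailing comment in these UCI files; the others put comments on their own line, so moving `# Europe/Berlin` above the `option timezone` line is safer unless UCI's trailing-comment handling has been confirmed.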
|
@ -0,0 +1,54 @@
|
|||
# The staticd,watchfrr and zebra daemons are always started.
|
||||
#
|
||||
bgpd=no
|
||||
ospfd=yes
|
||||
#ospfd_instances=1,20
|
||||
ospf6d=no
|
||||
ripd=no
|
||||
ripngd=no
|
||||
isisd=no
|
||||
pimd=no
|
||||
ldpd=no
|
||||
nhrpd=no
|
||||
eigrpd=no
|
||||
babeld=no
|
||||
sharpd=no
|
||||
pbrd=no
|
||||
bfdd=no
|
||||
fabricd=no
|
||||
vrrpd=no
|
||||
|
||||
#
|
||||
# If this option is set the /etc/init.d/frr script automatically loads
|
||||
# the config via "vtysh -b" when the servers are started.
|
||||
# Check /etc/pam.d/frr if you intend to use "vtysh"!
|
||||
#
|
||||
vtysh_enable=yes
|
||||
zebra_options=" -A 127.0.0.1 -s 90000000"
|
||||
bgpd_options=" -A 127.0.0.1"
|
||||
ospfd_options=" -A 127.0.0.1"
|
||||
ospf6d_options=" -A ::1"
|
||||
ripd_options=" -A 127.0.0.1"
|
||||
ripngd_options=" -A ::1"
|
||||
isisd_options=" -A 127.0.0.1"
|
||||
pimd_options=" -A 127.0.0.1"
|
||||
ldpd_options=" -A 127.0.0.1"
|
||||
nhrpd_options=" -A 127.0.0.1"
|
||||
eigrpd_options=" -A 127.0.0.1"
|
||||
babeld_options=" -A 127.0.0.1"
|
||||
sharpd_options=" -A 127.0.0.1"
|
||||
pbrd_options=" -A 127.0.0.1"
|
||||
staticd_options="-A 127.0.0.1"
|
||||
bfdd_options=" -A 127.0.0.1"
|
||||
fabricd_options="-A 127.0.0.1"
|
||||
vrrpd_options=" -A 127.0.0.1"
|
||||
|
||||
# The list of daemons to watch is automatically generated by the init script.
|
||||
#watchfrr_options=""
|
||||
|
||||
# for debugging purposes, you can specify a "wrap" command to start instead
|
||||
# of starting the daemon directly, e.g. to use valgrind on ospfd:
|
||||
# ospfd_wrap="/usr/bin/valgrind"
|
||||
# or you can use "all_wrap" for all daemons, e.g. to use perf record:
|
||||
# all_wrap="/usr/bin/perf record --call-graph -"
|
||||
# the normal daemon command is added to this at the end.
|
|
@ -0,0 +1,16 @@
|
|||
password zebra
|
||||
!
|
||||
router ospf
|
||||
redistribute connected
|
||||
!
|
||||
log syslog
|
||||
!
|
||||
interface wg0
|
||||
ip ospf area 0
|
||||
ip ospf network point-to-point
|
||||
!
|
||||
access-list vty permit 127.0.0.0/8
|
||||
access-list vty deny any
|
||||
!
|
||||
line vty
|
||||
access-class vty
|
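Review bot: `password zebra` is FRR's stock example vty password, and this file is rendered by Ansible from the gateways play that already pulls secrets from passwordstore for the WireGuard keys, so it can be a lookup too, e.g. `password "{{ lookup('passwordstore', '<pass-entry-for-frr-vty>') }}"` with the entry name chosen by the maintainer. Exposure is limited because the daemons bind `-A 127.0.0.1` per the daemons file, `access-list vty` permits only 127.0.0.0/8, and the file is installed with mode 0600; still, a well-known password on `line vty` is an unnecessary risk for any local process. `router ospf` with `redistribute connected` will also advertise every connected prefix, including the wan and the wg1/Mullvad address; if only the internal ranges should be visible to the far OSPF end, a `route-map` filter on the `redistribute connected` line keeps the topology leak smaller.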
|
@ -0,0 +1,13 @@
|
|||
#
|
||||
# reserved values
|
||||
#
|
||||
128 prelocal
|
||||
255 local
|
||||
254 main
|
||||
253 default
|
||||
0 unspec
|
||||
20 launder
|
||||
#
|
||||
# local
|
||||
#
|
||||
#1 inr.ruhep
|