gw-core01: fix dns issues

gigacube could not handle amount of dns queries.

* move dns to quad9 and cloudflare
* increase size of dns cache
* increase amount of concurrent dns queries

ansible-inventory

@@ -21,23 +21,70 @@ ap-b634 ip=10.85.1.37 location=tent-3          channel_2g=1  channel_5g=116 txpo
 ap-b6cc ip=10.85.1.39 location=tent-3          channel_2g=6  channel_5g=40  txpower_2g=15 txpower_5g=20
 ap-b682 ip=10.85.1.40 location=tent-3          channel_2g=11 channel_5g=64  txpower_2g=15 txpower_5g=20
 
+ap-116e ip=10.86.1.31 location=p203            disable_2g=1   channel_5g=48  txpower_2g=17 txpower_5g=20
+ap-11c4 ip=10.86.1.32 location=office-security channel_2g=1   channel_5g=36  txpower_2g=17 txpower_5g=20
+ap-1202 ip=10.86.1.33 location=p201            disable_2g=1   channel_5g=153 txpower_2g=17 txpower_5g=20
+ap-12a8 ip=10.86.1.34 location=p104            channel_2g=11  channel_5g=60  txpower_2g=17 txpower_5g=20
+ap-13ac ip=10.86.1.35 location=p106            disable_2g=1   channel_5g=116 txpower_2g=17 txpower_5g=20
+ap-144c ip=10.86.1.36 location=p108            channel_2g=1   channel_5g=140 txpower_2g=17 txpower_5g=20
+ap-12c2 ip=10.86.1.37 location=p207            disable_2g=1   channel_5g=128 txpower_2g=17 txpower_5g=20
+ap-16bc ip=10.86.1.38 location=p205            channel_2g=6   channel_5g=104 txpower_2g=17 txpower_5g=20
+ap-1374 ip=10.86.1.39 location=kitchen-og      disable_2g=1   channel_5g=153 txpower_2g=17 txpower_5g=20
+
 [accesspoints:vars]
 ansible_remote_tmp=/tmp
 garet_profile=aruba-ap-105_22.03
 garet_release=9974455
 
+[aptype_aruba_ap_303]
+ap-11c4
+ap-116e
+ap-1202
+ap-12a8
+ap-13ac
+ap-144c
+ap-12c2
+ap-16bc
+ap-1374
+
+[aptype_aruba_ap_105]
+ap-c5d1
+ap-ac7c
+ap-8f42
+ap-0b99
+ap-c495
+ap-2bbf
+ap-1a38
+ap-8f39
+ap-1293
+ap-b62f
+ap-b656
+ap-b6ee
+ap-b5df
+ap-b6cb
+ap-b641
+ap-b6d7
+ap-b644
+ap-b634
+ap-b6cc
+ap-b682
+
 [switches]
-sw-access01 ip=10.84.1.11 base_mac=bc:cf:4f:e3:bb:8d
-sw-access02 ip=10.84.1.12 base_mac=bc:cf:4f:e3:ac:39
+sw-access01 ip=10.84.1.11 base_mac=bc:cf:4f:e3:bb:8d location=office-social2
+sw-access02 ip=10.84.1.12 base_mac=bc:cf:4f:e3:ac:39 location=tent-5
+sw-access04 ip=10.84.1.14 base_mac=5c:e2:8c:6a:7f:cc location=tent-2
 
 [switches_stock]
-ffl-ans-sw-distribution01 ip=10.85.1.11 base_mac=5c:e2:8c:60:82:fb
-ffl-ans-sw-access01       ip=10.85.1.12 base_mac=04:bf:6d:15:c6:b3
-ffl-ans-sw-access02       ip=10.85.1.13 base_mac=04:bf:6d:15:c6:92
+ffl-ans-sw-distribution01 ip=10.85.1.11 base_mac=5c:e2:8c:60:82:fb sw_type=gs1900-10hp   location=office-facility
+ffl-ans-sw-access01       ip=10.85.1.12 base_mac=04:bf:6d:15:c6:b3 sw_type=gs1900-10hp   location=tent-1
+ffl-ans-sw-access02       ip=10.85.1.13 base_mac=04:bf:6d:15:c6:92 sw_type=gs1900-10hp   location=tent-2
+sax-rgs-sw-access01       ip=10.86.1.11                            sw_type=s2800s-8t2f-p location=p104
+sax-rgs-sw-access02       ip=10.86.1.12                            sw_type=s2800s-8t2f-p location=p204
 
 [gateways]
 gw-core01         ip=10.84.1.1
 ffl-ans-gw-core01 ip=10.85.1.1
+sax-rgs-gw-core01 ip=10.86.1.1 garet_profile=sophos-sg-xxx_22.03 garet_release=601bc29
 
 [gateways:vars]
 ansible_remote_tmp=/tmp
@@ -73,6 +120,7 @@ ap-8f39
 ap-1293
 sw-access01
 sw-access02
+sw-access04
 gw-core01
 hyper01
 monitoring01
@@ -113,3 +161,27 @@ backoffice_wifi_encryption=psk2
 backoffice_wifi_psk="{{ lookup('passwordstore', 'wifi/GU_Arno-Nitzsche-Straße_Backoffice') }}"
 mgmt_gateway=10.85.1.1
 site=ans
+
+[site_rgs]
+sax-rgs-sw-access01
+sax-rgs-sw-access02
+sax-rgs-gw-core01
+ap-11c4
+ap-116e
+ap-1202
+ap-12a8
+ap-13ac
+ap-144c
+ap-12c2
+ap-16bc
+ap-1374
+
+[site_rgs:vars]
+wifi_ssid="{{ lookup('passwordstore', 'wifi/site_rgs_ssid') }}"
+wifi_encryption=none
+wifi_disabled=0
+backoffice_wifi_ssid="{{ lookup('passwordstore', 'wifi/site_rgs_backoffice_ssid') }}"
+backoffice_wifi_encryption=psk2
+backoffice_wifi_psk="{{ lookup('passwordstore', 'wifi/site_rgs_backoffice') }}"
+mgmt_gateway=10.86.1.1
+site=rgs

files/ospfd.conf

@@ -31,4 +31,7 @@ area 0.0.0.0 {
 	interface wg2 {
 		type p2p
 	}
+	interface wg3 {
+		type p2p
+	}
 }

files/pf.wg3.conf

@@ -0,0 +1,11 @@
+# allow incoming udp packets for wg3
+pass in proto udp from any to self port 51823
+
+# allow ospf on wg3
+pass on wg3 proto ospf
+
+# allow prometheus on wg3
+pass on wg3 proto tcp from any to self port 9100
+
+# allow outgoing snmp on wg3
+pass out on wg3 proto udp from self to any port snmp

files/wifi.lua

@@ -7,6 +7,9 @@ local function scrape()
   local metric_wifi_network_noise = metric("wifi_network_noise_dbm","gauge")
   local metric_wifi_network_signal = metric("wifi_network_signal_dbm","gauge")
   local metric_wifi_clients = metric("wifi_network_clients", "gauge")
+  local metric_wifi_airtime_total       = metric("wifi_network_airtime_total", "gauge")
+  local metric_wifi_airtime_busy        = metric("wifi_network_airtime_busy", "gauge")
+  local metric_wifi_airtime_utilization = metric("wifi_network_airtime_utilization", "gauge")
 
   local u = ubus.connect()
   local status = u:call("network.wireless", "status", {})
@@ -19,7 +22,7 @@ local function scrape()
         local labels = {
           channel = iw.channel(ifname),
           ssid = iw.ssid(ifname),
-          bssid = iw.bssid(ifname),
+          bssid = string.lower(iw.bssid(ifname)),
           mode = iw.mode(ifname),
           ifname = ifname,
           country = iw.country(ifname),
@@ -37,11 +40,16 @@ local function scrape()
         local wifi_clients = 0
         for _ in pairs(iw.assoclist(ifname)) do wifi_clients = wifi_clients +1 end
 
+        local hostapd_status = u:call("hostapd." .. ifname, "get_status", {})
+
         metric_wifi_network_quality(labels, quality)
         metric_wifi_network_noise(labels, iw.noise(ifname) or 0)
         metric_wifi_network_bitrate(labels, iw.bitrate(ifname) or 0)
         metric_wifi_network_signal(labels, iw.signal(ifname) or -255)
         metric_wifi_clients(labels, wifi_clients)
+        metric_wifi_airtime_total(labels, hostapd_status.airtime.time)
+        metric_wifi_airtime_busy(labels, hostapd_status.airtime.time_busy)
+        metric_wifi_airtime_utilization(labels, hostapd_status.airtime.utilization)
       end
     end
   end

group_vars/aptype_aruba_ap_105.yml

@@ -0,0 +1,12 @@
+---
+radios:
+  radio0:
+    type:   "mac80211"
+    path:   "pci0000:00/0000:00:11.0"
+    band:   "2g"
+    htmode: "HT20"
+  radio1:
+    type:   "mac80211"
+    path:   "pci0000:00/0000:00:12.0"
+    band:   "5g"
+    htmode: "HT20"

group_vars/aptype_aruba_ap_303.yml

@@ -0,0 +1,12 @@
+---
+radios:
+  radio0:
+    type:   "mac80211"
+    path:   "platform/soc/a000000.wifi"
+    band:   "2g"
+    htmode: "HT20"
+  radio1:
+    type:   "mac80211"
+    path:   "platform/soc/a800000.wifi"
+    band:   "5g"
+    htmode: "VHT20"

playbook_create_switch_configs_stock.yml

@@ -12,5 +12,5 @@
 
     - name: generate configuration
       template:
-        src: templates/gs1900-10hp-stock.cfg.j2
+        src: templates/{{ sw_type }}-stock.cfg.j2
         dest: "switch-configs-stock/{{ inventory_hostname }}.cfg"

playbook_provision_accesspoints.yml

@@ -12,14 +12,26 @@
       notify:
         - "reload {{ item | basename }}"
 
+    - name: distribute custom wifi.lua
+      copy:
+        src: files/wifi.lua
+        dest: /usr/lib/lua/prometheus-collectors/wifi.lua
+        owner: root
+        group: root
+        mode: 0744
+      notify:
+        - restart prometheus-node-exporter-lua
+
   handlers:
     - name: reload network
       service:
         name: network
         state: reloaded
+      when: skip_wifi is not defined
 
     - name: reload wireless
       command: wifi reconf
+      when: skip_wifi is not defined
 
     - name: reload system
       service:
@@ -30,3 +42,8 @@
       service:
         name: lldpd
         state: reloaded
+
+    - name: restart prometheus-node-exporter-lua
+      service:
+        name: prometheus-node-exporter-lua
+        state: restarted

templates/accesspoints/etc/config/wireless

@@ -1,15 +1,20 @@
 
+{% set radio=radios['radio0'] %}
 config wifi-device 'radio0'
-        option type 'mac80211'
-        option path 'pci0000:00/0000:00:11.0'
-        option band '2g'
+        option type '{{ radio.type }}'
+        option path '{{ radio.path }}'
+        option band '{{ radio.band }}'
         option channel '{{ channel_2g | default(1) }}'
-        option htmode 'HT20'
+        option htmode '{{ radio.htmode }}'
         option country 'DE'
 {% if txpower_2g is defined %}
         option txpower '{{ txpower_2g }}'
 {% endif %}
+{% if disable_2g is defined %}
+        option disabled '1'
+{% else %}
         option disabled '0'
+{% endif %}
 
 config wifi-iface 'default_radio0'
         option device 'radio0'
@@ -33,17 +38,22 @@ config wifi-iface 'backoffice_radio0'
         option disabled '1'
 {% endif %}
 
+{% set radio=radios['radio1'] %}
 config wifi-device 'radio1'
-        option type 'mac80211'
-        option path 'pci0000:00/0000:00:12.0'
-        option band '5g'
+        option type '{{ radio.type }}'
+        option path '{{ radio.path }}'
+        option band '{{ radio.band }}'
         option channel '{{ channel_5g | default(36) }}'
-        option htmode 'HT20'
+        option htmode '{{ radio.htmode }}'
         option country 'DE'
 {% if txpower_5g is defined %}
         option txpower '{{ txpower_5g }}'
 {% endif %}
+{% if disable_5g is defined %}
+        option disabled '1'
+{% else %}
         option disabled '0'
+{% endif %}
 
 config wifi-iface 'default_radio1'
         option device 'radio1'

templates/gateways/ffl-ans-gw-core01/etc/config/network

@@ -22,30 +22,24 @@ config bridge-vlan 'mgmt_vlan'
         option vlan '1'
         option device 'switch'
         list ports 'eth1:u*'
-        list ports 'eth2:u*'
-        list ports 'eth3:u*'
 
 config bridge-vlan 'clients_vlan'
         option vlan '2'
         option device 'switch'
         list ports 'eth1:t'
-        list ports 'eth2:t'
-        list ports 'eth3:t'
+        list ports 'eth3:u*'
 
 config bridge-vlan 'wan_vlan'
         option vlan '3'
         option device 'switch'
         list ports 'eth0:u*'
         list ports 'eth1:t'
-        list ports 'eth2:t'
-        list ports 'eth3:t'
+        list ports 'eth2:u*'
 
 config bridge-vlan 'backoffice_vlan'
         option vlan '8'
         option device 'switch'
         list ports 'eth1:t'
-        list ports 'eth2:t'
-        list ports 'eth3:t'
 
 config interface 'mgmt'
         option device 'switch.1'

templates/gateways/gw-core01/etc/config/dhcp

@@ -17,6 +17,8 @@ config dnsmasq
 	option nonwildcard '1'
 	option localservice '1'
 	option ednspacket_max '1232'
+	option dnsforwardmax 300
+	option cachesize 900
 
 config dhcp 'mgmt'
 	option interface 'mgmt'

templates/gateways/gw-core01/etc/config/network

@@ -74,6 +74,9 @@ config interface 'clients'
 config interface 'wan'
         option device 'switch.3'
         option proto 'dhcp'
+        option peerdns '0'
+        list dns '9.9.9.9'
+        list dns '1.1.1.1'
 
 config interface 'wan6'
         option device 'switch.3'
@@ -105,7 +108,7 @@ config interface 'wg1'
         option mtu 1420
         option proto 'wireguard'
         option private_key "{{ lookup('passwordstore', 'wg/wg1/gw-core01') }}"
-        list addresses '10.64.52.118/32'
+        list addresses '10.64.70.162/32'
         option ip4table 'launder'
 
 config wireguard_wg1 'mullvad_fr'

templates/gateways/sax-rgs-gw-core01/etc/config/dhcp

@@ -0,0 +1,69 @@
+
+config dnsmasq
+	option domainneeded '1'
+	option boguspriv '1'
+	option filterwin2k '0'
+	option localise_queries '1'
+	option rebind_protection '0'
+	option rebind_localhost '1'
+	option local '/lan/'
+	option domain 'lan'
+	option expandhosts '1'
+	option nonegcache '0'
+	option authoritative '1'
+	option readethers '1'
+	option leasefile '/etc/dhcp.leases'
+	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
+	option nonwildcard '1'
+	option localservice '1'
+	option ednspacket_max '1232'
+
+config dhcp 'mgmt'
+	option interface 'mgmt'
+	option start '100'
+	option limit '150'
+	option leasetime '12h'
+	option dhcpv4 'server'
+	option dhcpv6 'server'
+	option ra 'server'
+	option ra_slaac '1'
+	list ra_flags 'managed-config'
+	list ra_flags 'other-config'
+
+config dhcp 'clients'
+        option interface 'clients'
+        # from: 10.86.4.2
+        # to: 10.86.7.254
+        # start: 2
+        # limit: 1020
+        option start '2'
+        option limit '1020'
+        option leasetime '12h'
+        option dhcpv4 'server'
+        option dhcpv6 'server'
+        option ra 'server'
+        option ra_slaac '1'
+        list ra_flags 'managed-config'
+        list ra_flags 'other-config'
+
+config dhcp 'backoffice'
+	option interface 'backoffice'
+	option start '100'
+	option limit '150'
+	option leasetime '12h'
+	option dhcpv4 'server'
+	option dhcpv6 'server'
+	option ra 'server'
+	option ra_slaac '1'
+	list ra_flags 'managed-config'
+	list ra_flags 'other-config'
+
+config dhcp 'wan'
+	option interface 'wan'
+	option ignore '1'
+
+config odhcpd 'odhcpd'
+	option maindhcp '0'
+	option leasefile '/tmp/hosts/odhcpd'
+	option leasetrigger '/usr/sbin/odhcpd-update'
+	option loglevel '4'

templates/gateways/sax-rgs-gw-core01/etc/config/firewall

@@ -0,0 +1,352 @@
+config defaults
+	option syn_flood	1
+	option input		REJECT
+	option output		ACCEPT
+	option forward		REJECT
+# Uncomment this line to disable ipv6 rules
+#	option disable_ipv6	1
+
+config zone
+	option name		mgmt
+	list   network		'mgmt'
+	option input		ACCEPT
+	option output		ACCEPT
+	option forward		REJECT
+
+config zone
+	option name		clients
+	list network		clients
+	option input		REJECT
+	option output		ACCEPT
+	option forward		REJECT
+
+config zone
+	option name		backoffice
+	list   network		'backoffice'
+	option input		REJECT
+	option output		ACCEPT
+	option forward		REJECT
+
+config zone
+	option name		launder
+	list network		wg4
+	list network		wg5
+	option input		REJECT
+	option output		ACCEPT
+	option forward		REJECT
+	option masq 		1
+	option mtu_fix		1
+
+config forwarding
+	option src		clients
+	option dest		launder
+
+config zone
+	option name		backbone
+	list network		wg3
+	option input		REJECT
+	option output 		ACCEPT
+	option forward		REJECT
+
+ config rule
+        option name             CLIENTS_Allow-DHCP
+        option src              clients
+        option proto            udp
+        option dest_port        67-68
+        option target           ACCEPT
+        option family           ipv4
+
+config rule
+        option name             CLIENTS_Allow-DNS
+        option src              clients
+        option proto            udp
+        option dest_port        53
+        option target           ACCEPT
+
+config rule
+	option name		From-BACKBONE-Allow-OSPF
+	option src		backbone
+	option proto		ospf
+	option target		ACCEPT
+
+config rule
+	option name		From-BACKBONE-Allow-Prometheus
+	option src		backbone
+	option proto		tcp
+	option dest_port	9100
+	option target		ACCEPT
+
+config rule
+	option name		From-BACKBONE-Into-MGMT-Allow-SNMP
+	option src		backbone
+	option dest		mgmt
+	option proto		udp
+	option dest_port	161
+	option target		ACCEPT
+
+config rule
+	option name		From-Any-Allow-SSH
+	option src		*
+	option proto		tcp
+	option dest_port	22
+	option target		ACCEPT
+
+config rule
+	option name		Into-MGMT-Allow-SSH
+	option src		*
+	option dest		mgmt
+	option proto		tcp
+	option dest_port	22
+	option target		ACCEPT
+
+config rule
+	option name		Into-MGMT-Allow-ICMP
+	option src		*
+	option dest		mgmt
+	option proto		icmp
+	option target		ACCEPT
+
+config rule
+	option name		Into-MGMT-Allow-Prometheus
+	option src		*
+	option dest		mgmt
+	option proto		tcp
+	option dest_port	9100
+	option target		ACCEPT
+
+config rule
+	option name		From-MGMT-Into-BACKBONE-Allow-Prometheus
+	option src		mgmt
+	option dest		backbone
+	option proto		tcp
+	option dest_port	9100
+	option target		ACCEPT
+
+config rule
+	option name		Into-MGMT-Allow-Prometheus-WebGUI-On-monitoring01
+	option src		*
+	option dest		mgmt
+	option proto		tcp
+	option dest_ip		10.84.1.51
+	option dest_port	9090
+	option target		ACCEPT
+
+config zone
+	option name		wan
+	list   network		'wan'
+	list   network		'wan6'
+	option input		REJECT
+	option output		ACCEPT
+	option forward		REJECT
+	option masq		1
+	option mtu_fix		1
+
+config forwarding
+	option src		mgmt
+	option dest		wan
+
+config forwarding
+	option src		backoffice
+	option dest		wan
+
+# We need to accept udp packets on port 68,
+# see https://dev.openwrt.org/ticket/4108
+config rule
+	option name		Allow-DHCP-Renew
+	option src		wan
+	option proto		udp
+	option dest_port	68
+	option target		ACCEPT
+	option family		ipv4
+
+config rule
+	option name		Allow-Ping
+	option src		*
+	option proto		icmp
+	option icmp_type	echo-request
+	option target		ACCEPT
+
+config rule
+	option name		Allow-IGMP
+	option src		wan
+	option proto		igmp
+	option family		ipv4
+	option target		ACCEPT
+
+# Allow DHCPv6 replies
+# see https://dev.openwrt.org/ticket/10381
+config rule
+	option name		Allow-DHCPv6
+	option src		wan
+	option proto		udp
+	option src_ip		fc00::/6
+	option dest_ip		fc00::/6
+	option dest_port	546
+	option family		ipv6
+	option target		ACCEPT
+
+config rule
+	option name		Allow-MLD
+	option src		wan
+	option proto		icmp
+	option src_ip		fe80::/10
+	list icmp_type		'130/0'
+	list icmp_type		'131/0'
+	list icmp_type		'132/0'
+	list icmp_type		'143/0'
+	option family		ipv6
+	option target		ACCEPT
+
+# Allow essential incoming IPv6 ICMP traffic
+config rule
+	option name		Allow-ICMPv6-Input
+	option src		wan
+	option proto	icmp
+	list icmp_type		echo-request
+	list icmp_type		echo-reply
+	list icmp_type		destination-unreachable
+	list icmp_type		packet-too-big
+	list icmp_type		time-exceeded
+	list icmp_type		bad-header
+	list icmp_type		unknown-header-type
+	list icmp_type		router-solicitation
+	list icmp_type		neighbour-solicitation
+	list icmp_type		router-advertisement
+	list icmp_type		neighbour-advertisement
+	option limit		1000/sec
+	option family		ipv6
+	option target		ACCEPT
+
+# Allow essential forwarded IPv6 ICMP traffic
+config rule
+	option name		Allow-ICMPv6-Forward
+	option src		wan
+	option dest		*
+	option proto		icmp
+	list icmp_type		echo-request
+	list icmp_type		echo-reply
+	list icmp_type		destination-unreachable
+	list icmp_type		packet-too-big
+	list icmp_type		time-exceeded
+	list icmp_type		bad-header
+	list icmp_type		unknown-header-type
+	option limit		1000/sec
+	option family		ipv6
+	option target		ACCEPT
+
+config rule
+	option name		Allow-IPSec-ESP
+	option src		wan
+	option dest		backoffice
+	option proto		esp
+	option target		ACCEPT
+
+config rule
+	option name		Allow-ISAKMP
+	option src		wan
+	option dest		backoffice
+	option dest_port	500
+	option proto		udp
+	option target		ACCEPT
+
+config rule
+	option name		WAN_Allow-SSH
+	option src		wan
+	option dest_port	22
+	option proto		tcp
+	option target		ACCEPT
+
+# allow interoperability with traceroute classic
+# note that traceroute uses a fixed port range, and depends on getting
+# back ICMP Unreachables.  if we're operating in DROP mode, it won't
+# work so we explicitly REJECT packets on these ports.
+config rule
+	option name		Support-UDP-Traceroute
+	option src		wan
+	option dest_port	33434:33689
+	option proto		udp
+	option family		ipv4
+	option target		REJECT
+	option enabled		false
+
+config rule
+	option name		BACKOFFICE_Allow-DHCP
+	option src		backoffice
+	option proto		udp
+	option dest_port	67-68
+	option target		ACCEPT
+	option family		ipv4
+
+config rule
+	option name		BACKOFFICE_Allow-DNS
+	option src		backoffice
+	option proto		udp
+	option dest_port	53
+	option target		ACCEPT
+	option family		ipv4
+
+
+# include a file with users custom iptables rules
+config include
+	option path /etc/firewall.user
+
+
+### EXAMPLE CONFIG SECTIONS
+# do not allow a specific ip to access wan
+#config rule
+#	option src		mgmt
+#	option src_ip	192.168.45.2
+#	option dest		wan
+#	option proto	tcp
+#	option target	REJECT
+
+# block a specific mac on wan
+#config rule
+#	option dest		wan
+#	option src_mac	00:11:22:33:44:66
+#	option target	REJECT
+
+# block incoming ICMP traffic on a zone
+#config rule
+#	option src		mgmt
+#	option proto	ICMP
+#	option target	DROP
+
+# port redirect port coming in on wan to lan
+#config redirect
+#	option src			wan
+#	option src_dport	80
+#	option dest			lan
+#	option dest_ip		192.168.16.235
+#	option dest_port	80
+#	option proto		tcp
+
+# port redirect of remapped ssh port (22001) on wan
+#config redirect
+#	option src		wan
+#	option src_dport	22001
+#	option dest		lan
+#	option dest_port	22
+#	option proto		tcp
+
+### FULL CONFIG SECTIONS
+#config rule
+#	option src		lan
+#	option src_ip	192.168.45.2
+#	option src_mac	00:11:22:33:44:55
+#	option src_port	80
+#	option dest		wan
+#	option dest_ip	194.25.2.129
+#	option dest_port	120
+#	option proto	tcp
+#	option target	REJECT
+
+#config redirect
+#	option src		lan
+#	option src_ip	192.168.45.2
+#	option src_mac	00:11:22:33:44:55
+#	option src_port		1024
+#	option src_dport	80
+#	option dest_ip	194.25.2.129
+#	option dest_port	120
+#	option proto	tcp

templates/gateways/sax-rgs-gw-core01/etc/config/network

@@ -0,0 +1,141 @@
+
+config interface 'loopback'
+        option device 'lo'
+        option proto 'static'
+        option ipaddr '127.0.0.1'
+        option netmask '255.0.0.0'
+
+config globals 'globals'
+        option packet_steering '1'
+
+config device 'switch'
+        option name 'switch'
+        option type 'bridge'
+        option vlan_filtering 1
+        list ports 'eth0'
+        list ports 'eth1'
+        list ports 'eth2'
+        list ports 'eth3'
+        list ports 'eth4'
+        list ports 'eth5'
+        list ports 'eth6'
+        list ports 'eth7'
+
+config bridge-vlan 'mgmt_vlan'
+        option vlan '1'
+        option device 'switch'
+        list ports 'eth1:u*'
+        list ports 'eth2:u*'
+        list ports 'eth3:u*'
+        list ports 'eth4:u*'
+        list ports 'eth5:u*'
+        list ports 'eth6:u*'
+
+config bridge-vlan 'clients_vlan'
+        option vlan '2'
+        option device 'switch'
+        list ports 'eth1:t'
+        list ports 'eth2:t'
+        list ports 'eth3:t'
+        list ports 'eth4:t'
+        list ports 'eth5:t'
+        list ports 'eth6:t'
+
+config bridge-vlan 'wan_vlan'
+        option vlan '3'
+        option device 'switch'
+        list ports 'eth0:u*'
+
+config bridge-vlan 'backoffice_vlan'
+        option vlan '8'
+        option device 'switch'
+        list ports 'eth1:t'
+        list ports 'eth2:t'
+        list ports 'eth3:t'
+        list ports 'eth4:t'
+        list ports 'eth5:t'
+        list ports 'eth6:t'
+        list ports 'eth7:u*'
+
+config interface 'mgmt'
+        option device 'switch.1'
+        option proto 'static'
+        option ipaddr '10.86.1.1'
+        option netmask '255.255.255.0'
+
+config interface 'wan'
+        option device 'switch.3'
+        option proto 'dhcp'
+
+config interface 'wan6'
+        option device 'switch.3'
+        option proto 'dhcpv6'
+
+config interface 'clients'
+        option device 'switch.2'
+        option proto 'static'
+        option ipaddr '10.86.4.1'
+        option netmask '255.255.252.0'
+
+config interface 'backoffice'
+        option device 'switch.8'
+        option proto 'static'
+        option ipaddr '10.86.8.1'
+        option netmask '255.255.255.0'
+
+config interface 'wg3'
+        option proto 'wireguard'
+        option private_key "{{ lookup('passwordstore', 'wg/wg3/sax-rgs-gw-core01') }}"
+        option listen_port 51823
+        option mtu 1350
+        list addresses '10.86.254.1/31'
+        option disabled '0'
+
+config wireguard_wg3 'eap_adp_jump01'
+        option public_key "{{ lookup('passwordstore', 'wg/wg3/eae-adp-jump01.pub') }}"
+        option preshared_key "{{ lookup('passwordstore', 'wg/wg3/psk') }}"
+        option endpoint_host '162.55.53.85'
+        option endpoint_port '51823'
+        option route_allowed_ips '0'
+        option persistent_keepalive 15
+        list allowed_ips '0.0.0.0/0'
+
+config interface 'wg4'
+        option proto 'wireguard'
+        option private_key "{{ lookup('passwordstore', 'wg/wg4/sax-rgs-gw-core01') }}"
+        list addresses 'fe80:2131:27:189::2/64'
+        option disabled '0'
+
+# routes 2a0e:8f02:f000:2e61::1/64 to the link-local of wg4
+config wireguard_wg4 'core_mowoe_com'
+        option public_key "{{ lookup('passwordstore', 'wg/wg4/core.mowoe.com.pub') }}"
+        option endpoint_host 'core.mowoe.com'
+        option endpoint_port '51821'
+        option route_allowed_ips '0'
+        option persistent_keepalive 15
+        list allowed_ips '::/0'
+
+config interface 'wg5'
+        option ip4table 'launder'
+        option proto 'wireguard'
+        option private_key "{{ lookup('passwordstore', 'wg/wg5/sax-rgs-gw-core01') }}"
+        list addresses '10.67.171.28'
+        option disabled '0'
+
+config wireguard_wg5 'mullvad'
+        option public_key "{{ lookup('passwordstore', 'wg/wg5/mullvad.pub') }}"
+        option endpoint_host '146.70.117.162'
+        option endpoint_port '51820'
+        option route_allowed_ips '1'
+        option persistent_keepalive 15
+        list allowed_ips '0.0.0.0/0'
+
+config rule
+        option in 'clients'
+        option lookup 'launder'
+        option priority 50
+
+config rule
+        option in 'clients'
+        option action prohibit
+        option priority 51

templates/gateways/sax-rgs-gw-core01/etc/frr/frr.conf

@@ -0,0 +1,16 @@
+password zebra
+!
+router ospf
+  redistribute connected
+!
+log syslog
+!
+interface wg3
+  ip ospf area 0
+  ip ospf network point-to-point
+!
+access-list vty permit 127.0.0.0/8
+access-list vty deny any
+!
+line vty
+ access-class vty

templates/gateways/sax-rgs-gw-core01/etc/iproute2/rt_tables

@@ -0,0 +1,13 @@
+#
+# reserved values
+#
+128	prelocal
+255	local
+254	main
+253	default
+0	unspec
+20	launder
+#
+# local
+#
+#1	inr.ruhep

templates/grafana/dashboards/dashboard_overview_community_accomodations.json

@@ -1,53 +1,38 @@
 {
-  "__inputs": [],
-  "__requires": [
-    {
-      "type": "panel",
-      "id": "bargauge",
-      "name": "Bar gauge",
-      "version": ""
-    },
-    {
-      "type": "panel",
-      "id": "gauge",
-      "name": "Gauge",
-      "version": ""
-    },
-    {
-      "type": "grafana",
-      "id": "grafana",
-      "name": "Grafana",
-      "version": "7.5.11"
-    },
-    {
-      "type": "panel",
-      "id": "graph",
-      "name": "Graph",
-      "version": ""
-    }
-  ],
   "annotations": {
     "list": [
       {
         "builtIn": 1,
-        "datasource": "-- Grafana --",
+        "datasource": {
+          "type": "datasource",
+          "uid": "grafana"
+        },
         "enable": true,
         "hide": true,
         "iconColor": "rgba(0, 211, 255, 1)",
         "name": "Annotations & Alerts",
+        "target": {
+          "limit": 100,
+          "matchAny": false,
+          "tags": [],
+          "type": "dashboard"
+        },
         "type": "dashboard"
       }
     ]
   },
   "editable": true,
-  "gnetId": null,
+  "fiscalYearStartMonth": 0,
   "graphTooltip": 0,
-  "id": null,
-  "iteration": 1669161748754,
+  "id": 4,
   "links": [],
+  "liveNow": false,
   "panels": [
     {
-      "datasource": null,
+      "datasource": {
+        "type": "prometheus",
+        "uid": "aUZtGMdVk"
+      },
       "gridPos": {
         "h": 1,
         "w": 24,
@@ -55,6 +40,15 @@
         "y": 0
       },
       "id": 11,
+      "targets": [
+        {
+          "datasource": {
+            "type": "prometheus",
+            "uid": "aUZtGMdVk"
+          },
+          "refId": "A"
+        }
+      ],
       "title": "Internet",
       "type": "row"
     },
@@ -63,7 +57,10 @@
       "bars": false,
       "dashLength": 10,
       "dashes": false,
-      "datasource": null,
+      "datasource": {
+        "type": "prometheus",
+        "uid": "aUZtGMdVk"
+      },
       "fieldConfig": {
         "defaults": {
           "unit": "bps"
@@ -96,7 +93,7 @@
         "alertThreshold": true
       },
       "percentage": false,
-      "pluginVersion": "7.5.11",
+      "pluginVersion": "9.0.6",
       "pointradius": 2,
       "points": false,
       "renderer": "flot",
@@ -112,6 +109,10 @@
       "steppedLine": false,
       "targets": [
         {
+          "datasource": {
+            "type": "prometheus",
+            "uid": "aUZtGMdVk"
+          },
           "exemplar": true,
           "expr": "irate(node_network_receive_bytes_total{site=\"$site\",job=\"gateways\",device=\"eth0\"}[$__rate_interval]) * 8",
           "interval": "",
@@ -119,6 +120,10 @@
           "refId": "rx"
         },
         {
+          "datasource": {
+            "type": "prometheus",
+            "uid": "aUZtGMdVk"
+          },
           "exemplar": true,
           "expr": "irate(node_network_transmit_bytes_total{site=\"$site\",job=\"gateways\",device=\"eth0\"}[$__rate_interval]) * 8",
           "hide": false,
@@ -128,9 +133,7 @@
         }
       ],
       "thresholds": [],
-      "timeFrom": null,
       "timeRegions": [],
-      "timeShift": null,
       "title": "upstream bandwith",
       "tooltip": {
         "shared": true,
@@ -139,37 +142,31 @@
       },
       "type": "graph",
       "xaxis": {
-        "buckets": null,
         "mode": "time",
-        "name": null,
         "show": true,
         "values": []
       },
       "yaxes": [
         {
           "format": "bps",
-          "label": null,
           "logBase": 1,
-          "max": null,
-          "min": null,
           "show": true
         },
         {
           "format": "short",
-          "label": null,
           "logBase": 1,
-          "max": null,
-          "min": null,
           "show": true
         }
       ],
       "yaxis": {
-        "align": false,
-        "alignLevel": null
+        "align": false
       }
     },
     {
-      "datasource": null,
+      "datasource": {
+        "type": "prometheus",
+        "uid": "aUZtGMdVk"
+      },
       "fieldConfig": {
         "defaults": {
           "color": {
@@ -199,6 +196,8 @@
       "id": 9,
       "options": {
         "displayMode": "gradient",
+        "minVizHeight": 10,
+        "minVizWidth": 0,
         "orientation": "vertical",
         "reduceOptions": {
           "calcs": [
@@ -210,9 +209,13 @@
         "showUnfilled": true,
         "text": {}
       },
-      "pluginVersion": "7.5.11",
+      "pluginVersion": "9.0.6",
       "targets": [
         {
+          "datasource": {
+            "type": "prometheus",
+            "uid": "aUZtGMdVk"
+          },
           "exemplar": true,
           "expr": "increase(node_network_receive_bytes_total{site=\"$site\",job=\"gateways\",device=~\"eth0\"}[$__range])",
           "instant": true,
@@ -221,6 +224,10 @@
           "refId": "A"
         },
         {
+          "datasource": {
+            "type": "prometheus",
+            "uid": "aUZtGMdVk"
+          },
           "exemplar": true,
           "expr": "increase(node_network_transmit_bytes_total{site=\"$site\",job=\"gateways\",device=~\"eth0\"}[$__range])",
           "hide": false,
@@ -236,7 +243,10 @@
     },
     {
       "collapsed": false,
-      "datasource": null,
+      "datasource": {
+        "type": "prometheus",
+        "uid": "aUZtGMdVk"
+      },
       "gridPos": {
         "h": 1,
         "w": 24,
@@ -245,6 +255,15 @@
       },
       "id": 5,
       "panels": [],
+      "targets": [
+        {
+          "datasource": {
+            "type": "prometheus",
+            "uid": "aUZtGMdVk"
+          },
+          "refId": "A"
+        }
+      ],
       "title": "Wifi",
       "type": "row"
     },
@@ -253,10 +272,9 @@
       "bars": false,
       "dashLength": 10,
       "dashes": false,
-      "datasource": null,
-      "fieldConfig": {
-        "defaults": {},
-        "overrides": []
+      "datasource": {
+        "type": "prometheus",
+        "uid": "aUZtGMdVk"
       },
       "fill": 1,
       "fillGradient": 0,
@@ -285,7 +303,7 @@
         "alertThreshold": true
       },
       "percentage": false,
-      "pluginVersion": "7.5.11",
+      "pluginVersion": "9.0.6",
       "pointradius": 2,
       "points": false,
       "renderer": "flot",
@@ -295,6 +313,10 @@
       "steppedLine": false,
       "targets": [
         {
+          "datasource": {
+            "type": "prometheus",
+            "uid": "aUZtGMdVk"
+          },
           "exemplar": true,
           "expr": "sum (wifi_network_clients{site=\"$site\"})",
           "interval": "",
@@ -303,9 +325,7 @@
         }
       ],
       "thresholds": [],
-      "timeFrom": null,
       "timeRegions": [],
-      "timeShift": null,
       "title": "wifi clients over time",
       "tooltip": {
         "shared": true,
@@ -314,37 +334,126 @@
       },
       "type": "graph",
       "xaxis": {
-        "buckets": null,
         "mode": "time",
-        "name": null,
         "show": true,
         "values": []
       },
       "yaxes": [
         {
           "format": "short",
-          "label": null,
           "logBase": 1,
-          "max": null,
-          "min": null,
           "show": true
         },
         {
           "format": "short",
-          "label": null,
           "logBase": 1,
-          "max": null,
-          "min": null,
           "show": true
         }
       ],
       "yaxis": {
-        "align": false,
-        "alignLevel": null
+        "align": false
       }
     },
     {
-      "datasource": null,
+      "datasource": {
+        "type": "prometheus",
+        "uid": "aUZtGMdVk"
+      },
+      "fieldConfig": {
+        "defaults": {
+          "color": {
+            "mode": "palette-classic"
+          },
+          "custom": {
+            "axisLabel": "",
+            "axisPlacement": "auto",
+            "barAlignment": 0,
+            "drawStyle": "line",
+            "fillOpacity": 0,
+            "gradientMode": "none",
+            "hideFrom": {
+              "legend": false,
+              "tooltip": false,
+              "viz": false
+            },
+            "lineInterpolation": "linear",
+            "lineWidth": 1,
+            "pointSize": 5,
+            "scaleDistribution": {
+              "type": "linear"
+            },
+            "showPoints": "auto",
+            "spanNulls": false,
+            "stacking": {
+              "group": "A",
+              "mode": "none"
+            },
+            "thresholdsStyle": {
+              "mode": "area"
+            }
+          },
+          "mappings": [],
+          "max": 1,
+          "thresholds": {
+            "mode": "absolute",
+            "steps": [
+              {
+                "color": "green",
+                "value": null
+              },
+              {
+                "color": "#EAB839",
+                "value": 0.5
+              },
+              {
+                "color": "red",
+                "value": 0.7
+              }
+            ]
+          },
+          "unit": "percentunit"
+        },
+        "overrides": []
+      },
+      "gridPos": {
+        "h": 8,
+        "w": 24,
+        "x": 0,
+        "y": 13
+      },
+      "id": 21,
+      "options": {
+        "legend": {
+          "calcs": [],
+          "displayMode": "table",
+          "placement": "bottom"
+        },
+        "tooltip": {
+          "mode": "single",
+          "sort": "none"
+        }
+      },
+      "targets": [
+        {
+          "datasource": {
+            "type": "prometheus",
+            "uid": "aUZtGMdVk"
+          },
+          "editorMode": "code",
+          "expr": "sum(increase(wifi_network_airtime_busy{site=\"$site\"}[$__rate_interval])) by (instance,device) / sum(increase(wifi_network_airtime_total{site=\"$site\"}[$__rate_interval])) by (instance,device)",
+          "legendFormat": "__auto",
+          "range": true,
+          "refId": "A"
+        }
+      ],
+      "title": "wifi airtime utilization",
+      "type": "timeseries"
+    },
+    {
+      "datasource": {
+        "type": "prometheus",
+        "uid": "aUZtGMdVk"
+      },
       "description": "",
       "fieldConfig": {
         "defaults": {
@@ -370,11 +479,13 @@
         "h": 8,
         "w": 12,
         "x": 0,
-        "y": 13
+        "y": 21
       },
       "id": 3,
       "options": {
         "displayMode": "gradient",
+        "minVizHeight": 10,
+        "minVizWidth": 0,
         "orientation": "horizontal",
         "reduceOptions": {
           "calcs": [
@@ -386,9 +497,13 @@
         "showUnfilled": true,
         "text": {}
       },
-      "pluginVersion": "7.5.11",
+      "pluginVersion": "9.0.6",
       "targets": [
         {
+          "datasource": {
+            "type": "prometheus",
+            "uid": "aUZtGMdVk"
+          },
           "exemplar": true,
           "expr": "sort(sum (wifi_network_clients{site=\"$site\"}) by (location))",
           "hide": false,
@@ -398,6 +513,10 @@
           "refId": "by all"
         },
         {
+          "datasource": {
+            "type": "prometheus",
+            "uid": "aUZtGMdVk"
+          },
           "exemplar": true,
           "expr": "sum (wifi_network_clients{site=\"$site\"})",
           "hide": false,
@@ -411,7 +530,10 @@
       "type": "bargauge"
     },
     {
-      "datasource": null,
+      "datasource": {
+        "type": "prometheus",
+        "uid": "aUZtGMdVk"
+      },
       "fieldConfig": {
         "defaults": {
           "color": {
@@ -439,11 +561,13 @@
         "h": 8,
         "w": 12,
         "x": 12,
-        "y": 13
+        "y": 21
       },
       "id": 13,
       "options": {
         "displayMode": "gradient",
+        "minVizHeight": 10,
+        "minVizWidth": 0,
         "orientation": "horizontal",
         "reduceOptions": {
           "calcs": [
@@ -455,9 +579,13 @@
         "showUnfilled": true,
         "text": {}
       },
-      "pluginVersion": "7.5.11",
+      "pluginVersion": "9.0.6",
       "targets": [
         {
+          "datasource": {
+            "type": "prometheus",
+            "uid": "aUZtGMdVk"
+          },
           "exemplar": true,
           "expr": "sort(sum (wifi_network_clients{site=\"$site\"}) by (instance))",
           "instant": true,
@@ -479,7 +607,10 @@
       "type": "bargauge"
     },
     {
-      "datasource": null,
+      "datasource": {
+        "type": "prometheus",
+        "uid": "aUZtGMdVk"
+      },
       "fieldConfig": {
         "defaults": {
           "color": {
@@ -504,10 +635,11 @@
         "h": 7,
         "w": 18,
         "x": 0,
-        "y": 21
+        "y": 29
       },
       "id": 17,
       "options": {
+        "orientation": "auto",
         "reduceOptions": {
           "calcs": [
             "lastNotNull"
@@ -519,9 +651,13 @@
         "showThresholdMarkers": true,
         "text": {}
       },
-      "pluginVersion": "7.5.11",
+      "pluginVersion": "9.0.6",
       "targets": [
         {
+          "datasource": {
+            "type": "prometheus",
+            "uid": "aUZtGMdVk"
+          },
           "exemplar": true,
           "expr": "sort(wifi_network_bitrate{site=\"$site\"} != 0)",
           "instant": true,
@@ -557,7 +693,10 @@
       "type": "gauge"
     },
     {
-      "datasource": null,
+      "datasource": {
+        "type": "prometheus",
+        "uid": "aUZtGMdVk"
+      },
       "fieldConfig": {
         "defaults": {
           "color": {
@@ -585,11 +724,13 @@
         "h": 7,
         "w": 6,
         "x": 18,
-        "y": 21
+        "y": 29
       },
       "id": 15,
       "options": {
         "displayMode": "gradient",
+        "minVizHeight": 10,
+        "minVizWidth": 0,
         "orientation": "auto",
         "reduceOptions": {
           "calcs": [
@@ -601,9 +742,13 @@
         "showUnfilled": true,
         "text": {}
       },
-      "pluginVersion": "7.5.11",
+      "pluginVersion": "9.0.6",
       "targets": [
         {
+          "datasource": {
+            "type": "prometheus",
+            "uid": "aUZtGMdVk"
+          },
           "exemplar": true,
           "expr": "sum(wifi_network_clients{site=\"$site\",device=\"radio0\"})",
           "interval": "",
@@ -611,6 +756,10 @@
           "refId": "A"
         },
         {
+          "datasource": {
+            "type": "prometheus",
+            "uid": "aUZtGMdVk"
+          },
           "exemplar": true,
           "expr": "sum(wifi_network_clients{site=\"$site\",device=\"radio1\"})",
           "hide": false,
@@ -624,51 +773,49 @@
     }
   ],
   "refresh": false,
-  "schemaVersion": 27,
+  "schemaVersion": 36,
   "style": "dark",
   "tags": [],
   "templating": {
     "list": [
       {
-        "allValue": null,
         "current": {
           "selected": true,
           "text": "adp",
           "value": "adp"
         },
+        "datasource": {
+          "type": "prometheus",
+          "uid": "aUZtGMdVk"
+        },
+        "definition": "label_values(wifi_network_clients, site)",
         "description": "which site ?",
-        "error": null,
         "hide": 0,
         "includeAll": false,
         "label": "Einrichtung",
         "multi": false,
         "name": "site",
-        "options": [
-          {
-            "selected": true,
-            "text": "adp",
-            "value": "adp"
-          },
-          {
-            "selected": false,
-            "text": "ans",
-            "value": "ans"
-          }
-        ],
-        "query": "adp,ans",
-        "queryValue": "",
+        "options": [],
+        "query": {
+          "query": "label_values(wifi_network_clients, site)",
+          "refId": "StandardVariableQuery"
+        },
+        "refresh": 1,
+        "regex": "",
         "skipUrlSync": false,
-        "type": "custom"
+        "sort": 0,
+        "type": "query"
       }
     ]
   },
   "time": {
-    "from": "now-24h",
+    "from": "now-3h",
     "to": "now"
   },
   "timepicker": {},
   "timezone": "",
   "title": "Übersicht Gemeinschaftsunterkünfte",
   "uid": "1O2tNMOVk",
-  "version": 7
+  "version": 4,
+  "weekStart": ""
 }

templates/hostname.wg3

@@ -0,0 +1,5 @@
+inet 10.86.254.0/31
+mtu 1350
+wgport 51823
+wgkey {{ lookup('passwordstore', 'wg/wg3/eae-adp-jump01') }}
+wgpeer {{ lookup('passwordstore', 'wg/wg3/sax-rgs-gw-core01.pub') }} wgpsk {{ lookup('passwordstore', 'wg/wg3/psk') }} wgaip 0.0.0.0/0

templates/prometheus.yml

@@ -38,9 +38,16 @@ scrape_configs:
 
   - job_name: 'snmp'
     static_configs:
-      - targets:
 {% for host in groups['switches_stock'] %}
-          - {{ hostvars[host]['ip'] }}
+      - targets: ["{{ hostvars[host]['ip'] }}"]
+        labels:
+          instance: "{{ host }}"
+{% if hostvars[host]['site'] is defined %}
+          site: "{{ hostvars[host]['site'] }}"
+{% endif %}
+{% if hostvars[host]['location'] is defined %}
+          location: "{{ hostvars[host]['location'] }}"
+{% endif %}
 {% endfor %}
     metrics_path: /snmp
     params:
@@ -48,8 +55,6 @@ scrape_configs:
     relabel_configs:
       - source_labels: [__address__]
         target_label: __param_target
-      - source_labels: [__param_target]
-        target_label: instance
       - target_label: __address__
         replacement: 127.0.0.1:9116  # The SNMP exporter's real hostname:port.
 

templates/s2800s-8t2f-p-stock.cfg.j2

@@ -0,0 +1,151 @@
+SYSTEM CONFIG FILE ::= BEGIN
+! System Description: S2800S-8T2F-P Switch
+! System Version: v27272
+! System Name:
+! System Up Time:
+!
+!
+cpu-protect cpu bandwidth 500
+cpu-protect sub-interface manage pps 500
+cpu-protect sub-interface route pps 200
+cpu-protect sub-interface protocol pps 500
+username web admin password "{{ lookup('passwordstore', 'switches/{{ inventory_hostname }}') }}"
+web-login-time 14400
+web-language en
+web http port 80
+!
+!
+!
+system name "{{ inventory_hostname }}"
+ip default-gateway 10.86.1.1
+no easycwmp acs enable
+easycwmp acs periodic_enable
+easycwmp acs periodic_interval 60
+username "admin" privilege user password "{{ lookup('passwordstore', 'switches/{{ inventory_hostname }}') }}"
+vlan 2
+ description "clients"
+vlan 8
+ description "backoffice"
+management-vlan enable
+voice-vlan oui-table 00:E0:BB:00:00:00 mask FF:FF:FF:00:00:00 "3COM"
+voice-vlan oui-table 00:03:6B:00:00:00 mask FF:FF:FF:00:00:00 "Cisco"
+voice-vlan oui-table 00:E0:75:00:00:00 mask FF:FF:FF:00:00:00 "Veritel"
+voice-vlan oui-table 00:D0:1E:00:00:00 mask FF:FF:FF:00:00:00 "Pingtel"
+voice-vlan oui-table 00:01:E3:00:00:00 mask FF:FF:FF:00:00:00 "Siemens"
+voice-vlan oui-table 00:60:B9:00:00:00 mask FF:FF:FF:00:00:00 "NEC/Philips"
+voice-vlan oui-table 00:0F:E2:00:00:00 mask FF:FF:FF:00:00:00 "Huawei-3COM"
+voice-vlan oui-table 00:09:6E:00:00:00 mask FF:FF:FF:00:00:00 "Avaya"
+!
+!
+surveillance-vlan vlan 4095
+!
+!
+!
+!
+!
+!
+!
+eee interface gi0/1
+eee interface gi0/2
+eee interface gi0/3
+eee interface gi0/4
+eee interface gi0/5
+eee interface gi0/6
+eee interface gi0/7
+eee interface gi0/8
+no ip igmp snooping vlan 1 fast-leave enable
+no ipv6 mld snooping vlan 1 fast-leave enable
+!
+!
+snmp community "public"  ro
+snmp community "private" rw
+snmp enable
+!
+!
+!
+!
+!
+no ip telnet
+ip ssh
+ip ssh v1
+ip ssh v2
+ip http
+ip https
+!
+!
+dhcp-snooping vlan 1-4094
+arp-inspection vlan 1-4094
+!
+!
+!
+!
+interface gi0/1
+ switch mode trunk
+ switch trunk native vlan 1
+ flowcontrol on
+ poe max-power 35
+ poe alloc-power 35
+!
+interface gi0/2
+ switch mode trunk
+ switch trunk native vlan 1
+ poe max-power 15.4
+ poe alloc-power 35
+!
+interface gi0/3
+ switch mode trunk
+ switch trunk native vlan 1
+ poe max-power 35
+ poe alloc-power 0
+!
+interface gi0/4
+ switch mode trunk
+ switch trunk native vlan 1
+ poe max-power 35
+ poe alloc-power 0
+!
+interface gi0/5
+ switch mode trunk
+ switch trunk native vlan 1
+ poe max-power 35
+ poe alloc-power 0
+!
+interface gi0/6
+ switch mode trunk
+ switch trunk native vlan 1
+ poe max-power 35
+ poe alloc-power 0
+!
+interface gi0/7
+ switch mode trunk
+ switch trunk native vlan 1
+ poe max-power 35
+ poe alloc-power 0
+!
+interface gi0/8
+ switch mode trunk
+ switch trunk native vlan 1
+ poe max-power 35
+ poe alloc-power 0
+!
+interface gi0/9
+ switch mode trunk
+ switch trunk native vlan 1
+!
+interface gi0/10
+ switch mode trunk
+ switch trunk native vlan 1
+!
+!
+!
+!
+interface vlan 1
+ ip address {{ ip }}  mask 255.255.255.0
+ip default-gateway 10.86.1.1
+ip dhcpserver gate-way 192.168.1.254
+ip dhcpserver pool 192.168.1.11-192.168.1.200
+ip dhcpserver mask 255.255.255.0
+ip dhcpserver major 8.8.8.8
+ip dhcpserver minor 0.0.0.0
+ip dhcpserver leasetime 1200
+!