add backoffice wifi

documentation: fix IPAM typo for client v4 space
2022-08-22 15:53:37 +02:00 · 2022-08-21 22:23:30 +02:00
5 changed files with 133 additions and 9 deletions
--- a/documentation/INCIDENTS.md
+++ b/documentation/INCIDENTS.md
@ -174,3 +174,97 @@ No internet access for ~2 weeks

 **solution**:
 `Saxonia Catering` entered into an internet contract with Vodafone
+
+
+008: 2022.08.13 ~13:30 | (maintenance) add backoffice wifi
+----------------------------------------------------------
+
+The facility managemend asked us if we could build a backoffice wifi that is inaccessible from the rest of the network.
+
+vlan: `8`
+subnet: `10.84.8.1/24`
+wifi ssid: `GU Deutscher Platz Backoffice`
+wifi password: `wifi/GU_Deutscher_Platz_Backoffice` in `pass`
+
+**impact**:
+* `gw-core01` and `sw-access0{1,2}` only got reloaded (so no downtime)
+* on `ap-XXXX`s networking restarted so the wifi was unavailable for a few seconds
+=> either way there was no upstream internet connectivity at this time (see incidents `007` for details) so impact implications are irrelevant
+
+**changes**:
+* `sw-access0{1,2}`:
+```
+root@sw-access01:~# cat >> /etc/config/network << EOF
+config bridge-vlan 'backoffice_vlan'
+	option device 'switch'
+	option vlan '8'
+	option ports 'lan1:t lan2:t lan3:t lan4:t lan5:t lan6:t lan7:t lan8:t'
+EOF
+root@sw-access01:~# /etc/init.d/network reload
+```
+
+* `gw-core01`:
+```
+root@gw-core01:~# cat >> /etc/config/network << EOF
+config bridge-vlan 'backoffice_vlan'
+        option vlan '8'
+        option device 'switch'
+        list ports 'eth2:t'
+        list ports 'eth3:t'
+        list ports 'eth4:t'
+
+config interface 'backoffice'
+        option device 'switch.8'
+        option proto 'static'
+        option ipaddr '10.84.8.1'
+        option netmask '255.255.255.0'
+EOF
+root@gw-core01:~#
+root@gw-core01:~# cat >> /etc/config/firewall << EOF
+config zone
+        option name             backoffice
+        list   network          'backoffice'
+        option input            REJECT
+        option output           ACCEPT
+        option forward          REJECT
+
+config forwarding
+        option src              backoffice
+        option dest             wan
+
+config rule
+        option name             BACKOFFICE_Allow-DHCP
+        option src              backoffice
+        option proto            udp
+        option dest_port        67-68
+        option target           ACCEPT
+        option family           ipv4
+
+config rule
+        option name             BACKOFFICE_Allow-DNS
+        option src              backoffice
+        option proto            udp
+        option dest_port        53
+        option target           ACCEPT
+        option family           ipv4
+EOF
+root@gw-core01:~#
+root@gw-core01:~# cat >> /etc/config/dhcp << EOF
+config dhcp 'backoffice'
+        option interface 'backoffice'
+        option start '100'
+        option limit '150'
+        option leasetime '12h'
+        option dhcpv4 'server'
+        option dhcpv6 'server'
+        option ra 'server'
+        option ra_slaac '1'
+        list ra_flags 'managed-config'
+        list ra_flags 'other-config'
+EOF
+root@gw-core01:~#
+root@gw-core01:~# /etc/init.d/network reload
+root@gw-core01:~# /etc/init.d/firewall restart
+root@gw-core01:~# /etc/init.d/dnsmasq reload
+```
+* `ap-XXXX`: see `playbook_provision_accesspoints.yml`
--- a/documentation/OVERVIEW.md
+++ b/documentation/OVERVIEW.md
@ -46,19 +46,21 @@ Cloud VMs:
 Networks:
 ---------

-| Name       | VLAN | v4 Space          | v6 Space | Description                                                           |
-| ---------- | ---- | ----------------- | -------- | --------------------------------------------------------------------- |
-| `mgmt`     |   1  | `10.84.1.0/24`    | /        | default network which is used for administrative and monitoring tasks |
-| `clients`  |   2  | `10.84.2.0/22`    | /        | this is where the wifi clients live                                   |
-| `wan`      |   3  | `192.168.0.0/24`  | /        | created by the gigacube. wan for our gateway                          |
-| `backbone` |   /  | `10.84.254.0/30`  | /        | tunnel network between `gw-core01` and `eae-adp-jump01`               |
+| Name         | VLAN | v4 Space          | v6 Space | Description                                                           |
+| ------------ | ---- | ----------------- | -------- | --------------------------------------------------------------------- |
+| `mgmt`       |   1  | `10.84.1.0/24`    | /        | default network which is used for administrative and monitoring tasks |
+| `clients`    |   2  | `10.84.4.0/22`    | /        | this is where the wifi clients live                                   |
+| `wan`        |   3  | `192.168.0.0/24`  | /        | created by the gigacube. wan for our gateway                          |
+| `backbone`   |   /  | `10.84.254.0/30`  | /        | tunnel network between `gw-core01` and `eae-adp-jump01`               |
+| `backoffice` |   8  | `10.84.8.0/24`    | /        | backoffice network for the orga                                       |

 WiFi Networks:
 --------------

-| SSID                 | Encryption | VLAN | Description |
-| -------------------- | ---------- | ---- | ----------- |
-| `GU Deutscher Platz` | /          | 2    |             |
+| SSID                            | Encryption | VLAN | Description |
+| ------------------------------- | ---------- | ---- | ----------- |
+| `GU Deutscher Platz`            | /          | 2    |             |
+| `GU Deutscher Platz Backoffice` | wpa2 psk   | 8    |             |

 Remote Access / VPN:
 --------------------
--- a/password-store/wifi/GU_Deutscher_Platz_Backoffice.gpg
+++ b/password-store/wifi/GU_Deutscher_Platz_Backoffice.gpg
--- a/playbook_provision_accesspoints.yml
+++ b/playbook_provision_accesspoints.yml
@ -16,6 +16,18 @@
      notify:
        - reload network

+    - name: create backoffice bridge (vlan)
+      blockinfile:
+        path: /etc/config/network
+        block: |
+          config interface 'backoffice'
+            option type 'bridge'
+            option ifname 'eth0.8'
+        marker_begin: BACKOFFICE_NETWORK_BEGIN
+        marker_end:   BACKOFFICE_NETWORK_END
+      notify:
+        - reload network
+
    - name: configure wireless
      template:
        src: templates/aruba-ap-105_wireless.j2
--- a/templates/aruba-ap-105_wireless.j2
+++ b/templates/aruba-ap-105_wireless.j2
@ -21,6 +21,14 @@ config wifi-iface 'default_radio0'
        option key '{{ wifi_psk }}'
 {% endif %}

+config wifi-iface 'backoffice_radio0'
+        option device 'radio0'
+        option network 'backoffice'
+        option mode 'ap'
+        option ssid 'GU Deutscher Platz Backoffice'
+        option encryption 'psk2'
+        option key "{{ lookup('passwordstore', 'wifi/GU_Deutscher_Platz_Backoffice') }}"
+
 config wifi-device 'radio1'
        option type 'mac80211'
        option path 'pci0000:00/0000:00:12.0'
@ -42,3 +50,11 @@ config wifi-iface 'default_radio1'
 {% if wifi_psk is defined %}
        option key '{{ wifi_psk }}'
 {% endif %}
+
+config wifi-iface 'backoffice_radio1'
+        option device 'radio1'
+        option network 'backoffice'
+        option mode 'ap'
+        option ssid 'GU Deutscher Platz Backoffice'
+        option encryption 'psk2'
+        option key "{{ lookup('passwordstore', 'wifi/GU_Deutscher_Platz_Backoffice') }}"
Author	SHA1	Message	Date
Gregor Michels	b96fa8542c	add backoffice wifi	2022-08-22 15:53:37 +02:00
Gregor Michels	dc5be9eacf	documentation: fix IPAM typo for client v4 space	2022-08-21 22:23:30 +02:00