authorChristian Pointner <equinox@spreadspace.org>2022-12-24 01:58:59 +0100
committerChristian Pointner <equinox@spreadspace.org>2022-12-25 03:16:39 +0100
commita88ce7b965c1d4c03aac02c1c8be819cff0f9f6e (patch)
tree5af2982447fe3ee7659de124cb2561eba65548d0
parentx509/uacme: implement self-signed interim certificate (diff)
mz-(router|ap): upgrade to openwrt 22.03.2
-rw-r--r--files/common/openwrt/list-stations14
-rw-r--r--inventory/group_vars/accesspoints/vars.yml16
-rw-r--r--inventory/host_vars/mz-ap.yml72
-rw-r--r--inventory/host_vars/mz-router.yml152
4 files changed, 155 insertions, 99 deletions
diff --git a/files/common/openwrt/list-stations b/files/common/openwrt/list-stations
new file mode 100644
index 00000000..6cd21671
--- /dev/null
+++ b/files/common/openwrt/list-stations
@@ -0,0 +1,14 @@
+#!/bin/sh
+
+interfaces=$(iw dev | grep "Interface " | cut -d ' ' -f2 | sort)
+
+for interface in $interfaces; do
+ bssid=$(iw $interface info | grep "addr " | cut -d ' ' -f2)
+ essid=$(iw $interface info | grep "ssid " | cut -d ' ' -f2-)
+ channel=$(iw $interface info | grep "channel " | cut -d ' ' -f2-)
+ echo "$interface ($bssid, ssid: '$essid', channel: $channel)"
+ iw $interface station dump | grep "^Station" | awk '{ print(" - "$2) }'
+ echo ""
+done
+
+exit 0
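Review bot: The `$interface` expansions on the `iw` calls (lines 28–32) are unquoted and `iw $interface info` is executed three times per interface; names from `iw dev` do not contain whitespace in practice, but `iw "$interface" info` is the conventional hygiene, and a single capture `info=$(iw "$interface" info)` followed by `printf '%s\n' "$info" | grep ...` for bssid/essid/channel avoids the repeated netlink round trips. The unconditional `exit 0` on the last line also masks a failing `iw` invocation, so callers always see success; dropping it lets the status of the loop's last command propagate. This file is the verbatim content moved out of the inline `content:` block in the group_vars, so this is a style point rather than a regression introduced here.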
diff --git a/inventory/group_vars/accesspoints/vars.yml b/inventory/group_vars/accesspoints/vars.yml
index 0c5e5c53..1a841e13 100644
--- a/inventory/group_vars/accesspoints/vars.yml
+++ b/inventory/group_vars/accesspoints/vars.yml
@@ -291,21 +291,7 @@ openwrt_mixin:
/usr/bin/list-stations:
mode: "0755"
- content: |
- #!/bin/sh
-
- interfaces=$(iw dev | grep "Interface " | cut -d ' ' -f2 | sort)
-
- for interface in $interfaces; do
- bssid=$(iw $interface info | grep "addr " | cut -d ' ' -f2)
- essid=$(iw $interface info | grep "ssid " | cut -d ' ' -f2-)
- channel=$(iw $interface info | grep "channel " | cut -d ' ' -f2-)
- echo "$interface ($bssid, ssid: '$essid', channel: $channel)"
- iw $interface station dump | grep "^Station" | awk '{ print(" - "$2) }'
- echo ""
- done
-
- exit 0
+ file: "{{ global_files_dir }}/common/openwrt/list-stations"
openwrt_uci_base:
diff --git a/inventory/host_vars/mz-ap.yml b/inventory/host_vars/mz-ap.yml
index faefd444..974de8a1 100644
--- a/inventory/host_vars/mz-ap.yml
+++ b/inventory/host_vars/mz-ap.yml
@@ -1,20 +1,21 @@
---
-openwrt_variant: openwrt
-openwrt_release: 18.06.2
-openwrt_arch: ar71xx
+openwrt_arch: ath79
openwrt_target: generic
-openwrt_profile: tl-wdr3500-v1
+openwrt_profile: tplink_tl-wdr3500-v1
openwrt_output_image_suffixes:
- - "generic-{{ openwrt_profile }}-squashfs-sysupgrade.bin"
+ - "{{ openwrt_target }}-{{ openwrt_profile }}-squashfs-sysupgrade.bin"
openwrt_packages_remove:
- ppp
- ppp-mod-pppoe
- dnsmasq
- firewall
+ - firewall4
- odhcpd
- odhcpd-ipv6only
+ - wpad-basic-wolfssl
openwrt_packages_add:
+ - wpad-wolfssl
- haveged
- htop
- ip
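Review bot: With both `firewall` and now `firewall4` in `openwrt_packages_remove`, the AP keeps no packet filter at all, so dropbear (and p910nd, configured further down this file) answer on every interface that carries an address; that is defensible for a pure bridge with one LAN address, but the file also defines an `interface 'wan'` whose settings fall outside this hunk, so the assumption deserves to be written down. I would add above `- firewall4` a comment such as `# no packet filter on purpose: the AP only holds an address on lan; forwarding is disabled in /etc/sysctl.conf below`. The dropped `openwrt_variant`/`openwrt_release` lines presumably moved to a group-level variable carrying the 22.03.2 release named in the commit title; that file is not part of this diff.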
@@ -29,12 +30,28 @@ openwrt_packages_add:
openwrt_mixin:
+ /etc/sysctl.conf:
+ content: |
+ # Defaults are configured in /etc/sysctl.d/* and can be customized in this file
+ #
+ # disable IP forwarding, we don't need it since we are
+ # only an AP that bridges VLANs to Wifi SSIDs
+ net.ipv4.conf.default.forwarding=0
+ net.ipv4.conf.all.forwarding=0
+ net.ipv4.ip_forward=0
+ net.ipv6.conf.default.forwarding=0
+ net.ipv6.conf.all.forwarding=0
+
/etc/dropbear/authorized_keys:
content: "{{ ssh_keys_root | join('\n') }}\n"
/etc/htoprc:
file: "{{ global_files_dir }}/common/htoprc"
+ /usr/bin/list-stations:
+ mode: "0755"
+ file: "{{ global_files_dir }}/common/openwrt/list-stations"
+
openwrt_uci:
system:
@@ -51,17 +68,14 @@ openwrt_uci:
enabled: '1'
enable_server: '0'
server:
- - '0.lede.pool.ntp.org'
- - '1.lede.pool.ntp.org'
- - '2.lede.pool.ntp.org'
- - '3.lede.pool.ntp.org'
+ - '192.168.2.254'
dropbear:
- name: dropbear
options:
PasswordAuth: 'off'
RootPasswordAuth: 'off'
- Port: '{{ ansible_port | default(22) }}'
+ Port: '{{ ansible_port }}'
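Review bot: The AP's only time source is now `192.168.2.254`, i.e. the router whose `enable_server` this same commit turns on in mz-router.yml, so if the router's NTP is down the AP has no fallback and its clock will simply drift until it returns; this mostly hurts log correlation, but the dependency is invisible from this file alone. A one-line comment next to the server entry, `# mz-router serves NTP to the LAN; the AP has no direct upstream on purpose`, would make that explicit. `Port: '{{ ansible_port }}'` now aborts the template render when the inventory leaves `ansible_port` unset instead of silently falling back to 22, which looks intentional but also merits a short comment so the next reader does not "fix" it back.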
p910nd:
- name: p910nd
@@ -78,7 +92,7 @@ openwrt_uci:
- name: interface 'loopback'
options:
- ifname: lo
+ device: lo
proto: static
ipaddr: 127.0.0.1
netmask: 255.0.0.0
@@ -93,19 +107,24 @@ openwrt_uci:
options:
device: switch0
vlan: 1
- ports: 0 1 2 3 4
+ ports: 1 2 3 4 0t
- - name: interface 'lan'
+ - name: device
options:
- ifname: eth0
- force_link: 1
+ name: br-lan
type: bridge
+ ports:
+ - eth0.1
+
+ - name: interface 'lan'
+ options:
+ device: br-lan
proto: static
ipaddr: 192.168.2.201
netmask: 255.255.255.0
gateway: 192.168.2.254
dns:
- - 192.168.2.254
+ - 192.168.2.254
- name: interface 'wan'
options:
@@ -116,20 +135,21 @@ openwrt_uci:
- name: wifi-device 'radio5g'
options:
type: mac80211
+ band: 5g
+ country: AT
path: "pci0000:00/0000:00:00.0"
- hwmode: 11a
htmode: HT20
- country: AT
txpower: 19
- - name: wifi-device 'radio2g4'
+ - name: wifi-device 'radio2g'
options:
type: mac80211
- path: "platform/ar934x_wmac"
- hwmode: 11g
- htmode: HT20
- channel: 4
+ channel: 5
+ band: 2g
country: AT
+ path: "platform/ahb/18100000.wmac"
+ htmode: HT20
+ cell_density: 0
txpower: 20
- name: wifi-iface wds5g
@@ -138,15 +158,13 @@ openwrt_uci:
network: lan
mode: sta
wds: 1
- disassoc_low_ack: 1
- rsn_preauth: 1
ssid: "chaosWDS"
encryption: 'psk2+ccmp'
key: '{{ vault_wifi_keys.wds_mz }}'
- - name: wifi-iface lan2g4
+ - name: wifi-iface lan2g
options:
- device: radio2g4
+ device: radio2g
network: lan
mode: ap
disassoc_low_ack: 1
diff --git a/inventory/host_vars/mz-router.yml b/inventory/host_vars/mz-router.yml
index f79de2b1..23fd2931 100644
--- a/inventory/host_vars/mz-router.yml
+++ b/inventory/host_vars/mz-router.yml
@@ -1,17 +1,24 @@
---
-openwrt_variant: openwrt
-openwrt_release: 18.06.2
-openwrt_arch: ar71xx
+## TOOD:
+# After router upgrade run this command to generate a new dyndns ssh key
+# $ dropbearkey -t ed25519 -f /etc/dyndns/id_ed25519
+# Then replace the key at the dyndns server (/var/lib/dyndns/.ssh/authorized_keys)
+# after that run the dnydns update script once to accept the ssh host key
+
+openwrt_arch: ath79
openwrt_target: generic
-openwrt_profile: tl-wdr4300-v1
+openwrt_profile: tplink_tl-wdr4300-v1
openwrt_output_image_suffixes:
- - "generic-{{ openwrt_profile }}-squashfs-sysupgrade.bin"
+ - "{{ openwrt_target }}-{{ openwrt_profile }}-squashfs-sysupgrade.bin"
openwrt_packages_remove:
- ppp
- ppp-mod-pppoe
- firewall
+ - firewall4
+ - wpad-basic-wolfssl
openwrt_packages_add:
+ - hostapd-wolfssl
- haveged
- htop
- ip
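Review bot: The new TODO block (lines 222–226) instructs the operator to run the dyndns update script once "to accept the ssh host key", i.e. trust-on-first-use from the router towards `dyn.schaaas.at`; since this repository already ships files into the image via `openwrt_mixin`, the server's host key can instead be deployed as `/root/.ssh/known_hosts` (the file dropbear's `dbclient` consults) so the first connection is verified rather than accepted blindly. The same block has two typos, `## TOOD:` → `## TODO:` and `dnydns` → `dyndns`, and the second step could say where the public half to install comes from: `dropbearkey -y -f /etc/dyndns/id_ed25519`. The update script itself (`/etc/dyndns/update.sh`) is changed in a later hunk of this file.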
@@ -21,8 +28,8 @@ openwrt_packages_add:
- iperf
- mtr
- usbutils
- - kmod-ipt-nat
- - kmod-ipt-conntrack
+ - nftables
+ - kmod-nft-nat
openwrt_mixin:
@@ -32,54 +39,77 @@ openwrt_mixin:
/etc/htoprc:
file: "{{ global_files_dir }}/common/htoprc"
- /etc/rc.d/S22network-fw:
- link: "../init.d/network-fw"
+ /usr/bin/list-stations:
+ mode: "0755"
+ file: "{{ global_files_dir }}/common/openwrt/list-stations"
+
+ /etc/rc.d/S21nftables:
+ link: "../init.d/nftables"
- /etc/rc.d/K91network-fw:
- link: "../init.d/network-fw"
+ /etc/rc.d/K89nftables:
+ link: "../init.d/nftables"
- /etc/init.d/network-fw:
+ /etc/init.d/nftables:
mode: "0755"
content: |
#!/bin/sh /etc/rc.common
- START=22
- STOP=91
+ START=21
+ STOP=89
start() {
- LAN_IP=$(uci get network.lan.ipaddr)
- LAN_MASK=$(uci get network.lan.netmask)
-
- WAN_IF=$(uci get network.wan.ifname)
-
- iptables -A INPUT -i lo -j ACCEPT
- iptables -A INPUT -i br-lan -j ACCEPT
-
- iptables -A INPUT -i "$WAN_IF" -p icmp -j ACCEPT
- iptables -A INPUT -i "$WAN_IF" -p tcp --dport {{ ansible_port | default(22) }} -j ACCEPT
- iptables -A INPUT -i "$WAN_IF" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-
- iptables -A FORWARD -i br-lan -o "$WAN_IF" -j ACCEPT
- iptables -A FORWARD -i "$WAN_IF" -o br-lan -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
- iptables -t nat -A POSTROUTING -o "$WAN_IF" -s "$LAN_IP/$LAN_MASK" -j MASQUERADE
-
- iptables -P INPUT DROP
- iptables -P FORWARD DROP
+ nft -f /etc/nftables.conf
}
stop() {
- iptables -P INPUT ACCEPT
- iptables -F INPUT
- iptables -P FORWARD ACCEPT
- iptables -F FORWARD
- iptables -t nat -F POSTROUTING
+ nft flush ruleset
+ }
+
+ /etc/nftables.conf:
+ content: |
+ flush ruleset
+
+ define nic_wan = eth0.2
+ define nic_lan = br-lan
+ define prefix_lan = 192.168.2.0/24
+
+ table inet global {
+ ## INPUT
+ chain input_lan {
+ ip saddr $prefix_lan accept
+ }
+
+ chain input_wan {
+ ip protocol icmp accept
+ ip6 nexthdr ipv6-icmp accept
+ tcp dport { {{ ansible_port }} } accept
+ }
+
+ chain input {
+ type filter hook input priority filter; policy drop;
+ ct state vmap { established: accept, related: accept, invalid: drop }
+ iifname vmap { lo: accept, $nic_lan: jump input_lan, $nic_wan: jump input_wan }
+ }
+
+
+ ## FORWARD
+ chain forward {
+ type filter hook forward priority filter; policy drop;
+ ct state vmap { established: accept, related: accept, invalid: drop }
+ iifname $nic_lan ip saddr $prefix_lan oifname $nic_wan accept
+ }
+
+ chain postrouting {
+ type nat hook postrouting priority srcnat; policy accept;
+ ip saddr $prefix_lan oifname $nic_wan masquerade
+ }
}
/etc/dyndns/update.sh:
mode: "0755"
content: |
#!/bin/sh
- /usr/bin/ssh -i /etc/dyndns/id_rsa -p 222 dyndns@dyn.schaaas.at mzl | logger -t dyndns
+ /usr/bin/ssh -i /etc/dyndns/id_ed25519 -p 222 dyndns@dyn.schaaas.at mzl | logger -t dyndns
/etc/crontabs/root:
mode: "0755"
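Review bot: `start()` in the new `/etc/init.d/nftables` ignores the exit status of `nft -f /etc/nftables.conf`; because `nft -f` applies the file as one transaction, a load failure (a slip in the templated ruleset, or the `masquerade`/`ct` support not being available when the script runs) leaves no ruleset at all, and the router boots fail-open with dropbear and the newly enabled NTP server reachable on `eth0.2`. The old iptables script had the same shape, so this is not a regression, but it is cheap to fail closed by installing a minimal drop policy for `input`/`forward` (keeping `lo` and `br-lan` so the box stays administrable from the LAN) when the load fails, as sketched below. Separately, `nic_wan`, `nic_lan` and `prefix_lan` are now literals in `/etc/nftables.conf` whereas the old script derived them from `uci get network.*`; the uci interface and address definitions further down this file remain a second source of truth, so consider templating those three `define`s from the same Ansible variables.

```yaml
  /etc/init.d/nftables:
    mode: "0755"
    content: |
      #!/bin/sh /etc/rc.common
      START=21
      STOP=89
      start() {
        if ! nft -f /etc/nftables.conf; then
          logger -t nftables -p daemon.err "loading /etc/nftables.conf failed, installing fail-closed fallback"
          nft flush ruleset
          nft add table inet global
          nft add chain inet global input '{ type filter hook input priority filter; policy drop; }'
          nft add rule inet global input iifname lo accept
          nft add rule inet global input ct state established,related accept
          nft add rule inet global input iifname br-lan accept
          nft add chain inet global forward '{ type filter hook forward priority filter; policy drop; }'
          return 1
        fi
      }
      # … unchanged: stop() …
```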
@@ -101,19 +131,19 @@ openwrt_uci:
- name: timeserver 'ntp'
options:
enabled: '1'
- enable_server: '0'
+ enable_server: '1'
server:
- - '0.lede.pool.ntp.org'
- - '1.lede.pool.ntp.org'
- - '2.lede.pool.ntp.org'
- - '3.lede.pool.ntp.org'
+ - '0.at.pool.ntp.org'
+ - '1.at.pool.ntp.org'
+ - '2.at.pool.ntp.org'
+ - '3.at.pool.ntp.org'
dropbear:
- name: dropbear
options:
PasswordAuth: 'off'
RootPasswordAuth: 'off'
- Port: '{{ ansible_port | default(22) }}'
+ Port: '{{ ansible_port }}'
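Review bot: `enable_server: '1'` makes sysntpd answer NTP on every address of the router, including the WAN one, so its exposure now rests entirely on the `input_wan` chain of the nftables ruleset added earlier in this commit (which admits only ICMP and the ssh port). That holds as long as that ruleset loads; if the sysntpd init script on 22.03 honours an `interface` option, binding the listener to the LAN with `interface: lan` next to `enable_server` would be the more robust choice, so the server never exists on `eth0.2` at all. A one-line comment that `mz-ap.yml` (same commit) uses this host as its only time source would also stop someone from switching the server off again without noticing the AP loses NTP.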
network:
- name: globals 'globals'
@@ -122,7 +152,7 @@ openwrt_uci:
- name: interface 'loopback'
options:
- ifname: lo
+ device: lo
proto: static
ipaddr: 127.0.0.1
netmask: 255.0.0.0
@@ -145,11 +175,16 @@ openwrt_uci:
vlan: 2
ports: 1 0t
- - name: interface 'lan'
+ - name: device
options:
- ifname: eth0.1
- force_link: 1
+ name: br-lan
type: bridge
+ ports:
+ - eth0.1
+
+ - name: interface 'lan'
+ options:
+ device: br-lan
proto: static
ipaddr: 192.168.2.254
netmask: 255.255.255.0
@@ -163,20 +198,23 @@ openwrt_uci:
- name: wifi-device 'radio5g'
options:
type: mac80211
+ channel: 40
+ band: 5g
+ country: AT
path: "pci0000:00/0000:00:00.0"
- hwmode: 11a
htmode: HT20
- country: AT
+ cell_density: 0
txpower: 19
- - name: wifi-device 'radio2g4'
+ - name: wifi-device 'radio2g'
options:
type: mac80211
- path: "platform/ar934x_wmac"
- hwmode: 11g
- htmode: HT20
- channel: 4
+ channel: 11
+ band: 2g
country: AT
+ path: "platform/ahb/18100000.wmac"
+ htmode: HT20
+ cell_density: 0
txpower: 20
- name: wifi-iface wds5g
@@ -202,9 +240,9 @@ openwrt_uci:
encryption: 'psk2+ccmp'
key: '{{ vault_wifi_keys.lan }}'
- - name: wifi-iface lan2g4
+ - name: wifi-iface lan2g
options:
- device: radio2g4
+ device: radio2g
network: lan
mode: ap
disassoc_low_ack: 1