diff options
| author | Christian Pointner <equinox@spreadspace.org> | 2023-04-16 01:30:14 +0200 |
|---|---|---|
| committer | Christian Pointner <equinox@spreadspace.org> | 2023-04-16 01:30:14 +0200 |
| commit | 8b3620f4e036764fc6c72e27bae820c6f6a51c22 (patch) | |
| tree | 428103ec69303bd2b65422ce4f53317571cd1242 /inventory/host_vars/ch-router.yml | |
| parent | cpu-micrcode for debain bookworm+ (diff) | |
c@h: add network zone for c3voc
Diffstat (limited to 'inventory/host_vars/ch-router.yml')
| -rw-r--r-- | inventory/host_vars/ch-router.yml | 10 |
1 files changed, 10 insertions, 0 deletions
diff --git a/inventory/host_vars/ch-router.yml b/inventory/host_vars/ch-router.yml index d4b6b8ea..a5bac5f3 100644 --- a/inventory/host_vars/ch-router.yml +++ b/inventory/host_vars/ch-router.yml @@ -165,6 +165,7 @@ openwrt_mixin: define prefix_remote = 192.168.51.0/24 define prefix_svc = {{ network_zones.svc.prefix }} define prefixes_internal = { {{ network_zones.svc.prefix }}, {{ network_zones.lan.prefix }} } + define prefixes_natonly = { {{ network_zones.c3voc.prefix }} } define ip_prometheus_legacy = {{ network_zones.lan.prefix | ansible.utils.ipaddr(network_zones.lan.offsets['ch-prometheus-legacy']) | ansible.utils.ipaddr('address') }} table inet global { @@ -212,6 +213,7 @@ openwrt_mixin: type filter hook forward priority filter; policy drop; ct state vmap { established: accept, related: accept, invalid: drop } iif $nic_internal ip saddr $prefixes_internal oif $nic_magenta accept + iif $nic_internal ip saddr $prefixes_natonly oif $nic_magenta accept iif $nic_internal ip saddr $prefixes_internal oifname $nic_openvpn ip daddr $prefix_openvpn accept iifname $nic_openvpn ip saddr $prefix_openvpn oif $nic_internal ip daddr $prefixes_internal accept iif $nic_internal ip saddr { $prefix_svc, $ip_prometheus_legacy } oifname $nic_remote ip daddr $prefix_remote accept @@ -231,6 +233,7 @@ openwrt_mixin: chain postrouting { type nat hook postrouting priority srcnat; policy accept; ip saddr $prefixes_internal oif $nic_magenta snat to $ip_magenta + ip saddr $prefixes_natonly oif $nic_magenta snat to $ip_magenta } } @@ -354,6 +357,13 @@ openwrt_uci: netmask: "{{ network_zones.lan.prefix | ansible.utils.ipaddr('netmask') }}" gateway: "{{ network_zones.svc.prefix | ansible.utils.ipaddr(network_zones.svc.offsets['ch-gw-lan']) | ansible.utils.ipaddr('address') }}" + - name: route 'c3voc' + options: + interface: svc + target: "{{ network_zones.c3voc.prefix | ansible.utils.ipaddr('network') }}" + netmask: "{{ network_zones.c3voc.prefix | ansible.utils.ipaddr('netmask') }}" + gateway: "{{ network_zones.svc.prefix | ansible.utils.ipaddr(network_zones.svc.offsets['ch-gw-c3voc']) | ansible.utils.ipaddr('address') }}" + - name: interface 'remote' options: proto: wireguard |