From a88ce7b965c1d4c03aac02c1c8be819cff0f9f6e Mon Sep 17 00:00:00 2001
From: Christian Pointner
Date: Sat, 24 Dec 2022 01:58:59 +0100
Subject: mz-(router|ap): upgrade to openwrt 22.03.2
---
files/common/openwrt/list-stations | 14 +++
inventory/group_vars/accesspoints/vars.yml | 16 +--
inventory/host_vars/mz-ap.yml | 72 +++++++++-----
inventory/host_vars/mz-router.yml | 152 ++++++++++++++++++-----------
4 files changed, 155 insertions(+), 99 deletions(-)
create mode 100644 files/common/openwrt/list-stations
diff --git a/files/common/openwrt/list-stations b/files/common/openwrt/list-stations
new file mode 100644
index 00000000..6cd21671
--- /dev/null
+++ b/files/common/openwrt/list-stations
@@ -0,0 +1,14 @@
+#!/bin/sh
+
+interfaces=$(iw dev | grep "Interface " | cut -d ' ' -f2 | sort)
+
+for interface in $interfaces; do
+ bssid=$(iw $interface info | grep "addr " | cut -d ' ' -f2)
+ essid=$(iw $interface info | grep "ssid " | cut -d ' ' -f2-)
+ channel=$(iw $interface info | grep "channel " | cut -d ' ' -f2-)
+ echo "$interface ($bssid, ssid: '$essid', channel: $channel)"
+ iw $interface station dump | grep "^Station" | awk '{ print(" - "$2) }'
+ echo ""
+done
+
+exit 0
diff --git a/inventory/group_vars/accesspoints/vars.yml b/inventory/group_vars/accesspoints/vars.yml
index 0c5e5c53..1a841e13 100644
--- a/inventory/group_vars/accesspoints/vars.yml
+++ b/inventory/group_vars/accesspoints/vars.yml
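Review bot: Each loop iteration runs `iw $interface info` three separate times and leaves the variable unquoted; quoting it, `iw "$interface" info`, costs nothing, and capturing the info output once (`info=$(iw "$interface" info)`) before the three greps keeps bssid, ssid and channel from coming from three different snapshots of a radio that may be re-tuning. The interface list comes from `iw dev` on the box itself, so this is a robustness and style point rather than a security one. The script is otherwise a straight move out of the group vars into a shared file.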
@@ -291,21 +291,7 @@ openwrt_mixin: /usr/bin/list-stations: mode: "0755" - content: | - #!/bin/sh - - interfaces=$(iw dev | grep "Interface " | cut -d ' ' -f2 | sort) - - for interface in $interfaces; do - bssid=$(iw $interface info | grep "addr " | cut -d ' ' -f2) - essid=$(iw $interface info | grep "ssid " | cut -d ' ' -f2-) - channel=$(iw $interface info | grep "channel " | cut -d ' ' -f2-) - echo "$interface ($bssid, ssid: '$essid', channel: $channel)" - iw $interface station dump | grep "^Station" | awk '{ print(" - "$2) }' - echo "" - done - - exit 0 + file: "{{ global_files_dir }}/common/openwrt/list-stations" openwrt_uci_base: diff --git a/inventory/host_vars/mz-ap.yml b/inventory/host_vars/mz-ap.yml index faefd444..974de8a1 100644 --- a/inventory/host_vars/mz-ap.yml +++ b/inventory/host_vars/mz-ap.yml @@ -1,20 +1,21 @@ --- -openwrt_variant: openwrt -openwrt_release: 18.06.2 -openwrt_arch: ar71xx +openwrt_arch: ath79 openwrt_target: generic -openwrt_profile: tl-wdr3500-v1 +openwrt_profile: tplink_tl-wdr3500-v1 openwrt_output_image_suffixes: - - "generic-{{ openwrt_profile }}-squashfs-sysupgrade.bin" + - "{{ openwrt_target }}-{{ openwrt_profile }}-squashfs-sysupgrade.bin" openwrt_packages_remove: - ppp - ppp-mod-pppoe - dnsmasq - firewall + - firewall4 - odhcpd - odhcpd-ipv6only + - wpad-basic-wolfssl openwrt_packages_add: + - wpad-wolfssl - haveged - htop - ip 
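Review bot: With both `firewall` and `firewall4` in `openwrt_packages_remove` and nothing added in their place, the 22.03 image for mz-ap runs with no packet filter at all, so dropbear (and p910nd, which this host also configures) answer on every interface and on every VLAN/SSID bridged into the box, not just the management network. That was already the case on 18.06, but the upgrade is the moment to either add a small ruleset like the nftables one mz-router gets in this same commit or at least set `Interface: lan` in the dropbear section so it binds only to the management interface. Also, none of the wifi-iface options visible for this host (`psk2+ccmp`, `wds`) need the full `wpad-wolfssl`; unless something outside this diff requires 802.1X/EAP or 802.11r, staying on `wpad-basic-wolfssl` keeps the EAP/RADIUS code off the AP. The hunk shows only the head of the file; `openwrt_packages_add` continues past it.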
@@ -29,12 +30,28 @@ openwrt_packages_add: openwrt_mixin: + /etc/sysctl.conf: + content: | + # Defaults are configured in /etc/sysctl.d/* and can be customized in this file + # + # disable IP forwarding, we don't need it since we are + # only an AP that bridges VLANs to Wifi SSIDs + net.ipv4.conf.default.forwarding=0 + net.ipv4.conf.all.forwarding=0 + net.ipv4.ip_forward=0 + net.ipv6.conf.default.forwarding=0 + net.ipv6.conf.all.forwarding=0 + /etc/dropbear/authorized_keys: content: "{{ ssh_keys_root | join('\n') }}\n" /etc/htoprc: file: "{{ global_files_dir }}/common/htoprc" + /usr/bin/list-stations: + mode: "0755" + file: "{{ global_files_dir }}/common/openwrt/list-stations" + openwrt_uci: system: @@ -51,17 +68,14 @@ openwrt_uci: enabled: '1' enable_server: '0' server: - - '0.lede.pool.ntp.org' - - '1.lede.pool.ntp.org' - - '2.lede.pool.ntp.org' - - '3.lede.pool.ntp.org' + - '192.168.2.254' dropbear: - name: dropbear options: PasswordAuth: 'off' RootPasswordAuth: 'off' - Port: '{{ ansible_port | default(22) }}' + Port: '{{ ansible_port }}' p910nd: - name: p910nd @@ -78,7 +92,7 @@ openwrt_uci: - name: interface 'loopback' options: - ifname: lo + device: lo proto: static ipaddr: 127.0.0.1 netmask: 255.0.0.0 @@ -93,19 +107,24 @@ openwrt_uci: options: device: switch0 vlan: 1 - ports: 0 1 2 3 4 + ports: 1 2 3 4 0t - - name: interface 'lan' + - name: device options: - ifname: eth0 - force_link: 1 + name: br-lan type: bridge + ports: + - eth0.1 + + - name: interface 'lan' + options: + device: br-lan proto: static ipaddr: 192.168.2.201 netmask: 255.255.255.0 gateway: 192.168.2.254 dns: - - 192.168.2.254 + - 192.168.2.254 - name: interface 'wan' options: 
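Review bot: The new `/etc/sysctl.conf` disables IPv4/IPv6 forwarding, which only governs what the kernel routes between its own L3 interfaces; the VLAN-to-SSID bridging this AP exists for happens in the bridge at L2 and is unaffected, so the comment should not read as if it constrains the bridge. `net.ipv4.ip_forward` and `net.ipv4.conf.all.forwarding` are the same kernel knob, so one of the two lines is redundant (harmless). Suggested comment: `# disable L3 forwarding so the AP never routes between the networks it holds addresses in; bridging VLANs to SSIDs is L2 and is not affected by this`. OpenWrt's sysctl init script applies this file after `/etc/sysctl.d/*`, so it does override the forwarding=1 defaults shipped there, which is presumably the intent.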
@@ -116,20 +135,21 @@ openwrt_uci: - name: wifi-device 'radio5g' options: type: mac80211 + band: 5g + country: AT path: "pci0000:00/0000:00:00.0" - hwmode: 11a htmode: HT20 - country: AT txpower: 19 - - name: wifi-device 'radio2g4' + - name: wifi-device 'radio2g' options: type: mac80211 - path: "platform/ar934x_wmac" - hwmode: 11g - htmode: HT20 - channel: 4 + channel: 5 + band: 2g country: AT + path: "platform/ahb/18100000.wmac" + htmode: HT20 + cell_density: 0 txpower: 20 - name: wifi-iface wds5g @@ -138,15 +158,13 @@ openwrt_uci: network: lan mode: sta wds: 1 - disassoc_low_ack: 1 - rsn_preauth: 1 ssid: "chaosWDS" encryption: 'psk2+ccmp' key: '{{ vault_wifi_keys.wds_mz }}' - - name: wifi-iface lan2g4 + - name: wifi-iface lan2g options: - device: radio2g4 + device: radio2g network: lan mode: ap disassoc_low_ack: 1 diff --git a/inventory/host_vars/mz-router.yml b/inventory/host_vars/mz-router.yml index f79de2b1..23fd2931 100644 --- a/inventory/host_vars/mz-router.yml +++ b/inventory/host_vars/mz-router.yml @@ -1,17 +1,24 @@ --- -openwrt_variant: openwrt -openwrt_release: 18.06.2 -openwrt_arch: ar71xx +## TOOD: +# After router upgrade run this command to generate a new dyndns ssh key +# $ dropbearkey -t ed25519 -f /etc/dyndns/id_ed25519 +# Then replace the key at the dyndns server (/var/lib/dyndns/.ssh/authorized_keys) +# after that run the dnydns update script once to accept the ssh host key + +openwrt_arch: ath79 openwrt_target: generic -openwrt_profile: tl-wdr4300-v1 +openwrt_profile: tplink_tl-wdr4300-v1 openwrt_output_image_suffixes: - - "generic-{{ openwrt_profile }}-squashfs-sysupgrade.bin" + - "{{ openwrt_target }}-{{ openwrt_profile }}-squashfs-sysupgrade.bin" openwrt_packages_remove: - ppp - ppp-mod-pppoe - firewall + - firewall4 + - wpad-basic-wolfssl openwrt_packages_add: + - hostapd-wolfssl - haveged - htop - ip 
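Review bot: `wds5g` keeps `encryption: 'psk2+ccmp'` but sets no `ieee80211w`, and as far as I can tell OpenWrt's mac80211 scripts leave 802.11w (PMF) off for psk2 unless it is set explicitly, so the backhaul between mz-ap and mz-router can be knocked down by unauthenticated deauth/disassoc frames. Both ends of that link live in this repo, so `ieee80211w: '1'` on this iface and on mz-router's wds5g is a safe first step, moving to `'2'` once both are confirmed to associate with it. Dropping `rsn_preauth` here is correct, since pre-authentication only applies in AP mode. The `lan2g` iface the hunk ends on continues past the hunk.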
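Review bot: The TODO block at the top of mz-router.yml tells the operator to run the dyndns update once "to accept the ssh host key", which is trust-on-first-use from the router across the WAN: whoever answers for dyn.schaaas.at at that moment gets its key recorded. The server's host key is known out-of-band, so it is better shipped via `openwrt_mixin` (dbclient reads `/root/.ssh/known_hosts` for root, I believe) so the cron job never needs an interactive acceptance step and the procedure can drop that line. The comment also carries two typos, `TOOD` and `dnydns`.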
@@ -21,8 +28,8 @@ openwrt_packages_add: - iperf - mtr - usbutils - - kmod-ipt-nat - - kmod-ipt-conntrack + - nftables + - kmod-nft-nat openwrt_mixin: 
@@ -32,54 +39,77 @@ openwrt_mixin: /etc/htoprc: file: "{{ global_files_dir }}/common/htoprc" - /etc/rc.d/S22network-fw: - link: "../init.d/network-fw" + /usr/bin/list-stations: + mode: "0755" + file: "{{ global_files_dir }}/common/openwrt/list-stations" + + /etc/rc.d/S21nftables: + link: "../init.d/nftables" - /etc/rc.d/K91network-fw: - link: "../init.d/network-fw" + /etc/rc.d/K89nftables: + link: "../init.d/nftables" - /etc/init.d/network-fw: + /etc/init.d/nftables: mode: "0755" content: | #!/bin/sh /etc/rc.common - START=22 - STOP=91 + START=21 + STOP=89 start() { - LAN_IP=$(uci get network.lan.ipaddr) - LAN_MASK=$(uci get network.lan.netmask) - - WAN_IF=$(uci get network.wan.ifname) - - iptables -A INPUT -i lo -j ACCEPT - iptables -A INPUT -i br-lan -j ACCEPT - - iptables -A INPUT -i "$WAN_IF" -p icmp -j ACCEPT - iptables -A INPUT -i "$WAN_IF" -p tcp --dport {{ ansible_port | default(22) }} -j ACCEPT - iptables -A INPUT -i "$WAN_IF" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT - - iptables -A FORWARD -i br-lan -o "$WAN_IF" -j ACCEPT - iptables -A FORWARD -i "$WAN_IF" -o br-lan -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT - iptables -t nat -A POSTROUTING -o "$WAN_IF" -s "$LAN_IP/$LAN_MASK" -j MASQUERADE - - iptables -P INPUT DROP - iptables -P FORWARD DROP + nft -f /etc/nftables.conf } stop() { - iptables -P INPUT ACCEPT - iptables -F INPUT - iptables -P FORWARD ACCEPT - iptables -F FORWARD - iptables -t nat -F POSTROUTING + nft flush ruleset + } + + /etc/nftables.conf: + content: | + flush ruleset + + define nic_wan = eth0.2 + define nic_lan = br-lan + define prefix_lan = 192.168.2.0/24 + + table inet global { + ## INPUT + chain input_lan { + ip saddr $prefix_lan accept + } + + chain input_wan { + ip protocol icmp accept + ip6 nexthdr ipv6-icmp accept + tcp dport { {{ ansible_port }} } accept + } + + chain input { + type filter hook input priority filter; policy drop; + ct state vmap { established: accept, related: accept, invalid: drop } + 
iifname vmap { lo: accept, $nic_lan: jump input_lan, $nic_wan: jump input_wan } + } + + + ## FORWARD + chain forward { + type filter hook forward priority filter; policy drop; + ct state vmap { established: accept, related: accept, invalid: drop } + iifname $nic_lan ip saddr $prefix_lan oifname $nic_wan accept + } + + chain postrouting { + type nat hook postrouting priority srcnat; policy accept; + ip saddr $prefix_lan oifname $nic_wan masquerade + } } /etc/dyndns/update.sh: mode: "0755" content: | #!/bin/sh - /usr/bin/ssh -i /etc/dyndns/id_rsa -p 222 dyndns@dyn.schaaas.at mzl | logger -t dyndns + /usr/bin/ssh -i /etc/dyndns/id_ed25519 -p 222 dyndns@dyn.schaaas.at mzl | logger -t dyndns /etc/crontabs/root: mode: "0755" @@ -101,19 +131,19 @@ openwrt_uci: - name: timeserver 'ntp' options: enabled: '1' - enable_server: '0' + enable_server: '1' server: - - '0.lede.pool.ntp.org' - - '1.lede.pool.ntp.org' - - '2.lede.pool.ntp.org' - - '3.lede.pool.ntp.org' + - '0.at.pool.ntp.org' + - '1.at.pool.ntp.org' + - '2.at.pool.ntp.org' + - '3.at.pool.ntp.org' dropbear: - name: dropbear options: PasswordAuth: 'off' RootPasswordAuth: 'off' - Port: '{{ ansible_port | default(22) }}' + Port: '{{ ansible_port }}' network: - name: globals 'globals' @@ -122,7 +152,7 @@ openwrt_uci: - name: interface 'loopback' options: - ifname: lo + device: lo proto: static ipaddr: 127.0.0.1 netmask: 255.0.0.0 @@ -145,11 +175,16 @@ openwrt_uci: vlan: 2 ports: 1 0t - - name: interface 'lan' + - name: device options: - ifname: eth0.1 - force_link: 1 + name: br-lan type: bridge + ports: + - eth0.1 + + - name: interface 'lan' + options: + device: br-lan proto: static ipaddr: 192.168.2.254 netmask: 255.255.255.0 
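Review bot: `chain input_lan` accepts only IPv4 packets already sourced from 192.168.2.0/24, so a DHCP DISCOVER/REQUEST from a fresh client (source 0.0.0.0, udp 68→67) falls through to the input chain's `policy drop`, whereas the old `iptables -A INPUT -i br-lan -j ACCEPT` let it in; dnsmasq is not in this host's `openwrt_packages_remove`, so the router presumably still serves DHCP and new leases would fail. The same gap exists for any IPv6 on the LAN (link-local sources, NDP), because `ip saddr` never matches IPv6. Add `udp sport 68 udp dport 67 accept` and, if IPv6 is in use on the LAN, `ip6 saddr fe80::/10 accept` and `meta l4proto ipv6-icmp accept` to `input_lan`, or go back to trusting the whole interface with a bare `accept`. Separately, `START=21` loads the ruleset after network (S20), leaving a short boot window in which the WAN is up with no filter; the rules reference only interface names, so they can be loaded before network and a `START` below 20 closes it. The mixin mapping continues past the hunk (`/etc/crontabs/root` is cut off).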
@@ -163,20 +198,23 @@ openwrt_uci: - name: wifi-device 'radio5g' options: type: mac80211 + channel: 40 + band: 5g + country: AT path: "pci0000:00/0000:00:00.0" - hwmode: 11a htmode: HT20 - country: AT + cell_density: 0 txpower: 19 - - name: wifi-device 'radio2g4' + - name: wifi-device 'radio2g' options: type: mac80211 - path: "platform/ar934x_wmac" - hwmode: 11g - htmode: HT20 - channel: 4 + channel: 11 + band: 2g country: AT + path: "platform/ahb/18100000.wmac" + htmode: HT20 + cell_density: 0 txpower: 20 - name: wifi-iface wds5g @@ -202,9 +240,9 @@ openwrt_uci: encryption: 'psk2+ccmp' key: '{{ vault_wifi_keys.lan }}' - - name: wifi-iface lan2g4 + - name: wifi-iface lan2g options: - device: radio2g4 + device: radio2g network: lan mode: ap disassoc_low_ack: 1 -- cgit v1.2.3