From 8b3620f4e036764fc6c72e27bae820c6f6a51c22 Mon Sep 17 00:00:00 2001
From: Christian Pointner
Date: Sun, 16 Apr 2023 01:30:14 +0200
Subject: c@h: add network zone for c3voc

---
inventory/host_vars/ch-router.yml | 10 ++++++++++
1 file changed, 10 insertions(+)
(limited to 'inventory/host_vars/ch-router.yml')
diff --git a/inventory/host_vars/ch-router.yml b/inventory/host_vars/ch-router.yml
index d4b6b8ea..a5bac5f3 100644
--- a/inventory/host_vars/ch-router.yml
+++ b/inventory/host_vars/ch-router.yml
@@ -165,6 +165,7 @@ openwrt_mixin:
define prefix_remote = 192.168.51.0/24
define prefix_svc = {{ network_zones.svc.prefix }}
define prefixes_internal = { {{ network_zones.svc.prefix }}, {{ network_zones.lan.prefix }} }
+ define prefixes_natonly = { {{ network_zones.c3voc.prefix }} }
define ip_prometheus_legacy = {{ network_zones.lan.prefix | ansible.utils.ipaddr(network_zones.lan.offsets['ch-prometheus-legacy']) | ansible.utils.ipaddr('address') }}
table inet global {
@@ -212,6 +213,7 @@ openwrt_mixin:
type filter hook forward priority filter; policy drop;
ct state vmap { established: accept, related: accept, invalid: drop }
iif $nic_internal ip saddr $prefixes_internal oif $nic_magenta accept
+ iif $nic_internal ip saddr $prefixes_natonly oif $nic_magenta accept
iif $nic_internal ip saddr $prefixes_internal oifname $nic_openvpn ip daddr $prefix_openvpn accept
iifname $nic_openvpn ip saddr $prefix_openvpn oif $nic_internal ip daddr $prefixes_internal accept
iif $nic_internal ip saddr { $prefix_svc, $ip_prometheus_legacy } oifname $nic_remote ip daddr $prefix_remote accept
@@ -231,6 +233,7 @@ openwrt_mixin:
chain postrouting {
type nat hook postrouting priority srcnat; policy accept;
ip saddr $prefixes_internal oif $nic_magenta snat to $ip_magenta
+ ip saddr $prefixes_natonly oif $nic_magenta snat to $ip_magenta
}
}
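Review bot: `prefixes_natonly` is introduced right next to `prefixes_internal` without saying how the two sets differ, and the name alone does not tell a reader that members of this set are denied everything except the uplink. Suggest a comment above the new define, e.g. `# zones that only get SNAT'ed uplink access via magenta; no forwarding to svc/lan, openvpn or remote`. That is what the forward chain later in this file encodes (the natonly set appears only in the magenta accept rule, while prefixes_internal is also allowed towards openvpn and remote), so the comment keeps the define and the rules in step.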
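Review bot: The added accept rule grants c3voc hosts only the magenta uplink; traffic from c3voc towards the internal, openvpn and remote prefixes falls through to the chain's `policy drop`. That is presumably the intent behind "natonly", but it is worth stating on the rule itself, e.g. `iif $nic_internal ip saddr $prefixes_natonly oif $nic_magenta accept comment "c3voc: uplink only"`. Note that this only isolates c3voc from the other zones for packets that actually transit ch-router; the route hunk further down places `ch-gw-c3voc` inside the svc zone, so c3voc-to-svc traffic may never reach this chain and would have to be filtered on that gateway if isolation is required. The enclosing `chain forward` block begins before this hunk.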
@@ -354,6 +357,13 @@ openwrt_uci:
netmask: "{{ network_zones.lan.prefix | ansible.utils.ipaddr('netmask') }}"
gateway: "{{ network_zones.svc.prefix | ansible.utils.ipaddr(network_zones.svc.offsets['ch-gw-lan']) | ansible.utils.ipaddr('address') }}"
+ - name: route 'c3voc'
+ options:
+ interface: svc
+ target: "{{ network_zones.c3voc.prefix | ansible.utils.ipaddr('network') }}"
+ netmask: "{{ network_zones.c3voc.prefix | ansible.utils.ipaddr('netmask') }}"
+ gateway: "{{ network_zones.svc.prefix | ansible.utils.ipaddr(network_zones.svc.offsets['ch-gw-c3voc']) | ansible.utils.ipaddr('address') }}"
+
- name: interface 'remote'
options:
proto: wireguard
--
cgit v1.2.3
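Review bot: The new static route depends on `network_zones.c3voc` and `network_zones.svc.offsets['ch-gw-c3voc']` being defined in the inventory; neither is in this file and the listing is limited to ch-router.yml, so confirm the zone and offset definitions are part of this change, otherwise the template fails to render. A one-line comment on the route entry would help the next reader tie it to the firewall rules, e.g. `# c3voc sits behind ch-gw-c3voc in svc; ch-router only provides SNAT'ed uplink (see prefixes_natonly in the nft ruleset)`. The entry mirrors the lan route above it (gateway taken from an svc offset, `interface: svc`), which is consistent with how the zone is expected to be reached.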