From 7f0bd28bbbf490d54679fa66985b6e81dde7f147 Mon Sep 17 00:00:00 2001
From: Christian Pointner
Date: Fri, 28 Feb 2020 18:06:22 +0100
Subject: elevate: basic router setup

---
 inventory/host_vars/ele-router.yml | 80 +++++++++++++++++++++++++++++++-------
 1 file changed, 65 insertions(+), 15 deletions(-)

(limited to 'inventory/host_vars')

diff --git a/inventory/host_vars/ele-router.yml b/inventory/host_vars/ele-router.yml
index ed21ff36..4a552d7f 100644
--- a/inventory/host_vars/ele-router.yml
+++ b/inventory/host_vars/ele-router.yml
@@ -1,5 +1,4 @@
 ---
-network_wan_zone: "{{ network_zones.ccinet }}"
 network_mgmt_zone: "{{ network_zones.mgmt }}"
 network_internal_zone_names:
 - lan
@@ -12,24 +11,65 @@ openwrt_network_external: - name: switch_vlan options: device: 'switch0' - ## for some reason vlan-id 128 does not work. why?? - # vlan: '{{ network_wan_zone.vlan }}' + ## for some reason vlan-id 502 does not work. why?? + vlan: '{{ network_zones.forum_a1.vlan }}' vlan: '1' - ports: '2 3 4 6t' + ports: '4 6t' - - name: interface 'wan' + - name: interface 'wanforum' options: - ## for some reason vlan-id 128 does not work. why?? - # ifname: 'eth0.{{ network_wan_zone.vlan }}' + ## for some reason vlan-id 502 does not work. why?? + #ifname: 'eth0.{{ network_zones.forum_a1.vlan }}' ifname: 'eth0.1' -# proto: dhcp + proto: dhcp + defaultroute: '0' ## see static route 'forumdefault' below + accept_ra: 0 + + - name: rule + options: + priority: 40000 + lookup: 101 + + - name: route 'forumdefault' + options: + interface: 'wanforum' + table: 101 + target: '0.0.0.0/0' + gateway: 192.168.0.254 ## A1 router @ForumStadtpark uses this address + + + - name: switch_vlan + options: + device: 'switch0' + ## for some reason vlan-id 502 does not work. why?? + #vlan: '{{ network_zones.funkfeuer.vlan }}' + vlan: '2' + ports: '3 6t' + + - name: interface 'wanff' + options: + ## for some reason vlan-id 502 does not work. why?? 
+ #fname: 'eth0.{{ network_zones.funkfeuer.vlan }}' + ifname: 'eth0.2' proto: static - ipaddr: "{{ network_wan_zone.prefix | ipaddr(network_wan_zone.offsets[inventory_hostname]) | ipaddr('address') }}" - netmask: "{{ network_wan_zone.prefix | ipaddr('netmask') }}" - gateway: "{{ network_wan_zone.gateway }}" - dns: "{{ network_wan_zone.dns }}" + ipaddr: "{{ network_zones.funkfeuer.prefix | ipaddr(network_zones.funkfeuer.offsets[inventory_hostname]) | ipaddr('address') }}" + netmask: "{{ network_zones.funkfeuer.prefix | ipaddr('netmask') }}" accept_ra: 0 + - name: rule + options: + priority: 39000 + src: "{{ network_zones.funkfeuer.prefix | ipaddr(network_zones.funkfeuer.offsets[inventory_hostname]) | ipaddr('address') }}/32" + lookup: 102 + + - name: route 'ffdefault' + options: + interface: 'wanff' + table: 102 + target: '0.0.0.0/0' + gateway: "{{ network_zones.funkfeuer.gateway }}" + + openwrt_network_internal: "{{ openwrt_network_internal_yaml | from_yaml }}" openwrt_network_internal_yaml: | {% for zone_name in network_internal_zone_names %} @@ -82,9 +122,14 @@ openwrt_network_base: openwrt_dhcp_external: - - name: dhcp 'wan' + - name: dhcp 'wanforum' options: - interface: 'wan' + interface: 'wanforum' + ignore: '1' + + - name: dhcp 'wanff' + options: + interface: 'wanff' ignore: '1' openwrt_dhcp_internal: "{{ openwrt_dhcp_internal_yaml | from_yaml }}" @@ -185,7 +230,8 @@ openwrt_mixin: STOP=91 start() { - WAN_IF=$(uci get network.wan.ifname) + WAN_IF=$(uci get network.wanforum.ifname) + FF_IF=$(uci get network.wanff.ifname) MGMT_IF=$(uci get network.mgmt.ifname) MGMT_IPADDR=$(uci get network.mgmt.ipaddr) MGMT_NETMASK=$(uci get network.mgmt.netmask) 
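Review bot: In the `forum_a1` `switch_vlan` block the added `vlan: '{{ network_zones.forum_a1.vlan }}'` line is immediately followed by the unchanged `vlan: '1'`, so that `options` mapping carries the same key twice; the `wanff` counterpart keeps its templated line commented out (`#vlan: '{{ network_zones.funkfeuer.vlan }}'`), which looks like what was intended here too, unless the `#` was lost in this rendering. Ansible's YAML loader warns on duplicate dict keys and keeps the last value, so `'1'` wins today, but with `DUPLICATE_YAML_DICT_KEY=error` the host vars stop loading and the router gets no config at all; change the line to `#vlan: '{{ network_zones.forum_a1.vlan }}'`. Separately, the commented `#fname: 'eth0.{{ network_zones.funkfeuer.vlan }}'` under `wanff` should read `#ifname:` so that un-commenting it later does not silently add an unknown option while leaving `ifname: 'eth0.2'` in force. The `openwrt_network_external` list this hunk edits begins before the hunk.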
@@ -199,6 +245,10 @@ openwrt_mixin:
 iptables -A INPUT -i "$WAN_IF" -p tcp --dport {{ ansible_port }} -j ACCEPT
 iptables -A INPUT -i "$WAN_IF" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
 
+iptables -A INPUT -i "$FF_IF" -p icmp -j ACCEPT
+iptables -A INPUT -i "$FF_IF" -p tcp --dport {{ ansible_port }} -j ACCEPT
+iptables -A INPUT -i "$FF_IF" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
+
 for zone in "{{ network_internal_zone_names | join('" "') }}"; do
 interface=$(uci get "network.$zone.ifname")
 ipaddr=$(uci get "network.$zone.ipaddr")
--
cgit v1.2.3
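Review bot: The three rules added for `$FF_IF` accept ICMP of every type and the management port `{{ ansible_port }}` from anything reachable through the `wanff` uplink; the zone name `funkfeuer` and the separate `ffdefault` routing table suggest this is a shared community network rather than a private upstream, so this is a wider exposure than the `$WAN_IF` rules it mirrors. If administration over that link is intended, at least confine the SSH rule to rate-limited new connections and the ICMP rule to echo requests, e.g. `iptables -A INPUT -i "$FF_IF" -p icmp --icmp-type echo-request -m limit --limit 10/s -j ACCEPT` and `iptables -A INPUT -i "$FF_IF" -p tcp --dport {{ ansible_port }} -m conntrack --ctstate NEW -m limit --limit 6/min --limit-burst 10 -j ACCEPT`; this only helps if the INPUT chain ends in DROP or REJECT, which the hunk does not show. A `-s` restriction to the prefix administration actually comes from would be better still, if such a prefix exists. The enclosing `start()` function begins and ends outside this hunk.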