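---
# Ansible variables for one OpenWrt router (image profile ubnt-erx, see the
# openwrt_* keys below).  The network and dhcp configuration is kept as three
# fragments each (base / internal / external) that are concatenated into
# openwrt_uci.network and openwrt_uci.dhcp at the end of this file.

# Zone definitions come from network_zones (defined elsewhere): the WAN side
# is the "ccinet" zone, the management interface the "mgmt" zone.
network_wan_zone: "{{ network_zones.ccinet }}"
network_mgmt_zone: "{{ network_zones.mgmt }}"
# Zones for which a VLAN, an interface, a dhcp section and the per-zone
# firewall rules are generated below.
network_internal_zone_names:
  - lan
  - guest
  - mixer
  - infoscreens

# WAN: switch ports 2-4 untagged plus port 6 tagged; static address taken
# from the zone prefix at this host's offset.
openwrt_network_external:
  - name: switch_vlan
    options:
      device: 'switch0'
      ## for some reason vlan-id 128 does not work. why??
      # vlan: '{{ network_wan_zone.vlan }}'
      vlan: '1'
      ports: '2 3 4 6t'
  - name: interface 'wan'
    options:
      ## for some reason vlan-id 128 does not work. why??
      # ifname: 'eth0.{{ network_wan_zone.vlan }}'
      ifname: 'eth0.1'
      # proto: dhcp
      proto: static
      ipaddr: "{{ network_wan_zone.prefix | ipaddr(network_wan_zone.offsets[inventory_hostname]) | ipaddr('address') }}"
      netmask: "{{ network_wan_zone.prefix | ipaddr('netmask') }}"
      gateway: "{{ network_wan_zone.gw }}"
      dns: "{{ network_wan_zone.dns }}"
      accept_ra: 0

# One switch_vlan + interface pair per internal zone.  The list is rendered
# by Jinja and parsed back with from_yaml; keep the Jinja tags at the block's
# base indent so that nothing left of a tag survives into the parsed YAML.
openwrt_network_internal: "{{ openwrt_network_internal_yaml | from_yaml }}"
openwrt_network_internal_yaml: |
  {% for zone_name in network_internal_zone_names %}
  - name: switch_vlan
    options:
      device: 'switch0'
      vlan: '{{ network_zones[zone_name].vlan }}'
      ports: '0t 6t'
  - name: "interface '{{ zone_name }}'"
    options:
      ifname: "eth0.{{ network_zones[zone_name].vlan }}"
      proto: static
      ipaddr: "{{ network_zones[zone_name].gw }}"
      netmask: "{{ network_zones[zone_name].prefix | ipaddr('netmask') }}"
      accept_ra: 0
  {% endfor %}

# Loopback, switch setup and the management VLAN/interface.
openwrt_network_base:
  - name: globals 'globals'
    options:
      # ULA prefix derived from inventory_hostname through seeded random(),
      # so it is stable for a given host across runs.
      ula_prefix: "fc{{ '%02x:%04x:%04x' | format((255 | random(seed=inventory_hostname + '0')), (65535 | random(seed=inventory_hostname + '1')), (65535 | random(seed=inventory_hostname + '2'))) }}::/48"
  - name: interface 'loopback'
    options:
      ifname: lo
      proto: static
      ipaddr: 127.0.0.1
      netmask: 255.0.0.0
  - name: switch
    options:
      name: 'switch0'
      reset: '1'
      enable_vlan: '1'
  - name: switch_vlan
    options:
      device: 'switch0'
      vlan: '{{ network_mgmt_zone.vlan }}'
      ports: '0t 1 6t'
  - name: interface 'mgmt'
    options:
      ifname: "eth0.{{ network_mgmt_zone.vlan }}"
      proto: static
      ipaddr: "{{ network_mgmt_zone.prefix | ipaddr(network_mgmt_zone.offsets[inventory_hostname]) | ipaddr('address') }}"
      netmask: "{{ network_mgmt_zone.prefix | ipaddr('netmask') }}"
      accept_ra: 0

# No DHCP service on the WAN.
openwrt_dhcp_external:
  - name: dhcp 'wan'
    options:
      interface: 'wan'
      ignore: '1'

# One dhcp section per internal zone: a DHCPv4 pool when the zone defines
# "dhcp", otherwise the interface is ignored.  Rendered like
# openwrt_network_internal_yaml above (Jinja tags at base indent).
openwrt_dhcp_internal: "{{ openwrt_dhcp_internal_yaml | from_yaml }}"
openwrt_dhcp_internal_yaml: |
  {% for zone_name in network_internal_zone_names %}
  - name: "dhcp '{{ zone_name }}'"
    options:
      interface: "{{ zone_name }}"
  {% if 'dhcp' in network_zones[zone_name] %}
      start: {{ network_zones[zone_name].dhcp.start }}
      limit: {{ network_zones[zone_name].dhcp.limit }}
      leasetime: {{ network_zones[zone_name].dhcp.leasetime | default('12h') }}
      dhcpv6: 'disabled'
      ra: 'disabled'
  {% else %}
      ignore: '1'
  {% endif %}
  {% endfor %}

# dnsmasq defaults (rebind protection on, authoritative for the "lan" domain),
# odhcpd kept out of the DHCPv4 role, and no DHCP on the management interface.
openwrt_dhcp_base:
  - name: dnsmasq
    options:
      domainneeded: '1'
      boguspriv: '1'
      filterwin2k: '0'
      localise_queries: '1'
      rebind_protection: '1'
      rebind_localhost: '1'
      local: '/lan/'
      domain: 'lan'
      expandhosts: '1'
      nonegcache: '0'
      authoritative: '1'
      readethers: '1'
      leasefile: '/tmp/dhcp.leases'
      resolvfile: '/tmp/resolv.conf.auto'
      localservice: '1'
  - name: odhcpd 'odhcpd'
    options:
      maindhcp: '0'
      leasefile: '/tmp/hosts/odhcpd'
      leasetrigger: '/usr/sbin/odhcpd-update'
  - name: dhcp 'mgmt'
    options:
      interface: 'mgmt'
      ignore: '1'

# Image selection.  The release is quoted so no YAML parser can read the
# version-looking scalar as a number.
openwrt_variant: openwrt
openwrt_release: '18.06.1'
openwrt_arch: ramips
openwrt_target: mt7621
openwrt_profile: ubnt-erx
openwrt_output_image_suffixes:
  - "{{ openwrt_profile }}-squashfs-sysupgrade.tar"

# The stock firewall package is removed; /etc/init.d/network-fw below
# replaces it.
openwrt_packages_remove:
  - ppp
  - ppp-mod-pppoe
  - firewall
  - odhcpd-ipv6only
openwrt_packages_add:
  - kmod-ipt-nat
  - haveged
  - htop
  - ip
  - less
  - nano
  - tcpdump-mini
  - iperf
  - mtr
  - qos-scripts
  - wireguard

# Files written into the image: root ssh keys for dropbear, an htop config,
# and the init script with its S/K links.
openwrt_mixin:
  /etc/dropbear/authorized_keys:
    content: "{{ ssh_keys_root | join('\n') }}\n"
  /etc/htoprc:
    file: "{{ global_files_dir }}/common/htoprc"
  /etc/rc.d/S22network-fw:
    link: "../init.d/network-fw"
  /etc/rc.d/K91network-fw:
    link: "../init.d/network-fw"
  /etc/init.d/network-fw:
    mode: "0755"
    content: |
      #!/bin/sh /etc/rc.common
      # Minimal IPv4 firewall replacing the OpenWrt "firewall" package.
      # Only iptables is configured here; nothing in this script filters
      # IPv6, so confirm IPv6 is not enabled on any interface.
      START=22
      STOP=91

      start() {
        WAN_IF=$(uci get network.wan.ifname)
        MGMT_IF=$(uci get network.mgmt.ifname)
        MGMT_IPADDR=$(uci get network.mgmt.ipaddr)
        MGMT_NETMASK=$(uci get network.mgmt.netmask)

        # This script is the only thing managing these chains, so begin from
        # a clean state: a second "start" without a "stop" would otherwise
        # append every rule a second time.
        iptables -F INPUT
        iptables -F FORWARD
        iptables -t nat -F POSTROUTING

        # Default-deny before the first accept rule exists, so nothing is
        # accepted by default while the rule set is being built.
        iptables -P INPUT DROP
        iptables -P FORWARD DROP

        # Loopback and the management network may reach the router itself.
        iptables -A INPUT -i lo -d 127.0.0.0/8 -s 127.0.0.0/8 -j ACCEPT
        iptables -A INPUT -i "$MGMT_IF" -d "$MGMT_IPADDR" -s "$MGMT_IPADDR/$MGMT_NETMASK" -j ACCEPT

        # From the WAN: ping, ssh on the dropbear port (22000, key-only auth,
        # see openwrt_uci.dropbear) and replies to the router's own traffic.
        ### todo: limit the destination address?
        iptables -A INPUT -i "$WAN_IF" -p icmp -j ACCEPT
        iptables -A INPUT -i "$WAN_IF" -p tcp --dport 22000 -j ACCEPT
        iptables -A INPUT -i "$WAN_IF" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

        # Per internal zone: DHCP, DNS and ping to the router from the zone's
        # own subnet, forwarding of that subnet to the WAN, and masquerading.
        for zone in "{{ network_internal_zone_names | join('" "') }}"; do
          interface=$(uci get "network.$zone.ifname")
          ipaddr=$(uci get "network.$zone.ipaddr")
          netmask=$(uci get "network.$zone.netmask")

          ### todo: only add this if dhcp is in network_zones[zone]
          iptables -A INPUT -i "$interface" -p udp --dport 67 --sport 68 -j ACCEPT
          ### todo: only do this if dhcp is in network_zones[zone] or $ipaddr is in network_zones[zone].dns
          iptables -A INPUT -i "$interface" -p udp --dport 53 -d "$ipaddr" -s "$ipaddr/$netmask" -j ACCEPT
          iptables -A INPUT -i "$interface" -p tcp --dport 53 -d "$ipaddr" -s "$ipaddr/$netmask" -j ACCEPT
          iptables -A INPUT -i "$interface" -p icmp -d "$ipaddr" -s "$ipaddr/$netmask" -j ACCEPT
          iptables -A INPUT -i "$interface" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

          iptables -A FORWARD -i "$interface" -o "$WAN_IF" -s "$ipaddr/$netmask" -j ACCEPT
          iptables -A FORWARD -i "$WAN_IF" -o "$interface" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
          iptables -t nat -A POSTROUTING -o "$WAN_IF" -s "$ipaddr/$netmask" -j MASQUERADE
        done
      }

      # Leaves the router fully open: policies back to ACCEPT and every
      # chain this script fills flushed.  rc.common "restart" runs stop
      # followed by start.
      stop() {
        iptables -P INPUT ACCEPT
        iptables -F INPUT
        iptables -P FORWARD ACCEPT
        iptables -F FORWARD
        iptables -t nat -F POSTROUTING
      }

# UCI sections applied to the image.  dhcp and network are the concatenation
# of the fragments defined above.
openwrt_uci:
  system:
    - name: system
      options:
        hostname: '{{ host_name }}'
        timezone: 'CET-1CEST,M3.5.0,M10.5.0/3'
        ttylogin: '0'
        log_size: '64'
        urandom_seed: '0'
    - name: timeserver 'ntp'
      options:
        enabled: '1'
        enable_server: '0'
        server:
          - '0.lede.pool.ntp.org'
          - '1.lede.pool.ntp.org'
          - '2.lede.pool.ntp.org'
          - '3.lede.pool.ntp.org'
    - name: gpio_switch 'poe_passthrough'
      options:
        name: 'PoE Passthrough'
        gpio_pin: '0'
        value: '0'
  # Key-only ssh on a non-default port; the firewall above admits this port
  # from the WAN and from the management network.
  dropbear:
    - name: dropbear
      options:
        PasswordAuth: 'off'
        RootPasswordAuth: 'off'
        Port: '22000'
  dhcp: "{{ openwrt_dhcp_base + openwrt_dhcp_internal + openwrt_dhcp_external }}"
  network: "{{ openwrt_network_base + openwrt_network_internal + openwrt_network_external }}"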