Added config for Edge Router
This commit is contained in:
parent
c01a906cbc
commit
14c7dbf743
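--- /dev/null
+++ b/edge1.md
@@ -0,0 +1,121 @@
+## Install Wireguard
+cd /tmp
+curl -OL https://github.com/WireGuard/wireguard-vyatta-ubnt/releases/download/1.0.20211208-1/e50-v2-v1.0.20211208-v1.0.20210914.deb
+sudo dpkg -i e50-v2-v1.0.20211208-v1.0.20210914.deb
+
+####
+cd /config/auth
+wg genkey | tee /config/auth/wg.key | wg pubkey > wg.public
+cat wg.public
+cat wg.key
+####
+
+set firewall all-ping enable
+set firewall broadcast-ping disable
+set firewall group network-group LAN-VPN-V6 description 'Networks on LAN destined to go out VPN by default'
+set firewall group ipv6-network-group LAN-VPN-V6 ipv6-network '2a03:2260:121:603::/64'
+set firewall group network-group LAN-VPN description 'Networks on LAN destined to go out VPN by default'
+set firewall group network-group LAN-VPN network 10.1.0.0/16
+
+set firewall ipv6-modify LAN_to_VPN_V6 rule 1 action modify
+set firewall ipv6-modify LAN_to_VPN_V6 rule 1 modify table 2
+set firewall ipv6-modify LAN_to_VPN_V6 rule 1 source group ipv6-network-group LAN-VPN-V6
+set firewall ipv6-modify LAN_to_VPN_V6 rule 100 description 'Route traffic from group LAN-VPN through LAN_to_VPN_V6 table'
+set firewall ipv6-receive-redirects disable
+set firewall ipv6-src-route disable
+set firewall ip-src-route disable
+set firewall log-martians enable
+set firewall modify LAN_to_VPN rule 100 action modify
+set firewall modify LAN_to_VPN rule 100 description 'Route traffic from group LAN-VPN through LAN_to_VPN table'
+set firewall modify LAN_to_VPN rule 100 modify table 2
+set firewall modify LAN_to_VPN rule 100 source group network-group LAN-VPN
+set firewall name WAN_LOCAL default-action drop
+set firewall name WAN_LOCAL rule 20 action accept
+set firewall name WAN_LOCAL rule 20 description WireGuard
+set firewall name WAN_LOCAL rule 20 destination port 51821
+set firewall name WAN_LOCAL rule 20 protocol udp
+set firewall options mss-clamp interface-type all
+set firewall options mss-clamp mss 1350
+set firewall options mss-clamp6 interface-type all
+set firewall options mss-clamp6 mss 1350
+set firewall receive-redirects disable
+set firewall send-redirects enable
+set firewall source-validation disable
+set firewall syn-cookies enable
+set interfaces ethernet eth0 address dhcp
+set interfaces ethernet eth0 description 'Internet via DHCP'
+set interfaces ethernet eth0 duplex auto
+set interfaces ethernet eth0 speed auto
+set interfaces ethernet eth1 description Local
+set interfaces ethernet eth1 duplex auto
+set interfaces ethernet eth1 speed auto
+set interfaces ethernet eth2 description Local
+set interfaces ethernet eth2 duplex auto
+set interfaces ethernet eth2 speed auto
+set interfaces ethernet eth3 description Local
+set interfaces ethernet eth3 duplex auto
+set interfaces ethernet eth3 speed auto
+set interfaces ethernet eth4 description Local
+set interfaces ethernet eth4 duplex auto
+set interfaces ethernet eth4 poe output off
+set interfaces ethernet eth4 speed auto
+set interfaces loopback lo
+set interfaces switch switch0 address 10.1.0.1/24
+set interfaces switch switch0 address '2a03:2260:121:603::1/64'
+set interfaces switch switch0 description Local
+set interfaces switch switch0 firewall in ipv6-modify LAN_to_VPN_V6
+set interfaces switch switch0 firewall in modify LAN_to_VPN
+set interfaces switch switch0 ipv6 dup-addr-detect-transmits 1
+set interfaces switch switch0 ipv6 router-advert cur-hop-limit 64
+set interfaces switch switch0 ipv6 router-advert link-mtu 0
+set interfaces switch switch0 ipv6 router-advert managed-flag true
+set interfaces switch switch0 ipv6 router-advert max-interval 600
+set interfaces switch switch0 ipv6 router-advert name-server '2606:4700:4700::1111'
+set interfaces switch switch0 ipv6 router-advert other-config-flag false
+set interfaces switch switch0 ipv6 router-advert prefix '2a03:2260:121:603::/64' autonomous-flag true
+set interfaces switch switch0 ipv6 router-advert prefix '2a03:2260:121:603::/64' on-link-flag true
+set interfaces switch switch0 ipv6 router-advert prefix '2a03:2260:121:603::/64' valid-lifetime 2592000
+set interfaces switch switch0 ipv6 router-advert reachable-time 0
+set interfaces switch switch0 ipv6 router-advert retrans-timer 0
+set interfaces switch switch0 ipv6 router-advert send-advert true
+set interfaces switch switch0 mtu 1500
+set interfaces switch switch0 switch-port interface eth1
+set interfaces switch switch0 switch-port interface eth2
+set interfaces switch switch0 switch-port interface eth3
+set interfaces switch switch0 switch-port interface eth4
+set interfaces switch switch0 switch-port vlan-aware disable
+set interfaces wireguard wg0 address 10.255.1.2/24
+set interfaces wireguard wg0 listen-port 51822
+set interfaces wireguard wg0 mtu 1384
+set interfaces wireguard wg0 peer 5B/YTaDPVWVApUyHshJp899iXXlBy8rBqJUpYvKo+1s= allowed-ips 0.0.0.0/0
+set interfaces wireguard wg0 peer 5B/YTaDPVWVApUyHshJp899iXXlBy8rBqJUpYvKo+1s= allowed-ips '::0/0'
+set interfaces wireguard wg0 peer 5B/YTaDPVWVApUyHshJp899iXXlBy8rBqJUpYvKo+1s= endpoint 'vpn01.fftdf.de:42001'
+set interfaces wireguard wg0 private-key /config/auth/wg.key
+set interfaces wireguard wg0 route-allowed-ips false
+set protocols static interface-route6 '::/0' next-hop-interface wg0
+set protocols static table 2 route 0.0.0.0/0 next-hop 10.255.1.1
+set protocols static table 2 route6 '::0/0' next-hop '2a03:2260:121:602::2'
+set protocols static table 2 route6 '::/0' next-hop '2a03:2260:121:602::2'
+set service dhcp-server disabled false
+set service dhcp-server hostfile-update disable
+set service dhcp-server shared-network-name LAN authoritative enable
+set service dhcp-server shared-network-name LAN subnet 10.1.0.1/24 default-router 10.1.0.1/24
+set service dhcp-server shared-network-name LAN subnet 10.1.0.1/24 dns-server 10.1.0.1/24
+set service dhcp-server shared-network-name LAN subnet 10.1.0.1/24 lease 86400
+set service dhcp-server shared-network-name LAN subnet 10.1.0.1/24 start 10.1.0.38 stop 10.1.0.243
+set service dhcp-server static-arp disable
+set service dhcp-server use-dnsmasq disable
+set service dns forwarding cache-size 150
+set service dns forwarding listen-on switch0
+set service gui http-port 80
+set service gui https-port 443
+set service gui older-ciphers enable
+set service nat rule 5010 description 'masquerade for VPN'
+set service nat rule 5010 outbound-interface wg0
+set service nat rule 5010 protocol all
+set service nat rule 5010 type masquerade
+set service ssh port 22
+set service ssh protocol-version v2
+set service unms
+set system host-name edge1
+set system time-zone UTC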
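Review bot: The WAN_LOCAL ruleset (`set firewall name WAN_LOCAL default-action drop` plus rule 20) is defined but never bound to an interface — this file has no `set interfaces ethernet eth0 firewall local name WAN_LOCAL`, so unless it is applied somewhere not shown here the drop policy is inert and SSH on 22, the GUI on 80/443 and UNMS are all reachable on the DHCP-addressed WAN port. Add `set interfaces ethernet eth0 firewall local name WAN_LOCAL`, and since the LAN carries a globally routable IPv6 prefix that is reached through the tunnel, consider an `in` ruleset on wg0 for forwarded traffic as well. The key-generation block also prints the private key with `cat wg.key` and creates it under the default umask; `(umask 077; wg genkey | tee /config/auth/wg.key | wg pubkey > wg.public)` with the `cat wg.key` line removed keeps the secret out of terminal scrollback and world-readable files. `set service gui older-ciphers enable` weakens the GUI's TLS and should stay off unless a specific client needs it.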
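--- /dev/null
+++ b/edgerouter_configs/edge1.md
@@ -0,0 +1,121 @@
+## Install Wireguard
+cd /tmp
+curl -OL https://github.com/WireGuard/wireguard-vyatta-ubnt/releases/download/1.0.20211208-1/e50-v2-v1.0.20211208-v1.0.20210914.deb
+sudo dpkg -i e50-v2-v1.0.20211208-v1.0.20210914.deb
+
+####
+cd /config/auth
+wg genkey | tee /config/auth/wg.key | wg pubkey > wg.public
+cat wg.public
+cat wg.key
+####
+
+set firewall all-ping enable
+set firewall broadcast-ping disable
+set firewall group network-group LAN-VPN-V6 description 'Networks on LAN destined to go out VPN by default'
+set firewall group ipv6-network-group LAN-VPN-V6 ipv6-network '2a03:2260:121:603::/64'
+set firewall group network-group LAN-VPN description 'Networks on LAN destined to go out VPN by default'
+set firewall group network-group LAN-VPN network 10.1.0.0/16
+
+set firewall ipv6-modify LAN_to_VPN_V6 rule 1 action modify
+set firewall ipv6-modify LAN_to_VPN_V6 rule 1 modify table 2
+set firewall ipv6-modify LAN_to_VPN_V6 rule 1 source group ipv6-network-group LAN-VPN-V6
+set firewall ipv6-modify LAN_to_VPN_V6 rule 100 description 'Route traffic from group LAN-VPN through LAN_to_VPN_V6 table'
+set firewall ipv6-receive-redirects disable
+set firewall ipv6-src-route disable
+set firewall ip-src-route disable
+set firewall log-martians enable
+set firewall modify LAN_to_VPN rule 100 action modify
+set firewall modify LAN_to_VPN rule 100 description 'Route traffic from group LAN-VPN through LAN_to_VPN table'
+set firewall modify LAN_to_VPN rule 100 modify table 2
+set firewall modify LAN_to_VPN rule 100 source group network-group LAN-VPN
+set firewall name WAN_LOCAL default-action drop
+set firewall name WAN_LOCAL rule 20 action accept
+set firewall name WAN_LOCAL rule 20 description WireGuard
+set firewall name WAN_LOCAL rule 20 destination port 51821
+set firewall name WAN_LOCAL rule 20 protocol udp
+set firewall options mss-clamp interface-type all
+set firewall options mss-clamp mss 1350
+set firewall options mss-clamp6 interface-type all
+set firewall options mss-clamp6 mss 1350
+set firewall receive-redirects disable
+set firewall send-redirects enable
+set firewall source-validation disable
+set firewall syn-cookies enable
+set interfaces ethernet eth0 address dhcp
+set interfaces ethernet eth0 description 'Internet via DHCP'
+set interfaces ethernet eth0 duplex auto
+set interfaces ethernet eth0 speed auto
+set interfaces ethernet eth1 description Local
+set interfaces ethernet eth1 duplex auto
+set interfaces ethernet eth1 speed auto
+set interfaces ethernet eth2 description Local
+set interfaces ethernet eth2 duplex auto
+set interfaces ethernet eth2 speed auto
+set interfaces ethernet eth3 description Local
+set interfaces ethernet eth3 duplex auto
+set interfaces ethernet eth3 speed auto
+set interfaces ethernet eth4 description Local
+set interfaces ethernet eth4 duplex auto
+set interfaces ethernet eth4 poe output off
+set interfaces ethernet eth4 speed auto
+set interfaces loopback lo
+set interfaces switch switch0 address 10.1.0.1/24
+set interfaces switch switch0 address '2a03:2260:121:603::1/64'
+set interfaces switch switch0 description Local
+set interfaces switch switch0 firewall in ipv6-modify LAN_to_VPN_V6
+set interfaces switch switch0 firewall in modify LAN_to_VPN
+set interfaces switch switch0 ipv6 dup-addr-detect-transmits 1
+set interfaces switch switch0 ipv6 router-advert cur-hop-limit 64
+set interfaces switch switch0 ipv6 router-advert link-mtu 0
+set interfaces switch switch0 ipv6 router-advert managed-flag true
+set interfaces switch switch0 ipv6 router-advert max-interval 600
+set interfaces switch switch0 ipv6 router-advert name-server '2606:4700:4700::1111'
+set interfaces switch switch0 ipv6 router-advert other-config-flag false
+set interfaces switch switch0 ipv6 router-advert prefix '2a03:2260:121:603::/64' autonomous-flag true
+set interfaces switch switch0 ipv6 router-advert prefix '2a03:2260:121:603::/64' on-link-flag true
+set interfaces switch switch0 ipv6 router-advert prefix '2a03:2260:121:603::/64' valid-lifetime 2592000
+set interfaces switch switch0 ipv6 router-advert reachable-time 0
+set interfaces switch switch0 ipv6 router-advert retrans-timer 0
+set interfaces switch switch0 ipv6 router-advert send-advert true
+set interfaces switch switch0 mtu 1500
+set interfaces switch switch0 switch-port interface eth1
+set interfaces switch switch0 switch-port interface eth2
+set interfaces switch switch0 switch-port interface eth3
+set interfaces switch switch0 switch-port interface eth4
+set interfaces switch switch0 switch-port vlan-aware disable
+set interfaces wireguard wg0 address 10.255.1.2/24
+set interfaces wireguard wg0 listen-port 51822
+set interfaces wireguard wg0 mtu 1355
+set interfaces wireguard wg0 peer 5B/YTaDPVWVApUyHshJp899iXXlBy8rBqJUpYvKo+1s= allowed-ips 0.0.0.0/0
+set interfaces wireguard wg0 peer 5B/YTaDPVWVApUyHshJp899iXXlBy8rBqJUpYvKo+1s= allowed-ips '::0/0'
+set interfaces wireguard wg0 peer 5B/YTaDPVWVApUyHshJp899iXXlBy8rBqJUpYvKo+1s= endpoint 'vpn01.fftdf.de:42001'
+set interfaces wireguard wg0 private-key /config/auth/wg.key
+set interfaces wireguard wg0 route-allowed-ips false
+set protocols static interface-route6 '::/0' next-hop-interface wg0
+set protocols static table 2 route 0.0.0.0/0 next-hop 10.255.1.1
+set protocols static table 2 route6 '::0/0' next-hop '2a03:2260:121:602::2'
+set protocols static table 2 route6 '::/0' next-hop '2a03:2260:121:602::2'
+set service dhcp-server disabled false
+set service dhcp-server hostfile-update disable
+set service dhcp-server shared-network-name LAN authoritative enable
+set service dhcp-server shared-network-name LAN subnet 10.1.0.1/24 default-router 10.1.0.1/24
+set service dhcp-server shared-network-name LAN subnet 10.1.0.1/24 dns-server 10.1.0.1/24
+set service dhcp-server shared-network-name LAN subnet 10.1.0.1/24 lease 86400
+set service dhcp-server shared-network-name LAN subnet 10.1.0.1/24 start 10.1.0.38 stop 10.1.0.243
+set service dhcp-server static-arp disable
+set service dhcp-server use-dnsmasq disable
+set service dns forwarding cache-size 150
+set service dns forwarding listen-on switch0
+set service gui http-port 80
+set service gui https-port 443
+set service gui older-ciphers enable
+set service nat rule 5010 description 'masquerade for VPN'
+set service nat rule 5010 outbound-interface wg0
+set service nat rule 5010 protocol all
+set service nat rule 5010 type masquerade
+set service ssh port 22
+set service ssh protocol-version v2
+set service unms
+set system host-name edge1
+set system time-zone UTC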
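Review bot: The WAN_LOCAL accept rule and the WireGuard listener disagree on the port — `set firewall name WAN_LOCAL rule 20 destination port 51821` versus `set interfaces wireguard wg0 listen-port 51822` — so even once WAN_LOCAL is attached, inbound handshakes to the configured listener would be dropped; one of the two should become `51822` (or the rule can go entirely, since the router dials `vpn01.fftdf.de:42001` and never needs an inbound port). The MSS clamp is also out of step with the tunnel: with `wg0 mtu 1355`, `mss-clamp mss 1350` allows segments of 1390 bytes, so `set firewall options mss-clamp mss 1315` and `set firewall options mss-clamp6 mss 1295` would match the path. This generated file already diverges from the hand-kept top-level edge1.md (wg0 mtu 1355 here, 1384 there); keeping only the template-rendered copy avoids the two drifting further apart.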
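--- /dev/null
+++ b/er-test.yml
@@ -0,0 +1,5 @@
+# ansible-playbook -i hosts.yml er-test.yml
+- name: System preperation
+  hosts: edge_router
+  roles:
+    - 01-vpn-router-config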
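Review bot: The play name carries a typo, `System preperation`; `- name: Generate EdgeOS configuration` would also describe what the single role actually does, since this play only renders a config file locally rather than preparing a system. The usage comment on the first line is helpful and should stay.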
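--- /dev/null
+++ b/host_vars/edge1.yml
@@ -0,0 +1,13 @@
+ansible_host: localhost
+ansible_connection: local
+ansible_python_interpreter: /usr/bin/python3
+
+ipv4_network: 10.1.0.0/16
+ipv4_address: 10.1.0.1/24
+ipv6_network: 2a03:2260:121:603::/64
+ipv6_address: 2a03:2260:121:603::1/64
+wireguard_address: 10.255.1.2/24
+wireguard_public: 5B/YTaDPVWVApUyHshJp899iXXlBy8rBqJUpYvKo+1s=
+wiregurad_v4: 10.255.1.1
+wireguard_v6: 2a03:2260:121:602::2
+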
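Review bot: `wireguard_v6: 2a03:2260:121:602::2` is consumed by the template as the gateway for `table 2 route6 ::/0`, but the only address the template gives wg0 is `wireguard_address: 10.255.1.2/24` — no IPv6 in 2a03:2260:121:602::/64 — so that next hop is not on a connected link and the kernel will most likely refuse or ignore the route, leaving table 2 with no IPv6 default. Either add an address from that /64 to `wireguard_address` (the vpn01 side lists `2a03:2260:121:602::2/64` on its tunnel) or, if EdgeOS accepts it, route table 2 via `next-hop-interface wg0` as the main table does. The misspelt `wiregurad_v4` is mirrored in the template so it renders today, but renaming both sides to `wireguard_v4` avoids a confusing undefined-variable failure the next time someone types it correctly.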
@ -19,10 +19,13 @@ core_router: 172.16.7.1
|
|||||||
ipv6_network: 2a03:2260:121:600::/58
|
ipv6_network: 2a03:2260:121:600::/58
|
||||||
wireguard_address: "10.255.1.1/24, 2a03:2260:121:602::2/64"
|
wireguard_address: "10.255.1.1/24, 2a03:2260:121:602::2/64"
|
||||||
wireguard_port: 42001
|
wireguard_port: 42001
|
||||||
|
wireguard_public: 5B/YTaDPVWVApUyHshJp899iXXlBy8rBqJUpYvKo+1s=
|
||||||
|
wiregurad_v4: 10.255.1.1
|
||||||
|
wireguard_v6: 2a03:2260:121:602::2
|
||||||
|
|
||||||
wireguard_unmanaged_peers:
|
wireguard_unmanaged_peers:
|
||||||
vpn1-testing:
|
vpn1-testing:
|
||||||
public_key: dEqGBiASx0gY1T/m4chRkeWhF+4XmzmjLKLXXbe+rmg=
|
public_key: eoC9nkNTO+aWn1rkMPGguzeBAwBvK8Ob5N52MGoHEBA=
|
||||||
allowed_ips: 10.255.1.2/32, 10.1.0.0/16, fd80:3ea2:e399:203a::2/128
|
allowed_ips: 10.255.1.2/32, 10.1.0.0/16, fd80:3ea2:e399:203a::2/128
|
||||||
persistent_keepalive: 25
|
persistent_keepalive: 25
|
||||||
vpn2-lindenstr-h07:
|
vpn2-lindenstr-h07:
|
||||||
@ -40,4 +43,4 @@ wireguard_unmanaged_peers:
|
|||||||
vpn5-stefan:
|
vpn5-stefan:
|
||||||
public_key: UHaYitx18sO71Ssk2SVUgdjLaAILbCthCmosU+Fs5Es=
|
public_key: UHaYitx18sO71Ssk2SVUgdjLaAILbCthCmosU+Fs5Es=
|
||||||
allowed_ips: 10.255.1.6/32, 10.5.0.0/16, 2a03:2260:121:601::/64
|
allowed_ips: 10.255.1.6/32, 10.5.0.0/16, 2a03:2260:121:601::/64
|
||||||
persistent_keepalive: 25
|
persistent_keepalive: 25
|
||||||
|
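Review bot: The new `allowed_ips` for `vpn1-testing` (`10.255.1.2/32, 10.1.0.0/16, fd80:3ea2:e399:203a::2/128`) does not include the LAN prefix the edge router advertises and sends through the tunnel, `2a03:2260:121:603::/64`; the 10.255.1.2/32 and 10.1.0.0/16 entries match edge1's host_vars, so this appears to be edge1's peer entry. Without that prefix WireGuard's cryptokey routing on the vpn side will discard IPv6 packets sourced from the LAN, while IPv4 works — compare `vpn5-stefan`, which lists `2a03:2260:121:601::/64`. Suggested: `allowed_ips: 10.255.1.2/32, 10.1.0.0/16, 2a03:2260:121:603::/64` (keep the fd80 address only if it is still in use). The `public_key` swap looks like a key rotation; the retired key `dEqGBiASx0gY1T/m4chRkeWhF+4XmzmjLKLXXbe+rmg=` should not survive anywhere else. The file header for this hunk is not visible in this chunk, so the file path is inferred from the variable names.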
@ -15,4 +15,7 @@ all:
|
|||||||
vpn-offloader:
|
vpn-offloader:
|
||||||
hosts:
|
hosts:
|
||||||
vpn01:
|
vpn01:
|
||||||
|
edge_router:
|
||||||
|
hosts:
|
||||||
|
edge1:
|
||||||
|
|
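--- /dev/null
+++ b/roles/01-vpn-router-config/tasks/main.yml
@@ -0,0 +1,11 @@
+- name: create config directory
+  file:
+    path: '{{ playbook_dir }}/edgerouter_configs/'
+    state: directory
+
+- name: Generate EdgeOS Config
+  ansible.builtin.template:
+    src: edgerouter.conf.j2
+    dest: '{{ playbook_dir }}/edgerouter_configs/{{ inventory_hostname }}.md'
+    mode: 0755
+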
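Review bot: `mode: 0755` marks the rendered config document executable (the diff header indeed shows edgerouter_configs/edge1.md as an "Executable file"), which a text file of `set` commands never needs; `mode: '0644'` is the appropriate value, and quoting it avoids the YAML octal ambiguity Ansible warns about for unquoted leading-zero modes. The two tasks also mix the short `file:` name with the fully qualified `ansible.builtin.template:`; `ansible.builtin.file:` keeps the role consistent.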
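--- /dev/null
+++ b/roles/01-vpn-router-config/templates/edgerouter.conf.j2
@@ -0,0 +1,121 @@
+## Install Wireguard
+cd /tmp
+curl -OL https://github.com/WireGuard/wireguard-vyatta-ubnt/releases/download/1.0.20211208-1/e50-v2-v1.0.20211208-v1.0.20210914.deb
+sudo dpkg -i e50-v2-v1.0.20211208-v1.0.20210914.deb
+
+####
+cd /config/auth
+wg genkey | tee /config/auth/wg.key | wg pubkey > wg.public
+cat wg.public
+cat wg.key
+####
+
+set firewall all-ping enable
+set firewall broadcast-ping disable
+set firewall group network-group LAN-VPN-V6 description 'Networks on LAN destined to go out VPN by default'
+set firewall group ipv6-network-group LAN-VPN-V6 ipv6-network '{{ ipv6_network }}'
+set firewall group network-group LAN-VPN description 'Networks on LAN destined to go out VPN by default'
+set firewall group network-group LAN-VPN network {{ ipv4_network }}
+
+set firewall ipv6-modify LAN_to_VPN_V6 rule 1 action modify
+set firewall ipv6-modify LAN_to_VPN_V6 rule 1 modify table 2
+set firewall ipv6-modify LAN_to_VPN_V6 rule 1 source group ipv6-network-group LAN-VPN-V6
+set firewall ipv6-modify LAN_to_VPN_V6 rule 100 description 'Route traffic from group LAN-VPN through LAN_to_VPN_V6 table'
+set firewall ipv6-receive-redirects disable
+set firewall ipv6-src-route disable
+set firewall ip-src-route disable
+set firewall log-martians enable
+set firewall modify LAN_to_VPN rule 100 action modify
+set firewall modify LAN_to_VPN rule 100 description 'Route traffic from group LAN-VPN through LAN_to_VPN table'
+set firewall modify LAN_to_VPN rule 100 modify table 2
+set firewall modify LAN_to_VPN rule 100 source group network-group LAN-VPN
+set firewall name WAN_LOCAL default-action drop
+set firewall name WAN_LOCAL rule 20 action accept
+set firewall name WAN_LOCAL rule 20 description WireGuard
+set firewall name WAN_LOCAL rule 20 destination port 51821
+set firewall name WAN_LOCAL rule 20 protocol udp
+set firewall options mss-clamp interface-type all
+set firewall options mss-clamp mss 1350
+set firewall options mss-clamp6 interface-type all
+set firewall options mss-clamp6 mss 1350
+set firewall receive-redirects disable
+set firewall send-redirects enable
+set firewall source-validation disable
+set firewall syn-cookies enable
+set interfaces ethernet eth0 address dhcp
+set interfaces ethernet eth0 description 'Internet via DHCP'
+set interfaces ethernet eth0 duplex auto
+set interfaces ethernet eth0 speed auto
+set interfaces ethernet eth1 description Local
+set interfaces ethernet eth1 duplex auto
+set interfaces ethernet eth1 speed auto
+set interfaces ethernet eth2 description Local
+set interfaces ethernet eth2 duplex auto
+set interfaces ethernet eth2 speed auto
+set interfaces ethernet eth3 description Local
+set interfaces ethernet eth3 duplex auto
+set interfaces ethernet eth3 speed auto
+set interfaces ethernet eth4 description Local
+set interfaces ethernet eth4 duplex auto
+set interfaces ethernet eth4 poe output off
+set interfaces ethernet eth4 speed auto
+set interfaces loopback lo
+set interfaces switch switch0 address {{ ipv4_address }}
+set interfaces switch switch0 address '{{ ipv6_address }}'
+set interfaces switch switch0 description Local
+set interfaces switch switch0 firewall in ipv6-modify LAN_to_VPN_V6
+set interfaces switch switch0 firewall in modify LAN_to_VPN
+set interfaces switch switch0 ipv6 dup-addr-detect-transmits 1
+set interfaces switch switch0 ipv6 router-advert cur-hop-limit 64
+set interfaces switch switch0 ipv6 router-advert link-mtu 0
+set interfaces switch switch0 ipv6 router-advert managed-flag true
+set interfaces switch switch0 ipv6 router-advert max-interval 600
+set interfaces switch switch0 ipv6 router-advert name-server '2606:4700:4700::1111'
+set interfaces switch switch0 ipv6 router-advert other-config-flag false
+set interfaces switch switch0 ipv6 router-advert prefix '{{ ipv6_network }}' autonomous-flag true
+set interfaces switch switch0 ipv6 router-advert prefix '{{ ipv6_network }}' on-link-flag true
+set interfaces switch switch0 ipv6 router-advert prefix '{{ ipv6_network }}' valid-lifetime 2592000
+set interfaces switch switch0 ipv6 router-advert reachable-time 0
+set interfaces switch switch0 ipv6 router-advert retrans-timer 0
+set interfaces switch switch0 ipv6 router-advert send-advert true
+set interfaces switch switch0 mtu 1500
+set interfaces switch switch0 switch-port interface eth1
+set interfaces switch switch0 switch-port interface eth2
+set interfaces switch switch0 switch-port interface eth3
+set interfaces switch switch0 switch-port interface eth4
+set interfaces switch switch0 switch-port vlan-aware disable
+set interfaces wireguard wg0 address {{ wireguard_address }}
+set interfaces wireguard wg0 listen-port 51822
+set interfaces wireguard wg0 mtu 1355
+set interfaces wireguard wg0 peer {{ wireguard_public }} allowed-ips 0.0.0.0/0
+set interfaces wireguard wg0 peer {{ wireguard_public }} allowed-ips '::0/0'
+set interfaces wireguard wg0 peer {{ wireguard_public }} endpoint 'vpn01.fftdf.de:42001'
+set interfaces wireguard wg0 private-key /config/auth/wg.key
+set interfaces wireguard wg0 route-allowed-ips false
+set protocols static interface-route6 '::/0' next-hop-interface wg0
+set protocols static table 2 route 0.0.0.0/0 next-hop {{ wiregurad_v4 }}
+set protocols static table 2 route6 '::0/0' next-hop '{{ wireguard_v6 }}'
+set protocols static table 2 route6 '::/0' next-hop '{{ wireguard_v6 }}'
+set service dhcp-server disabled false
+set service dhcp-server hostfile-update disable
+set service dhcp-server shared-network-name LAN authoritative enable
+set service dhcp-server shared-network-name LAN subnet {{ ipv4_address }} default-router {{ ipv4_address }}
+set service dhcp-server shared-network-name LAN subnet {{ ipv4_address }} dns-server {{ ipv4_address }}
+set service dhcp-server shared-network-name LAN subnet {{ ipv4_address }} lease 86400
+set service dhcp-server shared-network-name LAN subnet {{ ipv4_address }} start 10.1.0.38 stop 10.1.0.243
+set service dhcp-server static-arp disable
+set service dhcp-server use-dnsmasq disable
+set service dns forwarding cache-size 150
+set service dns forwarding listen-on switch0
+set service gui http-port 80
+set service gui https-port 443
+set service gui older-ciphers enable
+set service nat rule 5010 description 'masquerade for VPN'
+set service nat rule 5010 outbound-interface wg0
+set service nat rule 5010 protocol all
+set service nat rule 5010 type masquerade
+set service ssh port 22
+set service ssh protocol-version v2
+set service unms
+set system host-name {{ inventory_hostname }}
+set system time-zone UTC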
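Review bot: The DHCP block reuses `{{ ipv4_address }}` (10.1.0.1/24) for three different things, so the rendered edgerouter_configs/edge1.md ends up with `subnet 10.1.0.1/24 default-router 10.1.0.1/24` and `dns-server 10.1.0.1/24`; EdgeOS expects the subnet as a network (10.1.0.0/24) and default-router/dns-server as bare addresses, so this will very likely fail validation at `commit` on the router. The fix is to feed the DHCP lines from distinct variables (or the `ipaddr` filter), and while at it the `start 10.1.0.38 stop 10.1.0.243` range, the endpoint `vpn01.fftdf.de:42001` and the WAN_LOCAL port `51821` (which does not even match `listen-port 51822`) are literals that belong in host_vars alongside the values that are already templated. The duplicated `table 2 route6 '::0/0'` and `'::/0'` lines describe the same prefix and one of them should go.
```jinja
{# … unchanged: install notes, firewall, interfaces, static routes … #}
set service dhcp-server shared-network-name LAN subnet {{ ipv4_subnet }} default-router {{ ipv4_router }}
set service dhcp-server shared-network-name LAN subnet {{ ipv4_subnet }} dns-server {{ ipv4_router }}
set service dhcp-server shared-network-name LAN subnet {{ ipv4_subnet }} lease 86400
set service dhcp-server shared-network-name LAN subnet {{ ipv4_subnet }} start {{ dhcp_start }} stop {{ dhcp_stop }}
{# … unchanged: dns forwarding, gui, nat, ssh, unms, system … #}
```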
@ -7,6 +7,7 @@
|
|||||||
Address = {{ wireguard_address }}
|
Address = {{ wireguard_address }}
|
||||||
PrivateKey = {{ wireguard_private_key }}
|
PrivateKey = {{ wireguard_private_key }}
|
||||||
ListenPort = {{ wireguard_port }}
|
ListenPort = {{ wireguard_port }}
|
||||||
|
MTU = 1355
|
||||||
|
|
||||||
PostUp = ip rule add fwmark 0x4 table 42 && iptables -t mangle -A PREROUTING -s 10.255.0.0/16 ! -d 10.0.0.0/8 -j MARK --set-mark 4 && ip route add default via 172.16.7.1 table 42
|
PostUp = ip rule add fwmark 0x4 table 42 && iptables -t mangle -A PREROUTING -s 10.255.0.0/16 ! -d 10.0.0.0/8 -j MARK --set-mark 4 && ip route add default via 172.16.7.1 table 42
|
||||||
|
|
||||||
|
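Review bot: `MTU = 1355` is a bare literal in a file whose neighbouring `Address`, `PrivateKey` and `ListenPort` are all templated, and the MTU is a per-link value that must agree with the far end; the generated edge config sets `wg0 mtu 1355` but the hand-kept edge1.md in this same commit uses `1384`, so a variable keeps the two from drifting: `MTU = {{ wireguard_mtu | default(1355) }}`. The `PostUp` line below it is existing context and is not touched by this hunk; the enclosing interface section starts outside the hunk.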