From eba39322eee6fae38f44e80b6255b6535ca504d1 Mon Sep 17 00:00:00 2001
From: Stefan
Date: Sun, 5 Mar 2023 17:38:26 +0100
Subject: [PATCH] Added config for vyos routers
---
host_vars/router4.yml | 67 +++- roles/vyos-config/tasks/main.yml | 3 + roles/vyos-config/templates/config.j2 | 444 ++++++++++++++++++++++++++ 3 files changed, 511 insertions(+), 3 deletions(-) create mode 100644 roles/vyos-config/tasks/main.yml create mode 100644 roles/vyos-config/templates/config.j2
diff --git a/host_vars/router4.yml b/host_vars/router4.yml
index 4697e73..81233a5 100644
--- a/host_vars/router4.yml
+++ b/host_vars/router4.yml
@@ -1,3 +1,64 @@
-wan_address: 5.9.220.113/29
-local_address: 172.16.7.1/24
-ffrl_address: 185.66.193.107/32
\ No newline at end of file
+wan_address: 5.9.220.113
+wan_gateway: 5.9.220.112
+wan_net: /29
+lan_address: 172.16.7.1
+lan_network: 172.16.7.0/24
+ffrl_address: 185.66.193.107
+ffrl_address_v6: 2a03:2260:121:600::0/128
+ffrl_net_v6: 2a03:2260:121:600::/55
+
+dhcp_start: 172.16.7.10
+dhcp_end: 172.16.7.200
+
+static_dhcp_leases:
+ vpn01:
+ mac_address: 36:f3:82:18:9b:03
+ ip_address: 172.16.7.2
+
+
+gre_bb_transfer_net: /31
+gre_bb_transfer_net_v6: /64
+gre_bb_renote_as: 201701
+gre_bb_local_as: 65066
+
+gre_ber_a_address: 100.64.6.25
+gre_ber_a_neighbor: 100.64.6.24
+gre_ber_a_address_v6: 2a03:2260:0:30c::2
+gre_ber_a_neighbor_v6: 2a03:2260:0:30c::1
+gre_ber_a_description: gre_ber_a
+gre_ber_a_remote: 185.66.195.0
+
+gre_ber_b_address: 100.64.6.31
+gre_ber_b_neighbor: 100.64.6.30
+gre_ber_b_address_v6: 2a03:2260:0:30f::2
+gre_ber_b_neighbor_v6: 2a03:2260:0:30f::1
+gre_ber_b_description: gre_b_ber
+gre_ber_b_remote: 185.66.195.1
+
+gre_a_dus_address: 100.64.6.29
+gre_a_dus_neighbor: 100.64.6.28
+gre_a_dus_address_v6: 2a03:2260:0:30e::2
+gre_a_dus_neighbor_v6: 2a03:2260:0:30e::1
+gre_a_dus_description: gre_a_dus
+gre_a_dus_remote: 185.66.193.0
+
+gre_b_dus_address: 100.64.6.35
+gre_b_dus_neighbor: 100.64.6.34
+gre_b_dus_address_v6: 2a03:2260:0:311::2
+gre_b_dus_neighbor_v6: 2a03:2260:0:311::1
+gre_b_dus_description: gre_b_dus
+gre_b_dus_remote: 185.66.193.1
+
+gre_a_fra_address: 100.64.6.27
+gre_a_fra_neighbor: 100.64.6.26
+gre_a_fra_address_v6: 2a03:2260:0:30d::2
+gre_a_fra_neighbor_v6: 2a03:2260:0:30d::1
+gre_a_fra_description: gre_a_fra
+gre_a_fra_remote: 185.66.194.0
+
+gre_b_fra_address: 100.64.6.33
+gre_b_fra_neighbor: 100.64.6.32
+gre_b_fra_address_v6: 2a03:2260:0:310::2
+gre_b_fra_neighbor_v6: 2a03:2260:0:310::1
+gre_b_fra_description: gre_b_fra
+gre_b_fra_remote: 185.66.194.1
\ No newline at end of file
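Review bot: `gre_ber_b_description: gre_b_ber` breaks the `gre_<site>_<a|b>` pattern the other five description values follow, and because the template feeds that variable into both the tun1 description and the BGP neighbor description, the mislabeled name is what operators will see on the router; `gre_ber_b_description: gre_ber_b` aligns it. `gre_bb_renote_as` reads like a typo for `gre_bb_remote_as`; it is spelled consistently in the template so it still renders, but renaming it in both files in this commit is cheaper than once other hosts copy it. `ffrl_address_v6` keeps its `/128` while the v4 `ffrl_address` and `wan_address` had their prefix stripped and `wan_net` split off, so the three "address" variables now follow two different conventions — worth a one-line comment at the top of the file stating which variables carry a prefix. The file still ends without a trailing newline, as the `\ No newline at end of file` marker shows.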
diff --git a/roles/vyos-config/tasks/main.yml b/roles/vyos-config/tasks/main.yml
new file mode 100644
index 0000000..bc907fa
--- /dev/null
+++ b/roles/vyos-config/tasks/main.yml
@@ -0,0 +1,3 @@
+- name: render a Jinja2 template onto the VyOS router
+ vyos.vyos.vyos_config:
+ src: config.j2
\ No newline at end of file
diff --git a/roles/vyos-config/templates/config.j2 b/roles/vyos-config/templates/config.j2
new file mode 100644
index 0000000..6b9f54e
--- /dev/null
+++ b/roles/vyos-config/templates/config.j2
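Review bot: The task loads `config.j2` but never persists the result, because `vyos.vyos.vyos_config` defaults `save` to false, so the committed configuration would be lost on the next reboot; adding `save: true` under `src: config.j2` fixes that, and `backup: true` keeps a copy of the pre-change running config for rollback. As far as I can tell the module merges the rendered tree into the running configuration rather than replacing it, so stanzas later removed from the template (an old tunnel or BGP neighbor) stay on the router until deleted explicitly — a comment on the task saying so would save the next maintainer a surprise. The file also ends without a trailing newline.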
@@ -0,0 +1,444 @@ +interfaces { + ethernet eth0 { + address {{ wan_address }} + description WAN + } + ethernet eth1 { + address {{ lan_address }}/24 + description "Freifunk WAN" + ipv6 { + address { + autoconf + } + } + } + loopback lo { + address {{ ffrl_address }}/32 + address {{ ffrl_address_v6 }} + } + tunnel tun0 { + address {{ gre_ber_a_address }}{{gre_bb_transfer_net}} + address {{ gre_ber_a_address_v6 }}{{ gre_bb_transfer_net_v6 }} + description {{ gre_ber_a_description }} + encapsulation gre + remote {{ gre_ber_a_remote }} + source-address {{ wan_address }} + } + tunnel tun1 { + address {{ gre_ber_b_address }}{{gre_bb_transfer_net}} + address {{ gre_ber_b_address_v6 }}{{ gre_bb_transfer_net_v6 }} + description {{ gre_ber_b_description }} + encapsulation gre + remote {{ gre_ber_b_remote }} + source-address {{ wan_address }} + } + tunnel tun2 { + address {{ gre_a_dus_address }}{{gre_bb_transfer_net}} + address {{ gre_a_dus_address_v6 }}{{ gre_bb_transfer_net_v6 }} + description {{ gre_a_dus_description }} + encapsulation gre + remote {{ gre_a_dus_remote }} + source-address {{ wan_address }} + } + tunnel tun3 { + address {{ gre_b_dus_address }}{{gre_bb_transfer_net}} + address {{ gre_b_dus_address_v6 }}{{ gre_bb_transfer_net_v6 }} + description {{ gre_b_dus_description }} + encapsulation gre + remote {{ gre_b_dus_remote }} + source-address {{ wan_address }} + } + tunnel tun4 { + address {{ gre_a_fra_address }}{{gre_bb_transfer_net}} + address {{ gre_a_fra_address_v6 }}{{ gre_bb_transfer_net_v6 }} + description {{ gre_a_fra_description }} + encapsulation gre + remote {{ gre_a_fra_remote }} + source-address {{ wan_address }} + } + tunnel tun5 { + address {{ gre_b_fra_address }}{{gre_bb_transfer_net}} + address {{ gre_b_fra_address_v6 }}{{ gre_bb_transfer_net_v6 }} + description {{ gre_b_fra_description }} + encapsulation gre + remote {{ gre_b_fra_remote }} + source-address {{ wan_address }} + } +} +nat { + source { + rule 1 { + outbound-interface any + source { 
+ address {{ lan_network }} + } + translation { + address {{ ffrl_address }} + } + } + } +} +policy { + local-route { + rule 10 { + set { + table 42 + } + source {{ wan_address }} + } + } + prefix-list FFRL-IN { + rule 10 { + action permit + prefix 0.0.0.0/0 + } + } + prefix-list FFRL-OUT { + rule 10 { + action permit + prefix {{ ffrl_address }} + } + } + prefix-list6 FFRL-IN-6 { + rule 10 { + action permit + prefix ::/0 + } + } + prefix-list6 FFRL-OUT-6 { + rule 10 { + action permit + prefix {{ ffrl_net_v6 }} + } + } + route-map FFRL-IN { + rule 10 { + action permit + match { + ip { + address { + prefix-list FFRL-IN + } + } + } + } + } + route-map FFRL-OUT { + rule 10 { + action permit + match { + ip { + address { + prefix-list FFRL-OUT + } + } + } + } + } + route-map FFRL-IN-6 { + rule 10 { + action permit + match { + ipv6 { + address { + prefix-list FFRL-IN-6 + } + } + } + } + } + route-map FFRL-OUT-6 { + rule 10 { + action permit + match { + ipv6 { + address { + prefix-list FFRL-OUT-6 + } + } + } + } + } +} +protocols { + bgp { + address-family { + ipv4-unicast { + network {{ ffrl_address }} { + } + } + ipv6-unicast { + network {{ ffrl_net_v6 }} { + } + } + } + neighbor {{ gre_ber_a_neighbor }} { + address-family { + ipv4-unicast { + route-map { + export FFRL-OUT + import FFRL-IN + } + } + } + description {{ gre_ber_a_description }} + remote-as {{ gre_bb_renote_as }} + update-source {{ gre_ber_a_address }} + } + neighbor {{ gre_ber_b_neighbor }} { + address-family { + ipv4-unicast { + route-map { + export FFRL-OUT + import FFRL-IN + } + } + } + description {{ gre_ber_b_description }} + remote-as {{ gre_bb_renote_as }} + update-source {{ gre_ber_b_address }} + } + neighbor {{ gre_a_dus_neighbor }} { + address-family { + ipv4-unicast { + route-map { + export FFRL-OUT + import FFRL-IN + } + } + } + description {{ gre_a_dus_description }} + remote-as {{ gre_bb_renote_as }} + update-source {{ gre_a_dus_address }} + } + neighbor {{ gre_b_dus_neighbor }} { + 
address-family { + ipv4-unicast { + route-map { + export FFRL-OUT + import FFRL-IN + } + } + } + description {{ gre_b_dus_description }} + remote-as {{ gre_bb_renote_as }} + update-source {{ gre_b_dus_address }} + } + neighbor {{ gre_a_fra_neighbor }} { + address-family { + ipv4-unicast { + route-map { + export FFRL-OUT + import FFRL-IN + } + } + } + description {{ gre_a_fra_description }} + remote-as {{ gre_bb_renote_as }} + update-source {{ gre_a_fra_address }} + } + neighbor {{ gre_b_fra_neighbor }} { + address-family { + ipv4-unicast { + route-map { + export FFRL-OUT + import FFRL-IN + } + } + } + description {{ gre_b_fra_description }} + remote-as {{ gre_bb_renote_as }} + update-source {{ gre_b_fra_address }} + } + neighbor {{ gre_ber_a_neighbor_v6 }} { + address-family { + ipv6-unicast { + route-map { + export FFRL-OUT-6 + import FFRL-IN-6 + } + } + } + remote-as {{ gre_bb_renote_as }} + update-source {{ gre_ber_a_address_v6 }} + } + neighbor {{ gre_ber_b_neighbor_v6 }} { + address-family { + ipv6-unicast { + route-map { + export FFRL-OUT-6 + import FFRL-IN-6 + } + } + } + remote-as {{ gre_bb_renote_as }} + update-source {{ gre_ber_b_address_v6 }} + } + neighbor {{ gre_a_dus_neighbor_v6 }} { + address-family { + ipv6-unicast { + route-map { + export FFRL-OUT-6 + import FFRL-IN-6 + } + } + } + remote-as {{ gre_bb_renote_as }} + update-source {{ gre_a_dus_address_v6 }} + } + neighbor {{ gre_b_dus_neighbor_v6 }} { + address-family { + ipv6-unicast { + route-map { + export FFRL-OUT-6 + import FFRL-IN-6 + } + } + } + remote-as {{ gre_bb_renote_as }} + update-source {{ gre_b_dus_address_v6 }} + } + neighbor {{ gre_a_fra_neighbor_v6 }} { + address-family { + ipv6-unicast { + route-map { + export FFRL-OUT-6 + import FFRL-IN-6 + } + } + } + remote-as {{ gre_bb_renote_as }} + update-source {{ gre_a_fra_address_v6 }} + } + neighbor {{ gre_b_fra_neighbor_v6 }} { + address-family { + ipv6-unicast { + route-map { + export FFRL-OUT-6 + import FFRL-IN-6 + } + } + } + 
remote-as {{ gre_bb_renote_as }} + update-source {{ gre_b_fra_address_v6 }} + } + parameters { + router-id {{ wan_address }} + } + system-as {{ gre_bb_local_as }} + } + static { + table 42 { + route 0.0.0.0/0 { + next-hop {{ wan_gateway }} { + } + } + } + } +} +service { + dhcp-server { + listen-address {{ lan_address }} + shared-network-name freifunk { + subnet {{ lan_network }} { + default-router {{ lan_address }} + name-server 1.1.1.1 + name-server 1.0.0.1 + range dhcp { + start {{ dhcp_start }} + stop {{ dhcp_end }} + } + {% if static_dhcp_leases is defined %} + {% for lease in static_dhcp_leases.keys() %} + static-mapping {{ lease }} { + ip-address {{ static_dhcp_leases[lease].ip_address }} + mac-address {{ static_dhcp_leases[lease].mac_address }} + } + {% endfor %} + {% endif %} + } + } + } + ntp { + allow-client { + address 0.0.0.0/0 + address ::/0 + } + server time1.vyos.net { + } + server time2.vyos.net { + } + server time3.vyos.net { + } + } + router-advert { + interface eth1 { + default-lifetime 300 + default-preference high + hop-limit 64 + interval { + max 30 + } + link-mtu 1500 + name-server 2606:4700:4700::1111 + prefix {{ ffrl_net_v6 }} { + preferred-lifetime 300 + valid-lifetime 900 + } + reachable-time 90000 + retrans-timer 0 + } + } + ssh { + port 22 + } +} +system { + config-management { + commit-revisions 100 + } + conntrack { + modules { + ftp + h323 + nfs + pptp + sip + sqlnet + tftp + } + } + console { + device ttyS0 { + speed 115200 + } + } + host-name {{ inventory_hostname }} + login { + banner { + post-login "Welcome to the core Freifunk Router for Troisdorf!\n\nEnjoy it while you are here!\n" + } + user vyos { + authentication { + public-keys nils { + key ssh-rsa 
AAAAB3NzaC1yc2EAAAADAQABAAACAQCvwA3/NDj7Oo28Q1XdRIgOp//35gFVvsDa1dnMkgRDqJYvlIDbRiQ+UIcgu5YhstPb8BAxfvqjRP4rnMKc7v69T2Lp+HOMx+1sOYrznEe2hC5lPr4+U1u4Fzqhq/keSoItifmdTgrE+01Zc5jMBosUIm79TDgEMuEGcYVJIyAzDv9ez4u+Bz/HubRO+qT/+UmOICEg9m/C+fiH/ZAJHi90dMsj7RF5YXrRHXTAdiecurwGAZx2Adug1fFTvzB1pqBUHje1PFtEI+LheYklpNtiJo8NQ2KDEiavSxBibJrywzQHaddf0bkeAhmiNY8PRoMpMNeiu94DyNFWgdm7bLzdzrN/o5U7MlnJlcn8D1tLtdp0ngTxaN6VIywI8mQ/Ukxz8p2Ce49vu6osz4CvYhKx4mrvOSmqg9VjKcL6/rIwK7y5CWgIrddktxrSpUHXkzoQSefgZ5Bnu3CNp0GixWV5JTHnFxCulJAGi3TTqx7IvsJ8gpuKkeGnIgnDhFbqVOKeEEnR13tTCJ7MgPQ+VHREQ68u73a5TfDxJd/ggnG4tQ67HOcqxwa74+X1lv7YiJ3AvbrR7FFPNM3o5N8ZmZWhBLDaUHrjElHkZdB/V2l2bCblWhD0INCYoskuK1dFGdf3gQQeKOivGzKtzI0xNKutrxfvarkikxCEV3Exj889rQ== + type ssh-rsa + } + public-keys stefan { + key ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDM0d9uUUdkK80fYEAz+IwxbhQO2qsr87Q4uxxwqQCvjVWryL+IuKMBJJGroWDMz2d9UJcIXEYdMz4436U0DoPJuoXe5iDsVvum3Vz3276My+tqx1bZWCktPa8Isft7mO/wfELNjRNQduUiwh2y712s7/3GQI+5Rs/65HuLHTnpLKrlfptqmsmYw+IUFDzGwBLJ6sqP90ywjKkperPCAH3IWcTsQwnW3EJFPToMg6BrQslZlxx/z+co3e6jCWzUuuIRP9jp4SmNVfYaVGb1cOFdL1p1P0qWHBHdGUnXHZ+c773VKVSj+spUBxKGqNC1EhRCYTsPDLVrYrhKl2BRLcgB + type ssh-rsa + } + } + } + } + syslog { + global { + facility all { + level info + } + facility protocols { + level debug + } + } + } +} \ No newline at end of file
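Review bot: `address {{ wan_address }}` on eth0, `prefix {{ ffrl_address }}` in prefix-list FFRL-OUT and `network {{ ffrl_address }}` under bgp ipv4-unicast render with no prefix length now that host_vars strips the `/29` and `/32` (the loopback line appends `/32` itself, and `wan_net: /29` is defined but never used), so those three lines will most likely be rejected at commit time; `address {{ wan_address }}{{ wan_net }}`, `prefix {{ ffrl_address }}/32` and `network {{ ffrl_address }}/32` bring them in line with the rest of the template. The rendered config carries no `firewall` stanza while `service ntp allow-client` admits `0.0.0.0/0` and `::/0` and `service ssh` is bound to every interface, so both services are reachable from the WAN side of eth0; restricting allow-client to `{{ lan_network }}`, adding `listen-address {{ lan_address }}` and `disable-password-authentication` under `ssh` (the `vyos` user already has public keys), and an input policy on eth0 would close that exposure. `nat source rule 1 outbound-interface any` also translates LAN sources on eth1 and the GRE tunnels, not only on eth0; if that is intended, a short comment above the rule should say so, otherwise name the interface.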