From fce5d81274036167695e0fce56eb4c212a1798ec Mon Sep 17 00:00:00 2001
From: Ansible Admin
Date: Sat, 9 Jan 2016 19:50:44 +0100
Subject: [PATCH] + bird BGP config + new FFRL exit super nodes + new keepalive for ffrl exit
---
 files/bird-troisdorf5.conf | 84 +++++++++++++++++++++++++++++++++
 files/bird-troisdorf6.conf | 84 +++++++++++++++++++++++++++++++++
 files/bird6-troisdorf5.conf | 82 ++++++++++++++++++++++++++++++++
 files/bird6-troisdorf6.conf | 82 ++++++++++++++++++++++++++++++++
 files/collectd.conf.j2 | 2 +-
 files/dhcpd.conf.j2 | 7 +--
 files/dhcpd6.conf.j2 | 22 +++++++++
 files/gre_backbone.sh.j2 | 57 ----------------------
 files/interfaces-troisdorf5 | 80 ++++++++++++++++++++++++++++++++
 files/interfaces-troisdorf6 | 85 ++++++++++++++++++++++++++++++++++
 files/keepalive.sh | 82 +++++++++++++++----------------
 files/l2tp_backbone.sh.exit.j2 | 58 +++++++++++++++++++++++
 files/l2tp_backbone.sh.j2 | 10 ++--
 files/radvd.conf.j2 | 3 +-
 files/sn_startup.exit.sh.j2 | 68 +++++++++++++++++++++++++++
 files/sn_startup.sh.j2 | 46 +++++++++--------
 install.sn.yml | 47 ++++++++++++++++---
 17 files changed, 760 insertions(+), 139 deletions(-)
 create mode 100644 files/bird-troisdorf5.conf
 create mode 100644 files/bird-troisdorf6.conf
 create mode 100644 files/bird6-troisdorf5.conf
 create mode 100644 files/bird6-troisdorf6.conf
 create mode 100644 files/dhcpd6.conf.j2
 delete mode 100644 files/gre_backbone.sh.j2
 create mode 100644 files/interfaces-troisdorf5
 create mode 100644 files/interfaces-troisdorf6
 create mode 100644 files/l2tp_backbone.sh.exit.j2
 create mode 100644 files/sn_startup.exit.sh.j2
diff --git a/files/bird-troisdorf5.conf b/files/bird-troisdorf5.conf
new file mode 100644
index 0000000..1e8b899
--- /dev/null
+++ b/files/bird-troisdorf5.conf
@@ -0,0 +1,84 @@ +/* + * This is an example configuration file. + */ + +# Yes, even shell-like comments work... + +# Configure logging +#log syslog { debug, trace, info, remote, warning, error, auth, fatal, bug }; +#log stderr all; +#log "tmp" all; +#log syslog all; + +#debug protocols all; + +# Override router ID +router id 10.188.255.5; + + +protocol direct { + interface "*"; +}; + +protocol kernel { + device routes; + import all; + export all; + kernel table 42; +}; + +protocol device { + scan time 8; +}; + +function is_default() { + return (net ~ [0.0.0.0/0]); +}; + +# own network +function is_self_net() { + return (net ~ [ 10.188.0.0/16+ ]); +} + +# freifunk ip ranges in general +function is_freifunk() { + return net ~ [ 10.0.0.0/8+, + 104.0.0.0/8+ + ]; +} + +filter hostroute { + if net ~ 185.66.193.105/32 then accept; + reject; +}; + +# Uplink über ff Rheinland +template bgp uplink { + local as 65066; + import where is_default(); + export filter hostroute; + next hop self; + multihop 64; + default bgp_local_pref 200; +}; + +protocol bgp ffrl_bb_a_ak_ber from uplink { + source address 100.64.2.151; + neighbor 100.64.2.150 as 201701; +}; + +protocol bgp ffrl_bb_b_ak_ber from uplink { + source address 100.64.2.153; + neighbor 100.64.2.152 as 201701; +}; + +protocol bgp ffrl_bb_a_ix_dus from uplink { + source address 100.64.2.155; + neighbor 100.64.2.154 as 201701; +}; + +protocol bgp ffrl_bb_b_ix_dus from uplink { + source address 100.64.2.157; + neighbor 100.64.2.156 as 201701; +}; + diff --git a/files/bird-troisdorf6.conf b/files/bird-troisdorf6.conf new file mode 100644 index 0000000..b2a4b57 --- /dev/null +++ b/files/bird-troisdorf6.conf 
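Review bot: `protocol direct { interface "*"; }` generates a route for every interface, including eth0's uplink subnet, and `protocol kernel { export all; kernel table 42; }` then pushes all of them into table 42, whereas the bird6 counterpart in this patch limits direct to `interface "bat0", "gre-*", "lo";`; use the same list here so table 42 only holds mesh and tunnel routes. The same applies to files/bird-troisdorf6.conf. The two IPv4 files (and likewise the two bird6 files) differ only in router id, the /32 in `filter hostroute` and the 100.64.2.x tunnel addresses, so a single bird.conf.j2 rendered with per-host variables, as the playbook already does for dhcpd and sn_startup, would stop the copies drifting apart. The leftover `This is an example configuration file.` header should say what the file is, e.g. `/* BIRD IPv4 config for troisdorf5: FFRL BGP uplink, accepts only the default route, announces only the exit /32 */`.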
@@ -0,0 +1,84 @@ +/* + * This is an example configuration file. + */ + +# Yes, even shell-like comments work... + +# Configure logging +#log syslog { debug, trace, info, remote, warning, error, auth, fatal, bug }; +#log stderr all; +#log "tmp" all; +#log syslog all; + +#debug protocols all; + +# Override router ID +router id 10.188.255.6; + + +protocol direct { + interface "*"; +}; + +protocol kernel { + device routes; + import all; + export all; + kernel table 42; +}; + +protocol device { + scan time 8; +}; + +function is_default() { + return (net ~ [0.0.0.0/0]); +}; + +# own network +function is_self_net() { + return (net ~ [ 10.188.0.0/16+ ]); +} + +# freifunk ip ranges in general +function is_freifunk() { + return net ~ [ 10.0.0.0/8+, + 104.0.0.0/8+ + ]; +} + +filter hostroute { + if net ~ 185.66.193.106/32 then accept; + reject; +}; + +# Uplink über ff Rheinland +template bgp uplink { + local as 65066; + import where is_default(); + export filter hostroute; + next hop self; + multihop 64; + default bgp_local_pref 200; +}; + +protocol bgp ffrl_bb_a_ak_ber from uplink { + source address 100.64.2.159; + neighbor 100.64.2.158 as 201701; +}; + +protocol bgp ffrl_bb_b_ak_ber from uplink { + source address 100.64.2.161; + neighbor 100.64.2.160 as 201701; +}; + +protocol bgp ffrl_bb_a_ix_dus from uplink { + source address 100.64.2.163; + neighbor 100.64.2.162 as 201701; +}; + +protocol bgp ffrl_bb_b_ix_dus from uplink { + source address 100.64.2.165; + neighbor 100.64.2.164 as 201701; +}; + diff --git a/files/bird6-troisdorf5.conf b/files/bird6-troisdorf5.conf new file mode 100644 index 0000000..37d46b5 --- /dev/null +++ b/files/bird6-troisdorf5.conf 
@@ -0,0 +1,82 @@ +# Configure logging +#log syslog { debug, trace, info, remote, warning, error, auth, fatal, bug }; +#log stderr all; +#log "tmp" all; +#log syslog all; + +#debug protocols all; + +# Override router ID +router id 10.188.255.5; + +protocol direct { +# interface "*"; # Restrict network interfaces it works with +# interface "bat0", "gre-*", "eth*", "lo"; # Restrict network interfaces it works with + interface "bat0", "gre-*", "lo"; # Restrict network interfaces it works with + +} + + +protocol kernel { + device routes; + import all; + export all; # Default is export none + kernel table 42; # Kernel table to synchronize with (default: main) +} + +protocol device { + scan time 10; # Scan interfaces every 10 seconds +} + +function is_default() { + return (net ~ [::/0]); +} + +# own networks +function is_self_net() { +return net ~ [ fda0:747e:ab29:7405::/64+ ]; +} + +# freifunk ip ranges in general +function is_freifunk() { +return net ~ [ fc00::/7{48,64}, +2001:bf7::/32+]; +} + +filter hostroute { + if net ~ 2a03:2260:121::/48 then accept; + reject; +} + + + +# Uplink zum FF Rheinland +template bgp uplink { + local as 65066; + import where is_default(); + export filter hostroute; + gateway recursive; +} + + +protocol bgp ffrl_bb_a_ak_ber from uplink { + source address 2a03:2260:0:155::2; + neighbor 2a03:2260:0:155::1 as 201701; +} + +protocol bgp ffrl_bb_b_ak_ber from uplink { + source address 2a03:2260:0:156::2; + neighbor 2a03:2260:0:156::1 as 201701; +} + + +protocol bgp ffrl_bb_a_ix_dus from uplink { + source address 2a03:2260:0:157::2; + neighbor 2a03:2260:0:157::1 as 201701; +} + +protocol bgp ffrl_bb_b_ix_dus from uplink { + source address 2a03:2260:0:158::2; + neighbor 2a03:2260:0:158::1 as 201701; +} + diff --git a/files/bird6-troisdorf6.conf b/files/bird6-troisdorf6.conf new file mode 100644 index 0000000..944c19d --- /dev/null +++ b/files/bird6-troisdorf6.conf 
@@ -0,0 +1,82 @@ +# Configure logging +#log syslog { debug, trace, info, remote, warning, error, auth, fatal, bug }; +#log stderr all; +#log "tmp" all; +#log syslog all; + +#debug protocols all; + +# Override router ID +router id 10.188.255.6; + +protocol direct { +# interface "*"; # Restrict network interfaces it works with +# interface "bat0", "gre-*", "eth*", "lo"; # Restrict network interfaces it works with + interface "bat0", "gre-*", "lo"; # Restrict network interfaces it works with + +} + + +protocol kernel { + device routes; + import all; + export all; # Default is export none + kernel table 42; # Kernel table to synchronize with (default: main) +} + +protocol device { + scan time 10; # Scan interfaces every 10 seconds +} + +function is_default() { + return (net ~ [::/0]); +} + +# own networks +function is_self_net() { +return net ~ [ fda0:747e:ab29:7405::/64+ ]; +} + +# freifunk ip ranges in general +function is_freifunk() { +return net ~ [ fc00::/7{48,64}, +2001:bf7::/32+]; +} + +filter hostroute { + if net ~ 2a03:2260:121::/48 then accept; + reject; +} + + + +# Uplink zum FF Rheinland +template bgp uplink { + local as 65066; + import where is_default(); + export filter hostroute; + gateway recursive; +} + + +protocol bgp ffrl_bb_a_ak_ber from uplink { + source address 2a03:2260:0:159::2; + neighbor 2a03:2260:0:159::1 as 201701; +} + +protocol bgp ffrl_bb_b_ak_ber from uplink { + source address 2a03:2260:0:15a::2; + neighbor 2a03:2260:0:15a::1 as 201701; +} + + +protocol bgp ffrl_bb_a_ix_dus from uplink { + source address a03:2260:0:15b::2; + neighbor 2a03:2260:0:15b::1 as 201701; +} + +protocol bgp ffrl_bb_b_ix_dus from uplink { + source address 2a03:2260:0:15c::2; + neighbor 2a03:2260:0:15c::1 as 201701; +} + diff --git a/files/collectd.conf.j2 b/files/collectd.conf.j2 index cda8c26..9d55856 100644 --- a/files/collectd.conf.j2 +++ b/files/collectd.conf.j2 
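Review bot: The `ffrl_bb_a_ix_dus` block sets `source address a03:2260:0:15b::2;`, which is missing the leading `2`: files/interfaces-troisdorf6 configures `2a03:2260:0:15b::2/64` on gre-bb-a.ix.dus and the neighbor line in the same block uses the 2a03 prefix. Because `a03:2260:0:15b::2` is still a syntactically valid address, bird6 loads the file without complaint and this one session simply never establishes for want of a local address to bind to. Change it to `source address 2a03:2260:0:15b::2;`.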
@@ -26,7 +26,7 @@ LoadPlugin processes
 LoadPlugin users
 LoadPlugin uptime
 LoadPlugin interface
-LoadPugin filecount
+LoadPlugin filecount
 Instance "tunneldigger-connections"
diff --git a/files/dhcpd.conf.j2 b/files/dhcpd.conf.j2
index d23aa06..e226e31 100644
--- a/files/dhcpd.conf.j2
+++ b/files/dhcpd.conf.j2
@@ -1,4 +1,4 @@
-# Version 1.2
+# Version 1.3
 ddns-update-style none;
 option domain-name "fftdf";
 default-lease-time 300;
@@ -7,8 +7,9 @@ log-facility local7;
 subnet 10.188.0.0 netmask 255.255.0.0 {
 authoritative;
 range {{ sn_dhcp_range }};
-option domain-name-servers {{ sn_mesh_IPv4 }}, {{ sn_dhcp_dns }};
-option routers {{ sn_dhcp_router }};
+option domain-name-servers {{ sn_mesh_IPv4 }}, {{ sn_dhcp_dns_v4 }};
+option routers {{ sn_mesh_IPv4 }};
+option interface-mtu {{ sn_mtu }};
 interface bat0;
 }
 include "/opt/freifunk/static-dhcp/static.conf";
diff --git a/files/dhcpd6.conf.j2 b/files/dhcpd6.conf.j2
new file mode 100644
index 0000000..e16eb8b
--- /dev/null
+++ b/files/dhcpd6.conf.j2
@@ -0,0 +1,22 @@
+# Enable RFC 5007 support (same than for DHCPv4)
+allow leasequery;
+
+authoritative;
+
+default-lease-time 300;
+max-lease-time 600;
+
+#option dhcp6.name-servers {{ sn_mesh_IPv6 }};
+option dhcp6.name-servers {{ sn_mesh_IPv6 }}, {{ sn_dhcp_dns_v6 }};
+
+option dhcp6.domain-search "fftdf";
+
+subnet6 2a03:2260:121::/64 {
+#
+# # Range for clients
+# range6 2a03:2260:121::201 2a03:2260:121::ffff;
+#
+# # Range for clients requesting a temporary address
+# range6 2a03:2260:121::/64 temporary;
+}
+
diff --git a/files/gre_backbone.sh.j2 b/files/gre_backbone.sh.j2
deleted file mode 100644
index b4af165..0000000
--- a/files/gre_backbone.sh.j2
+++ /dev/null
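Review bot: In dhcpd6.conf.j2 the `subnet6 2a03:2260:121::/64 { ... }` block has every `range6` commented out, so the server can answer Information-Requests with `dhcp6.name-servers` but will never lease an address; if stateless, DNS-only operation is intended, say so above the block, e.g. `# stateless DHCPv6: addresses come from radvd/SLAAC, only DNS and domain-search are served here`, otherwise one range6 has to be enabled. The template also references `sn_dhcp_dns_v6`, and dhcpd.conf.j2 now references the renamed `sn_dhcp_dns_v4`; neither is defined in the install.sn.yml hunks of this patch, so they presumably come from the inventory and are worth confirming, since an undefined variable fails the template task. None of the visible playbook hunks deploys dhcpd6.conf.j2 either, so the file may be unused until a task is added. `same than for DHCPv4` in the first comment should read `same as for DHCPv4`.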
@@ -1,57 +0,0 @@ -#!/bin/sh -# Server name ending must be a single digit number -communityname="troisdorf" -server="troisdorf0 {{ sn_hostname }}" -domain="freifunk-troisdorf.de" -mtu={{ sn_mtu }} -# community MAC address, without the last Byte (:)! -communitymacaddress="a2:8c:ae:6f:f6" -# Network part of the network, without the trailing dot -communitynetwork="10.188" -# IPv6 network -communitynetworkv6="fda0:747e:ab29:7405:255::" -# Third octet from the server range -octet3rd="255" -# CIDR muss /16 sein -localserver=$(/bin/hostname) -# files -batadv=/usr/local/sbin/batadv-vis -alfred=/usr/local/sbin/alfred -batctl=/usr/local/sbin/batctl - -for i in $server; do - -( - for j in $server; do - - if [ $i != $j ]; then - if [ $i = $(/bin/hostname) ]; then - /sbin/ip link add $j type gretap local $(/bin/hostname -I | /usr/bin/cut -f1 -d' ') remote $(/usr/bin/dig +short $j.$domain) dev eth0 nopmtudisc -# /sbin/ip link add $j type gretap local $(/bin/hostname -I | /usr/bin/cut -f1 -d' ') remote $(/usr/bin/dig +short $j.$domain) dev eth0 - /sbin/ip link set dev $j mtu $mtu -# /sbin/ip link set address $communitymacaddress:${i#$communityname}${j#$communityname} dev $j -# /sbin/ip link set address $communitymacaddress$:0${localserver#$communityname} dev $j - /sbin/ip link set address $communitymacaddress$:${localserver#$communityname}0 dev $j - /sbin/ip link set $j up - $batctl if add $j - fi - fi - - done -) - -done - -# configure bat0 -/sbin/ip link set address $communitymacaddress$:0${localserver#$communityname} dev bat0 -/sbin/ip link set up dev bat0 -/sbin/ip addr add $communitynetwork.$octet3rd.${localserver#$communityname}/16 broadcast $communitynetwork.255.255 dev bat0 -/sbin/ip -6 addr add fda0:747e:ab29:7405:255::${localserver#$communityname}/64 dev bat0 - -/usr/bin/killall alfred -/usr/bin/killall batadv-vis -/bin/sleep 5 -$alfred -i bat0 > /dev/null 2>&1 & -/bin/sleep 15 -$batadv -i bat0 -s > /dev/null 2>&1 & -/usr/sbin/service bind9 restart 
diff --git a/files/interfaces-troisdorf5 b/files/interfaces-troisdorf5
new file mode 100644
index 0000000..858c737
--- /dev/null
+++ b/files/interfaces-troisdorf5
@@ -0,0 +1,80 @@
+# This file describes the network interfaces available on your system
+# and how to activate them. For more information, see interfaces(5).
+
+source /etc/network/interfaces.d/*
+
+# The loopback network interface
+auto lo
+iface lo inet loopback
+ up ip address add 185.66.193.105/32 dev lo
+
+iface lo inet6 loopback
+ up ip address add 2a03:2260:121::105/48 dev lo
+
+
+# The primary network interface
+allow-hotplug eth0
+iface eth0 inet dhcp
+
+iface eth0 inet6 static
+ address 2a01:4f8:c17:173b::2
+ netmask 64
+ gateway fe80::1
+
+# GRE Tunnel zum Rheinland Backbone
+# - Die Konfigurationsdaten werden vom Rheinland Backbone vergeben und zugewiesen
+
+# Berlin Router A
+auto gre-bb-a.ak.ber
+iface gre-bb-a.ak.ber inet static
+ address 100.64.2.151
+ netmask 255.255.255.254
+ pre-up ip tunnel add $IFACE mode gre local 172.31.1.100 remote 185.66.195.0 ttl 255
+ post-up ip link set $IFACE mtu 1400
+ post-down ip tunnel del $IFACE
+
+iface gre-bb-a.ak.ber inet6 static
+ address 2a03:2260:0:155::2/64
+ netmask 64
+
+# Berlin Router B
+auto gre-bb-b.ak.ber
+iface gre-bb-b.ak.ber inet static
+ address 100.64.2.153
+ netmask 255.255.255.254
+ pre-up ip tunnel add $IFACE mode gre local 172.31.1.100 remote 185.66.195.1 ttl 255
+ post-up ip link set $IFACE mtu 1400
+ post-down ip tunnel del $IFACE
+
+iface gre-bb-b.ak.ber inet6 static
+ address 2a03:2260:0:156::2/64
+ netmask 64
+
+
+# Duesseldorf Router A
+auto gre-bb-a.ix.dus
+iface gre-bb-a.ix.dus inet static
+ address 100.64.2.155
+ netmask 255.255.255.254
+ pre-up ip tunnel add $IFACE mode gre local 172.31.1.100 remote 185.66.193.0 ttl 255
+ post-up ip link set $IFACE mtu 1400
+ post-down ip tunnel del $IFACE
+
+iface gre-bb-a.ix.dus inet6 static
+ address 2a03:2260:0:157::2/64
+ netmask 64
+
+
+# Duesseldorf Router B
+auto gre-bb-b.ix.dus
+iface gre-bb-b.ix.dus inet static
+ address 100.64.2.157
+ netmask 255.255.255.254
+ pre-up ip tunnel add $IFACE mode gre local 172.31.1.100 remote 185.66.193.1 ttl 255
+ post-up ip link set $IFACE mtu 1400
+ post-down ip tunnel del $IFACE
+
+iface gre-bb-b.ix.dus inet6 static
+ address 2a03:2260:0:158::2/64
+ netmask 64
+
diff --git a/files/interfaces-troisdorf6 b/files/interfaces-troisdorf6
new file mode 100644
index 0000000..a423081
--- /dev/null
+++ b/files/interfaces-troisdorf6
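Review bot: The four `pre-up ip tunnel add $IFACE mode gre local 172.31.1.100 ...` lines hard-code a private local endpoint while eth0 is `iface eth0 inet dhcp`; if the lease ever yields a different address the tunnels come up with a stale local address and the BGP sessions in bird-troisdorf5.conf stay down without any error in this file. interfaces-troisdorf6 avoids this by making eth0 static and reusing that address in the tunnel lines; do the same here, or document why the address is stable, e.g. `# 172.31.1.100 is the fixed pre-NAT address of eth0 -- the GRE tunnels break if the DHCP lease ever changes`. The tunnels carry no GRE key and no authentication, so what reaches bird over them is bounded only by the `import where is_default()` filter on the bird side; that is presumably the backbone's design, but a sentence under `# GRE Tunnel zum Rheinland Backbone` would make it explicit.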
@@ -0,0 +1,85 @@
+# This file describes the network interfaces available on your system
+# and how to activate them. For more information, see interfaces(5).
+
+source /etc/network/interfaces.d/*
+
+# The loopback network interface
+auto lo
+iface lo inet loopback
+ up ip address add 185.66.193.106/32 dev lo
+
+iface lo inet6 loopback
+ up ip address add 2a03:2260:121::106/48 dev lo
+
+
+# The primary network interface
+allow-hotplug eth0
+#iface eth0 inet dhcp
+iface eth0 inet static
+ address 46.4.138.189
+ netmask 255.255.255.192
+ gateway 46.4.138.129
+ dns-nameserver 213.133.100.100 213.133.99.99 213.133.98.98
+
+iface eth0 inet6 static
+ address 2a01:4f8:11d:600::189
+ netmask 59
+ gateway 2a01:4f8:11d:600::1
+
+# GRE Tunnel zum Rheinland Backbone
+# - Die Konfigurationsdaten werden vom Rheinland Backbone vergeben und zugewiesen
+
+# Berlin Router A
+auto gre-bb-a.ak.ber
+iface gre-bb-a.ak.ber inet static
+ address 100.64.2.159
+ netmask 255.255.255.254
+ pre-up ip tunnel add $IFACE mode gre local 46.4.138.189 remote 185.66.195.0 ttl 255
+ post-up ip link set $IFACE mtu 1400
+ post-down ip tunnel del $IFACE
+
+iface gre-bb-a.ak.ber inet6 static
+ address 2a03:2260:0:159::2/64
+ netmask 64
+
+# Berlin Router B
+auto gre-bb-b.ak.ber
+iface gre-bb-b.ak.ber inet static
+ address 100.64.2.161
+ netmask 255.255.255.254
+ pre-up ip tunnel add $IFACE mode gre local 46.4.138.189 remote 185.66.195.1 ttl 255
+ post-up ip link set $IFACE mtu 1400
+ post-down ip tunnel del $IFACE
+
+iface gre-bb-b.ak.ber inet6 static
+ address 2a03:2260:0:15a::2/64
+ netmask 64
+
+
+# Duesseldorf Router A
+auto gre-bb-a.ix.dus
+iface gre-bb-a.ix.dus inet static
+ address 100.64.2.163
+ netmask 255.255.255.254
+ pre-up ip tunnel add $IFACE mode gre local 46.4.138.189 remote 185.66.193.0 ttl 255
+ post-up ip link set $IFACE mtu 1400
+ post-down ip tunnel del $IFACE
+
+iface gre-bb-a.ix.dus inet6 static
+ address 2a03:2260:0:15b::2/64
+ netmask 64
+
+
+# Duesseldorf Router B
+auto gre-bb-b.ix.dus
+iface gre-bb-b.ix.dus inet static
+ address 100.64.2.165
+ netmask 255.255.255.254
+ pre-up ip tunnel add $IFACE mode gre local 46.4.138.189 remote 185.66.193.1 ttl 255
+ post-up ip link set $IFACE mtu 1400
+ post-down ip tunnel del $IFACE
+
+iface gre-bb-b.ix.dus inet6 static
+ address 2a03:2260:0:15c::2/64
+ netmask 64
+
diff --git a/files/keepalive.sh b/files/keepalive.sh
index c83d734..fa8759f 100644
--- a/files/keepalive.sh
+++ b/files/keepalive.sh
@@ -1,50 +1,44 @@
 #!/bin/bash
-INTERFACE=eth0 # Set to name of VPN interface
-shopt -s nullglob
+# Version 1.4
+# Parameter setzen
+GATEWAY1=185.66.193.105
+GATEWAY2=185.66.193.106
+GATEWAY1v6=2a03:2260:121::255:5
+GATEWAY2v6=2a03:2260:121::255:6
+IP=/sbin/ip
+PING=/bin/ping
+BATCTL=/usr/local/sbin/batctl
-# Test whether gateway is connected to the outer world via VPN
-ping -q -I $INTERFACE 8.8.8.8 -c 4 -i 1 -W 5 >/dev/null 2>&1
+if [ "hostname = troisdorf1 | troisdorf2" ]
+ then
+ DEFAULT_GATEWAY=$GATEWAY1
+ FALLBACK_GATEWAY=$GATEWAY2
+ DEFAULT_GATEWAYv6=$GATEWAY1v6
+ FALLBACK_GATEWAYv6=$GATEWAY2v6
+ else
+ DEFAULT_GATEWAY=$GATEWAY2
+ FALLBACK_GATEWAY=$GATEWAY1
+ DEFAULT_GATEWAYv6=$GATEWAY2v6
+ FALLBACK_GATEWAYv6=$GATEWAY1v6
-if test $? -eq 0; then
- NEW_STATE=server
-else
- NEW_STATE=off
 fi
-# Iterate through network interfaces in sys file system
-for MESH in /sys/class/net/*/mesh; do
-# Check whether gateway modus needs to be changed
-OLD_STATE="$(cat $MESH/gw_mode)"
-[ "$OLD_STATE" == "$NEW_STATE" ] && continue
- echo $NEW_STATE > $MESH/gw_mode
- echo 92MBit/92MBit > $MESH/gw_bandwidth
- logger "batman gateway mode changed to $NEW_STATE"
-
- # Check whether gateway modus has been deactivated
- if [ "$NEW_STATE" == "off" ]; then
- # Shutdown DHCP server to prevent renewal of leases
- /usr/sbin/service isc-dhcp-server stop
- fi
-
- # Check whether gateway modus has been activated
- if [ "$NEW_STATE" == "server" ]; then
- # Restart DHCP server
- /usr/sbin/service isc-dhcp-server start
- fi
- exit 0
-done
-
-if [ "$NEW_STATE" == "server" ]; then
- /usr/sbin/service isc-dhcp-server status 2>&1> /dev/null
- if $? -ne 0
- then
- /usr/sbin/service isc-dhcp-server restart
- fi
-fi
-if [ "$NEW_STATE" == "off" ]; then
- /usr/sbin/service isc-dhcp-server status 2>&1> /dev/null
- if $? -eq 0
- then
- /usr/sbin/service isc-dhcp-server stop
- fi
+if $PING -c 1 $DEFAULT_GATEWAY
+ then
+ $IP route replace default via $DEFAULT_GATEWAY table 42
+ $IP -6 route replace default via $DEFAULT_GATEWAYv6 table 42
+ $BATCTL gw server 100Mbit/100Mbit
+ echo "Gateway erreichbar"
+ else
+ if $PING -c 1 $FALLBACK_GATEWAY
+ then
+ $IP route replace default via $FALLBACK_GATEWAY table 42
+ $IP -6 route replace default via $FALLBACK_GATEWAYv6 table 42
+ $BATCTL gw server 80Mbit/80Mbit
+ echo "Nun FALLBACK_GATEWAY"
+ else
+ $BATCTL gw off
+ #Kein Gateway erreichbar, batctl gw off
+ fi
 fi
+
diff --git a/files/l2tp_backbone.sh.exit.j2 b/files/l2tp_backbone.sh.exit.j2
new file mode 100644
index 0000000..bd86c0b
--- /dev/null
+++ b/files/l2tp_backbone.sh.exit.j2
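Review bot: `if [ "hostname = troisdorf1 | troisdorf2" ]` tests a non-empty string literal and is therefore always true, so every node takes GATEWAY1 (185.66.193.105) as default and GATEWAY2 only as fallback; the intended split between the two exits never happens. Replace it with a real hostname check, `if [ "$(hostname)" = troisdorf1 ] || [ "$(hostname)" = troisdorf2 ]` (or a `case "$(hostname)" in troisdorf1|troisdorf2)` block). Separately, a single `$PING -c 1 $DEFAULT_GATEWAY` with no `-W` timeout decides both the default route of table 42 and the batman gateway announcement for the whole mesh, so one lost echo in a cron run flips every client to the fallback; `$PING -q -c 3 -W 2 $DEFAULT_GATEWAY >/dev/null` makes the decision far less twitchy. The IPv6 default is switched purely on the IPv4 ping result, which only holds as long as both address families of an exit fail together; a comment stating that assumption above the `if` would help the next reader.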
@@ -0,0 +1,58 @@
+#!/bin/sh
+# Version 6
+# Der servername muss mit einer einstelligen Zahl aufhoeren!!!!!
+communityname="troisdorf"
+#server="troisdorf1 troisdorf2 troisdorf3 troisdorf4 troisdorf5 troisdorf6 troisdorf7 troisdorf8 troisdorf9"
+server="troisdorf7 {{ sn_hostname }}"
+domain="freifunk-troisdorf.de"
+mtu={{ sn_mtu }}
+# community MAC address, without the last Byte (:)!
+communitymacaddress="a2:8c:ae:6f:f6"
+tunnelPrefix=10
+sessionPrefix=1
+# Netzwerkteil des Netzes, ohne abschliessenden Punkt
+communitynetwork="10.188"
+# IPv6 network
+#communitynetworkv6="fda0:747e:ab29:7405:255::"
+communitynetworkv6="2a03:2260:121::"
+# Drittes Octet des serverbereichs
+octet3rd="255"
+# CIDR muss /16 sein
+localserver=$(/bin/hostname)
+batadv=/usr/local/sbin/batadv-vis
+alfred=/usr/local/sbin/alfred
+batctl=/usr/local/sbin/batctl
+ip=/sbin/ip
+dig=/usr/bin/dig
+
+for i in $server; do
+(
+ for j in $server; do
+ if [ $i != $j ]; then
+ if [ $i = $localserver ]; then
+ ip l2tp add tunnel remote $($dig +short $j.$domain) local $(/bin/hostname -I | /usr/bin/cut -f1 -d' ') tunnel_id $tunnelPrefix${i#$communityname}${j#$communityname} peer_tunnel_id $tunnelPrefix${j#$communityname}${i#$communityname} encap udp udp_sport 300${i#$communityname}${j#$communityname} udp_dport 300${j#$communityname}${i#$communityname}
+ ip l2tp add session name l2tp-$j tunnel_id $tunnelPrefix${i#$communityname}${j#$communityname} session_id $sessionPrefix${i#$communityname}${j#$communityname} peer_session_id $sessionPrefix${j#$communityname}${i#$communityname}
+ #ip link set address $communitymacaddress:${i#$communityname}${j#$communityname} dev l2tp-$j
+ ip link set dev l2tp-$j mtu $mtu
+ ip link set up l2tp-$j
+ $batctl if add l2tp-$j
+ fi
+ fi
+ done
+)
+done
+
+# Rest starten
+$ip link set address $communitymacaddress:0${localserver#$communityname} dev bat0
+$ip link set up dev bat0
+$ip addr add $communitynetwork.$octet3rd.${localserver#$communityname}/16 broadcast $communitynetwork.255.255 dev bat0
+$ip -6 addr add $communitynetworkv6$octet3rd:${localserver#$communityname}/64 dev bat0
+
+/usr/bin/killall alfred
+/usr/bin/killall batadv-vis
+/bin/sleep 5
+$alfred -i bat0 > /dev/null 2>&1 &
+/bin/sleep 15
+$batadv -i bat0 -s > /dev/null 2>&1 &
+/usr/sbin/service bind9 restart
+/usr/local/sbin/batctl gw client 3
diff --git a/files/l2tp_backbone.sh.j2 b/files/l2tp_backbone.sh.j2
index d5ec362..483bdd3 100644
--- a/files/l2tp_backbone.sh.j2
+++ b/files/l2tp_backbone.sh.j2
@@ -1,9 +1,9 @@
 #!/bin/sh
-# Version 5
+# Version 6
 # Der servername muss mit einer einstelligen Zahl aufhoeren!!!!!
 communityname="troisdorf"
 server="troisdorf1 troisdorf2 troisdorf3 troisdorf4 troisdorf5 troisdorf6 troisdorf7 troisdorf8 troisdorf9"
-#server="troisdorf0 {{ sn_hostname }}"
+#server="troisdorf7 {{ sn_hostname }}"
 domain="freifunk-troisdorf.de"
 mtu={{ sn_mtu }}
 # community MAC address, without the last Byte (:)!
@@ -13,7 +13,8 @@ sessionPrefix=1
 # Netzwerkteil des Netzes, ohne abschliessenden Punkt
 communitynetwork="10.188"
 # IPv6 network
-communitynetworkv6="fda0:747e:ab29:7405:255::"
+#communitynetworkv6="fda0:747e:ab29:7405:255::"
+communitynetworkv6="2a03:2260:121::"
 # Drittes Octet des serverbereichs
 octet3rd="255"
 # CIDR muss /16 sein
@@ -46,7 +47,7 @@ $ip link set address $communitymacaddress:0${localserver#$communityname} dev bat
 #$ip link set address $communitymacaddress:ff dev bat0
 $ip link set up dev bat0
 $ip addr add $communitynetwork.$octet3rd.${localserver#$communityname}/16 broadcast $communitynetwork.255.255 dev bat0
-$ip -6 addr add $communitynetworkv6${localserver#$communityname}/64 dev bat0
+$ip -6 addr add $communitynetworkv6$octet3rd:${localserver#$communityname}/64 dev bat0
 /usr/bin/killall alfred
 /usr/bin/killall batadv-vis
@@ -55,3 +56,4 @@ $alfred -i bat0 > /dev/null 2>&1 &
 /bin/sleep 15
 $batadv -i bat0 -s > /dev/null 2>&1 &
 /usr/sbin/service bind9 restart
+/usr/local/sbin/batctl gw server 100Mbit/100Mbit
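Review bot: `ip l2tp add tunnel remote $($dig +short $j.$domain) local $(/bin/hostname -I | /usr/bin/cut -f1 -d' ') ...` uses the DNS answer unchecked and unquoted; an empty reply, or a multi-line one (`dig +short` can return several records, and an AAAA-only answer is no IPv4 address), produces a malformed `ip l2tp` command that fails silently inside the subshell, leaving this exit node without its backbone link to troisdorf7 while `$batctl gw client 3` at the end still joins the mesh. Resolve once and bail out explicitly, e.g. `remote=$($dig +short -t A "$j.$domain" | head -n1)` followed by `[ -n "$remote" ] || { logger "l2tp: no A record for $j.$domain"; continue; }`, and pass `"$remote"` to `ip l2tp add tunnel`. The loop body also mixes bare `ip` with the `$ip` variable defined at the top; use `$ip` throughout, as the `# Rest starten` section already does.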
diff --git a/files/radvd.conf.j2 b/files/radvd.conf.j2
index b4c45bd..6951b8e 100644
--- a/files/radvd.conf.j2
+++ b/files/radvd.conf.j2
@@ -3,7 +3,8 @@ interface bat0 {
 IgnoreIfMissing on;
 MaxRtrAdvInterval 200;
 RDNSS {{ sn_mesh_IPv6 }} {};
- prefix fda0:747e:ab29:7405::/64 {
+# prefix fda0:747e:ab29:7405::/64 {
+ prefix 2a03:2260:121::/64 {
 AdvOnLink on;
 AdvAutonomous on;
 AdvRouterAddr on;
diff --git a/files/sn_startup.exit.sh.j2 b/files/sn_startup.exit.sh.j2
new file mode 100644
index 0000000..b8c11fd
--- /dev/null
+++ b/files/sn_startup.exit.sh.j2
@@ -0,0 +1,68 @@
+#!/bin/sh
+
+curl -X POST --data-urlencode 'payload={"text": "{{ sn_hostname }} is rebooted", "channel": "#technik", "username": "{{ sn_hostname }}", "icon_emoji": ":floppy_disk:"}' https://hooks.slack.com/services/{{ slack_token }}
+
+# Block RFC1918 and APIPA destination via WAN
+/sbin/iptables -P OUTPUT ACCEPT
+for i in 10.0.0.0/8 172.16.0.0/12 169.254.0.0/16 192.168.0.0/16; do
+/sbin/iptables -A OUTPUT -o eth0 -d $i -j DROP
+done
+
+# Activate IP forwarding
+/sbin/sysctl -w net.ipv6.conf.all.forwarding=1
+/sbin/sysctl -w net.ipv4.ip_forward=1
+
+# restart when kernel panic
+/sbin/sysctl kernel.panic=1
+
+# Routing table 42
+/bin/grep 42 /etc/iproute2/rt_tables || /bin/echo 42 ffrl >> /etc/iproute2/rt_tables
+
+# Set table for traffice with mark 4
+/bin/ip rule add fwmark 0x4 table 42
+/bin/ip -6 rule add fwmark 0x4 table 42
+
+# Set mark 4 to Freifunk traffic
+/sbin/iptables -t mangle -A PREROUTING -s 10.0.0.0/8 ! -d 10.0.0.0/8 -j MARK --set-mark 4
+#/sbin/ip6tables -t mangle -A PREROUTING -s 2a03:2260:121::/48 ! -d 2a03:2260:121::/48 -j MARK --set-mark 4
+/sbin/ip6tables -t mangle -A PREROUTING -s 2a03:2260:121::/64 ! -d 2a03:2260:121::/64 -j MARK --set-mark 4
+
+# NAT on eth0
+/sbin/iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
+
+# NAT on GRE Freifunk interface
+#/sbin/iptables -t nat -A POSTROUTING -o gre-+ -j SNAT --to-source 185.66.193.105
+/sbin/iptables -t nat -A POSTROUTING -o gre-+ -j SNAT --to-source {{ sn_ffrl_IPv4 }}
+
+# MTU
+/sbin/iptables -t mangle -A POSTROUTING -p tcp --tcp-flags SYN,RST SYN -o gre-+ -j TCPMSS --set-mss 1312
+/sbin/ip6tables -t mangle -A POSTROUTING -p tcp --tcp-flags SYN,RST SYN -o gre-+ -j TCPMSS --set-mss 1312
+
+# All from FF IPv4 via routing table 42
+/bin/ip rule add from {{ sn_ffrl_IPv4 }}/32 lookup 42
+/bin/ip -6 rule add from 2a03:2260:121::/64 lookup 42
+
+# Allow MAC address spoofing
+/sbin/sysctl net.ipv4.conf.bat0.rp_filter=0
+
+sleep 5
+
+# stop tunneldigger
+/bin/systemctl disable tunneldigger
+/bin/systemctl stop tunneldigger
+
+# restart bird
+/bin/systemctl start bird
+/bin/systemctl start bird6
+/bin/systemctl enable bird
+/bin/systemctl enable bird6
+
+# stop radvd
+/bin/systemctl disable radvd
+/bin/systemctl stop radvd
+
+# restart DHCP
+/bin/systemctl disable isc-dhcp-server
+/bin/systemctl stop isc-dhcp-server
+
+exit 0
diff --git a/files/sn_startup.sh.j2 b/files/sn_startup.sh.j2
index 8fbf7e7..dd4550d 100644
--- a/files/sn_startup.sh.j2
+++ b/files/sn_startup.sh.j2
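Review bot: The comment `# Allow MAC address spoofing` above `/sbin/sysctl net.ipv4.conf.bat0.rp_filter=0` describes the wrong thing: rp_filter is reverse-path validation of source addresses, not MAC filtering; say what is actually being relaxed, e.g. `# Disable reverse-path filtering on bat0: mesh client sources arrive via the l2tp backbone, so strict RPF would drop them`. The script sets `/sbin/iptables -P OUTPUT ACCEPT` plus MASQUERADE on eth0 and SNAT on gre-+, but never touches the INPUT or FORWARD policy, so on a node that now terminates GRE and BGP from the Internet, forwarding between eth0, gre-+ and bat0 is governed by routing alone unless a firewall outside this patch handles it. If nothing else does, a `/sbin/iptables -P FORWARD DROP` with explicit accepts for bat0 towards gre-+/eth0 and for `-m conntrack --ctstate ESTABLISHED,RELATED` in the reverse direction would be the defensive default; the same gap exists in sn_startup.sh.j2. The `ip rule add` lines are not idempotent and stack duplicate rules on each invocation, which is harmless at boot but worth a comment for anyone re-running the script by hand.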
@@ -2,17 +2,6 @@
 curl -X POST --data-urlencode 'payload={"text": "{{ sn_hostname }} is rebooted", "channel": "#technik", "username": "{{ sn_hostname }}", "icon_emoji": ":floppy_disk:"}' https://hooks.slack.com/services/{{ slack_token }}
-# Stop tunneldigger until bat0 is up
-/usr/sbin/service tunneldigger stop
-
-# Set unreachable for table 200
-#/bin/ip route add unreachable 0.0.0.0/0 table iffy
-
-#while ! ping -c 1 -W 1 {{ sn_iffy_traffic }}; do
-# echo "Waiting for {{ sn_iffy_traffic }} - network interface might be down..."
-# sleep 5
-#done
-
 # Block RFC1918 and APIPA destination via WAN
 /sbin/iptables -P OUTPUT ACCEPT
 for i in 10.0.0.0/8 172.16.0.0/12 169.254.0.0/16 192.168.0.0/16; do
@@ -22,36 +11,47 @@ done
 # Activate IP forwarding
 /sbin/sysctl -w net.ipv6.conf.all.forwarding=1
 /sbin/sysctl -w net.ipv4.ip_forward=1
+
+# restart when kernel panic
 /sbin/sysctl kernel.panic=1
-# Routing table 200 for traffic above port 1023
-#/bin/grep 200 /etc/iproute2/rt_tables || /bin/echo 200 iffy >> /etc/iproute2/rt_tables
+# Stop tunneldigger until bat0 is up
+/usr/sbin/service tunneldigger stop
+
+# Routing table 42
+/bin/grep 42 /etc/iproute2/rt_tables || /bin/echo 42 ffrl >> /etc/iproute2/rt_tables
 # Set table for traffice with mark 4
-#/bin/ip rule add fwmark 0x4 table iffy
+/bin/ip rule add fwmark 0x4 table 42
+/bin/ip -6 rule add fwmark 0x4 table 42
-# Set mark 4 to traffic above port 1023
-#/sbin/iptables -t mangle -A PREROUTING -p tcp --dport 1024:65535 -s 10.0.0.0/8 ! -d 10.0.0.0/8 -j MARK --set-mark 4
-#/sbin/iptables -t mangle -A PREROUTING -p udp --dport 1024:65535 -s 10.0.0.0/8 ! -d 10.0.0.0/8 -j MARK --set-mark 4
+# Set mark 4 to Freifunk traffic
+/sbin/iptables -t mangle -A PREROUTING -s 10.0.0.0/8 ! -d 10.0.0.0/8 -j MARK --set-mark 4
+/sbin/ip6tables -t mangle -A PREROUTING -s 2a03:2260:121::/48 ! -d 2a03:2260:121::/48 -j MARK --set-mark 4
+/sbin/ip6tables -t mangle -A PREROUTING -s 2a03:2260:121::/64 ! 
-d 2a03:2260:121::/64 -j MARK --set-mark 4 # NAT on eth0 /sbin/iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE +# All from FF IPv4 via routing table 42 +/bin/ip rule add from 185.66.193.104/30 lookup 42 +/bin/ip -6 rule add from 2a03:2260:121::/64 lookup 42 + # Allow MAC address spoofing /sbin/sysctl net.ipv4.conf.bat0.rp_filter=0 -# Set gateway for table 200 -#/bin/ip route replace default via {{ sn_iffy_traffic }} table iffy - sleep 5 # Start tunneldigger -/usr/sbin/service tunneldigger restart +/bin/systemctl restart tunneldigger +/bin/systemctl enable tunneldigger # radvd restart -/usr/sbin/service radvd restart +/bin/systemctl restart radvd +/bin/systemctl enable radvd # restart DHCP -/usr/sbin/service isc-dhcp-server restart +/bin/systemctl restart isc-dhcp-server +/bin/systemctl enable isc-dhcp-server exit 0 diff --git a/install.sn.yml b/install.sn.yml index 77c0d15..f60dd3e 100644 --- a/install.sn.yml +++ b/install.sn.yml @@ -9,7 +9,7 @@ user: root gather_facts: False vars: - snversion: master_v1.9.3 + snversion: master_v2.0 batmanversion: v2015.2 common_required_packages: - git @@ -62,6 +62,8 @@ - authorized_keys logrotate_config: - logrotate.conf + tunneld_stats_file: + - collectd_td_stat.sh tasks: @@ -95,12 +97,12 @@ poll: 0 ignore_errors: true when: sethostname.changed - - name: waiting for server to come back + - name: waiting for server to come back (1st) local_action: wait_for host={{ inventory_hostname }} port=22 - delay=15 + delay=20 timeout=300 when: hosts.changed when: sethostname.changed 
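Review bot: Both ip6tables MARK rules are active in this template, `-s 2a03:2260:121::/48 ! -d 2a03:2260:121::/48` and `-s 2a03:2260:121::/64 ! -d 2a03:2260:121::/64`, while sn_startup.exit.sh.j2 keeps the /48 line commented out; the /64 rule additionally marks traffic from the mesh /64 to the rest of the /48, which the /48 rule deliberately leaves in the main table, so the two nodes types will route that case differently. Pick one rule, presumably the /48, and keep both templates identical. `/bin/ip rule add from 185.66.193.104/30 lookup 42` hard-codes the exit nodes' block where the exit template uses `{{ sn_ffrl_IPv4 }}`; a variable such as `{{ sn_ffrl_net }}` would keep the two in step when the block changes. The script this hunk belongs to continues past the hunk end.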
@@ -194,13 +196,24 @@ copy: src=./files/{{ item }} dest=/opt/freifunk owner=root group=root mode=0500 with_items: check_gw_script register: check_gw + when: sn_exit is undefined - name: Add cron job with check gateway script cron: name=check_gw job="/opt/freifunk/keepalive.sh > /dev/null 2>&1" user="root" when: check_gw.changed + + - name: Tunneldigger stats + copy: src=./files/{{ item }} dest=/opt/freifunk owner=root group=root mode=0500 + with_items: tunneld_stats_file + register: tunneld_stats + when: sn_exit is undefined + - name: Add cron job tunneldigger stats + cron: name=tunneld_stats job="/opt/freifunk/collectd_td_stat.sh > /dev/null 2>&1" user="root" + when: tunneld_stats.changed + + - name: Copy dhcpd template file template: src=./files/dhcpd.conf.j2 dest=/etc/dhcp/dhcpd.conf owner=root group=root mode=0444 register: dhcpd - - name: Clone static DHCP config git: repo=https://github.com/Freifunk-Troisdorf/static-dhcp dest=/opt/freifunk/static-dhcp @@ -208,7 +221,6 @@ - name: Add cron static DHCP cron: name=StaticDHCP minute="*" job="/opt/freifunk/static-dhcp/dhcp-update.sh" when: dhcpd.changed - - name: Restart dhcpd service: name=isc-dhcp-server state=restarted when: dhcpd.changed @@ -217,8 +229,14 @@ cron: name=backbone special_time=reboot job="/opt/freifunk/l2tp_backbone.sh" - name: Add cron startup script cron: name=startup special_time=reboot job="/opt/freifunk/sn_startup.sh" + - name: Copy backbone script template: src=./files/l2tp_backbone.sh.j2 dest=/opt/freifunk/l2tp_backbone.sh owner=root group=root mode=0544 + when: sn_exit is undefined + - name: Copy backbone script + template: src=./files/l2tp_backbone.sh.exit.j2 dest=/opt/freifunk/l2tp_backbone.sh owner=root group=root mode=0544 + when: sn_exit is defined + - name: Collectd template file template: src=./files/collectd.conf.j2 dest=/etc/collectd/collectd.conf owner=root group=root mode=0444 register: collectd 
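Review bot: The new `Tunneldigger stats` task copies `collectd_td_stat.sh` via `tunneld_stats_file`, but no such file is part of this patch: the diffstat lists 17 files and files/collectd_td_stat.sh is not among them, so unless it already exists in the repository the play fails at that task on every non-exit node. Please confirm the file is committed or add it to this change. The `check_gw` copy task is now skipped on exit nodes (`when: sn_exit is undefined`) while the next cron task keys on `check_gw.changed`; that works because a skipped task registers `changed: false`, but a comment at the cron task, `# skipped on exit nodes: check_gw is registered as skipped, so .changed is false`, spares the next reader the lookup.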
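Review bot: In the hunk at `@@ -217,8 +229,14 @@` two consecutive tasks are both named `Copy backbone script` (one `when: sn_exit is undefined`, one `when: sn_exit is defined`), so play output cannot tell which one ran; name them `Copy backbone script (mesh)` and `Copy backbone script (exit)`. Both render to the same destination /opt/freifunk/l2tp_backbone.sh, which is correct only because the conditions are mutually exclusive; a one-line comment saying so would help, and note that a host with `sn_exit` set to an empty value still counts as defined and gets the exit variant.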
@@ -227,6 +245,7 @@ when: collectd.changed - name: configure startup script template: src=./files/sn_startup.sh.j2 dest=/opt/freifunk/sn_startup.sh owner=root group=root mode=0500 + when: sn_exit is undefined - name: SSH authorized_keys copy: src=./files/{{ item }} dest=/root/.ssh owner=root group=root mode=0400 with_items: authorized_keys @@ -243,6 +262,22 @@ template: src=./files/alfred.sh.j2 dest=/opt/freifunk/alfred.sh owner=root group=root mode=0544 - name: Add cron job with alfred info script cron: name=alfred_info job="/opt/freifunk/alfred.sh > /dev/null 2>&1" user="root" + - name: Interface configuration with ffrl gre tunnel + copy: src=./files/interfaces-{{ sn_hostname }} dest=/etc/network/interfaces owner=root group=root mode=0544 + when: sn_exit is defined + - name: Exit node startup script + template: src=./files/sn_startup.exit.sh.j2 dest=/opt/freifunk/sn_startup.sh owner=root group=root mode=0500 + when: sn_exit is defined + - apt: update_cache=yes + - name: Install bird + apt: state=installed pkg=bird + when: sn_exit is defined + - name: Bird configuration + copy: src=./files/bird-{{ sn_hostname }}.conf dest=/etc/bird/bird.conf owner=bird group=bird mode=0444 + when: sn_exit is defined + - name: Bird configuration + copy: src=./files/bird6-{{ sn_hostname }}.conf dest=/etc/bird/bird6.conf owner=bird group=bird mode=0444 + when: sn_exit is defined - name: Reboot the server finally shell: sleep 2 && shutdown -r now "Ansible updates triggered" async: 1 @@ -256,7 +291,7 @@ wait_for host={{ inventory_hostname }} port=22 - delay=15 + delay=20 timeout=300 when: tunneldigger.changed - name: Send notification message via Slack
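Review bot: `Interface configuration with ffrl gre tunnel` installs /etc/network/interfaces with `mode=0544`; the file is configuration that ifupdown reads, not a script, so `mode=0644` is the appropriate mode. The two tasks named `Bird configuration` should get distinct names (`Bird IPv4 configuration`, `Bird IPv6 configuration`), and the bare `- apt: update_cache=yes` is the only task in this group without `when: sn_exit is defined`, so it refreshes the cache on every host; give it a `name: Update apt cache` and the same condition if the refresh exists only for the bird install. The copy tasks derive their source from `{{ sn_hostname }}` and only the troisdorf5 and troisdorf6 variants exist in this patch, so any other host with `sn_exit` set fails here; a comment at the task, `# requires files/bird-<hostname>.conf and files/bird6-<hostname>.conf for every exit host`, makes that requirement explicit.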