Finished playbook, known issues noted. Will be optimized further to b…

…e more resilient to updates etc.
metal-stack · Oct 10, 2024 · 4c25e40 · 4c25e40
1 parent f818109
commit 4c25e40
Show file tree

Hide file tree

Showing 3 changed files with 233 additions and 64 deletions.
diff --git a/partition/roles/mgmt-firewall/README.md b/partition/roles/mgmt-firewall/README.md
@@ -4,3 +4,9 @@ This Ansible Playbook is meant to setup the Mgmtsrv firewalls automatically.
 Enabling to change values inside the host_vars/router.yaml file to quickly adjust ip ranges etc.
 
 The basic setup of the config is always the same so this can be used for every firewall.
+
+## Known limitations:
+
+1. Editing bridge interface to off doesnt work off lan.
+2. Firewall zones arent working in LAN and WAN interfaces need to adjust manually.
+3. There needs to be an inital login to change the root password to the one given in the routers.yaml
diff --git a/partition/roles/mgmt-firewall/host_vars/router.yaml b/partition/roles/mgmt-firewall/host_vars/router.yaml
@@ -1,15 +1,90 @@
+# host_vars/router1.yaml
 lan_interfaces:
   - name: mgmtsrv
     ipaddr: 10.9.253.17
     device: eth0.3
+    firewall_network: 2
+    dhcp_options:
+      - { option: '3', value: '10.9.253.17' }
+      - { option: '6', value: '1.1.1.1,1.0.1.1' }
+
   - name: usersrv
     ipaddr: 10.9.253.18
     device: eth0.4
+    firewall_network: 2
+    dhcp_options:
+      - { option: '3', value: '10.9.253.18' }
+      - { option: '6', value: '8.8.8.8,8.8.4.4' }
+
   - name: guestsrv
     ipaddr: 10.9.253.19
     device: eth0.5
+    firewall_network: 3
+    dhcp_options:
+      - { option: '3', value: '10.9.253.19' }
+      - { option: '6', value: '9.9.9.9,149.112.112.112' }
+
+port_forwards:
+  - src_dport: '22'
+    dest_ip: '192.168.1.1'
+    dest_port: '22'
+    src: 'wan'
+    name: 'ssh_mgmtsrv'
+    target: 'DNAT'
+    priority: '1'
+    dest: 'lan'
+    reflection: '0'
+    src_ip: ['212.34.66.73', '212.34.83.194']
+    enabled: '1'
+    proto: ['tcp']
+
+  - src_dport: '623'
+    dest_ip: '192.168.1.1'
+    dest_port: '623'
+    src: 'wan'
+    name: 'rmcp_mgmtsrv_ipmi'
+    target: 'DNAT'
+    priority: '2'
+    dest: 'lan'
+    proto: ['tcp', 'udp']
+    src_ip: ['192.168.1.1']
+    src_dip: '212.34.83.203'
+    enabled: '1'
+
+wan_default:
+  ipaddr: '212.34.83.202'
+  netmask: '255.255.255.248'
+  dns: ['1.1.1.1', '2.2.2.2']
+  gateway: '212.34.83.201'
+
+wan_interfaces:
+  - name: wan_mgtm
+    device: eth1
+    metric: '1'
+    area_type: 'wan'
+    ipaddr: '212.34.83.202'
+    netmask: '255.255.255.248'
+    delegate: '1'
+    force_link: '0'
+    dns: ['1.1.1.1', '1.0.0.1']
+    peerdns: '0'
+    proto: 'static'
+    gateway: '212.34.83.201'
+
+  - name: wan_servc
+    device: eth2
+    metric: '2'
+    area_type: 'wan'
+    ipaddr: '212.34.83.203'
+    netmask: '255.255.255.248'
+    delegate: '1'
+    force_link: '0'
+    dns: ['8.8.8.8', '8.8.4.4']
+    peerdns: '0'
+    proto: 'static'
+    gateway: '212.34.83.201'
 
 bgp_general_ip: 10.9.253.17
 bgp_mgmtsrv_ipaddr: 10.9.253.25
-
 location_name: Felbach
+device_name: mgmtfrwl
diff --git a/partition/roles/mgmt-firewall/main.yaml b/partition/roles/mgmt-firewall/main.yaml
@@ -37,27 +37,6 @@
         uci commit bgp
         /etc/init.d/frr restart
 
-    - name: Setup BGP
-      ansible.builtin.raw: |
-        uci set bgp.bgp.enable='1'
-        uci set bgp.bgp.enabled_vty='1'
-        uci set bgp.general.enabled='1'
-        uci add_list bgp.general.redistribute='static' 
-        uci add_list bgp.general.redistribute='connected'
-        uci add_list bgp.general.redistribute='kernel'
-        uci set bgp.general.id={{bgp_general_ip}} 
-        uci set bgp.general.deterministic_med='0'
-        uci set bgp.general.as='4200000101'
-        uci set bgp.general.ebgp_requires_policy='1'
-        uci set bgp.mgmtsrv=bgp_peer
-        uci set bgp.mgmtsrv.instance='general'
-        uci set bgp.mgmtsrv.default_originate='0'
-        uci set bgp.mgmtsrv.ipaddr={{ bgp_mgmtsrv_ipaddr }}
-        uci set bgp.mgmtsrv.as='4200000001'
-        uci set bgp.mgmtsrv.enabled='1'
-        uci commit bgp
-        /etc/init.d/frr restart
-
     - name: Setup dropbear
       ansible.builtin.raw: |
         uci set dropbear.@dropbear[0].PasswordAuth='on'
@@ -87,28 +66,6 @@
         uci commit firewall
         /etc/init.d/firewall restart
 
-    - name: Setup network
-      ansible.builtin.raw: |
-        uci set network.@switch_vlan[0].ports='0t 4'
-        uci set network.@switch_vlan[1].ports='0t 5'
-        uci set network.@switch_vlan[2]=switch_vlan
-        uci set network.@switch_vlan[2].device='switch0'
-        uci set network.@switch_vlan[2].vlan='3'
-        uci set network.@switch_vlan[2].vid='3'
-        uci set network.@switch_vlan[2].ports='0t 1'
-        uci set network.@switch_vlan[3]=switch_vlan
-        uci set network.@switch_vlan[3].device='switch0'
-        uci set network.@switch_vlan[3].vlan='4'
-        uci set network.@switch_vlan[3].vid='4'
-        uci set network.@switch_vlan[3].ports='0t 2'
-        uci set network.@switch_vlan[4]=switch_vlan
-        uci set network.@switch_vlan[4].device='switch0'
-        uci set network.@switch_vlan[4].vlan='5'
-        uci set network.@switch_vlan[4].vid='5'
-        uci set network.@switch_vlan[4].ports='0t 3'
-        uci commit network
-        /etc/init.d/network restart
-
     - name: Get the total number of sms_utils rules
       ansible.builtin.raw: |
         uci show sms_utils | grep -o '@rule\[[0-9]\+\]' | sort -u | wc -l
@@ -134,8 +91,8 @@
     - name: Change location Name
       ansible.builtin.raw: |
         uci set snmpd.@system[0].sysName={{location_name}}  
-        uci set system.system.devicename='mgmtfw01'
-        uci set system.system.hostname='fel-wps-placeholder'
+        uci set system.system.devicename={{device_name}}
+        uci set system.system.hostname={{location_name}} 
         uci set system.system.zoneName='Europe/Berlin'
         uci set system.system.timezone='CET-1CEST,M3.5.0,M10.5.0/3'
         uci commit snmpd
@@ -158,24 +115,155 @@
 
     - name: Create authorized keys file in /etc/dropbear
       ansible.builtin.raw: |
-        echo 'Insert public key here' > ../etc/dropbear/authorized_keys
-
-    - name: Configure new LAN interface
-      ansible.builtin.raw: |
-        ipaddr="{{ item.ipaddr }}"
-        name="{{ item.name }}"
-        device="{{ item.device }}"
-        section_id=$(uci add network interface) 
-        uci set network.${section_id}.proto='static'
-        uci set network.${section_id}.area_type='lan'
-        uci set network.${section_id}.ipaddr="${ipaddr}"
-        uci set network.${section_id}.name="${name}"
-        uci set network.${section_id}.delegate='1'
-        uci set network.${section_id}.force_link='1'
-        uci set network.${section_id}.netmask='255.255.255.252'
+        echo 'INSERT UR PUBLIC KEY HERE' > ../etc/dropbear/authorized_keys
+
+    - name: Adjust Lan Bridge
+      ansible.builtin.raw: |
+        uci delete network.lan.igmp_snooping
+        uci set network.lan.device='eth0'
+        uci set network.lan.delegate='1'
+        uci set network.lan.force_link='1'
+        uci commit network
+        /etc/init.d/network restart
+
+    - name: Configure new LAN interfaces and DHCP settings
+      ansible.builtin.raw: |
+        section_id=$(uci add network interface)
+        uci rename network.$section_id={{ item.name }}
+        uci set network.{{ item.name }}.proto='static'
+        uci set network.{{ item.name }}.ipaddr='{{ item.ipaddr }}'
+        uci set network.{{ item.name }}.netmask='255.255.255.252'
+        uci set network.{{ item.name }}.device='{{ item.device }}'
+        uci set network.{{ item.name }}.delegate='1'
+        uci set network.{{ item.name }}.force_link='1'
+        uci set network.{{ item.name }}.area_type='lan'
+        uci commit network
+        /etc/init.d/network restart
+
+        # Configuring DHCP for the new interface
+        uci set dhcp.{{ item.name }}=dhcp
+        uci set dhcp.{{ item.name }}.leasetime='12h'
+        uci set dhcp.{{ item.name }}.limit='150'
+        uci set dhcp.{{ item.name }}.start='100'
+        uci set dhcp.{{ item.name }}.interface='{{ item.name }}'
+        uci set dhcp.{{ item.name }}.ra='server'
+        uci set dhcp.{{ item.name }}.dhcpv6='server'
+        uci set dhcp.{{ item.name }}.ignore_ipv6='1'
+        uci set dhcp.{{ item.name }}.force='0'
+        {% for option in item.dhcp_options %}
+        uci add_list dhcp.{{ item.name }}.dhcp_option_force="{{ option.option }},{{ option.value }}"
+        {% endfor %}
+        uci commit dhcp
+        /etc/init.d/dnsmasq restart
+      loop: '{{ lan_interfaces }}'
+
+    - name: Update default WAN interface with dynamic values
+      ansible.builtin.raw: |
+        uci set network.wan=interface
+        uci set network.wan.device='eth1'
+        uci set network.wan.metric='1'
+        uci set network.wan.area_type='wan'
+        uci set network.wan.ipaddr='{{ wan_default.ipaddr }}'
+        uci set network.wan.netmask='{{ wan_default.netmask }}'
+        uci set network.wan.delegate='1'
+        uci set network.wan.force_link='0'
+        {% for dns_server in wan_default.dns %}
+        uci add_list network.wan.dns='{{ dns_server }}'
+        {% endfor %}
+        uci set network.wan.peerdns='0'
+        uci set network.wan.proto='static'
+        uci set network.wan.gateway='{{ wan_default.gateway }}'
+
+        uci commit network
+        /etc/init.d/network restart
+
+    - name: Configure WAN interfaces
+      ansible.builtin.raw: |
+        section_id=$(uci add network interface)
+        uci set network.$section_id.device='{{ item.device }}'
+        uci set network.$section_id.metric='{{ item.metric }}'
+        uci set network.$section_id.area_type='{{ item.area_type }}'
+        uci set network.$section_id.ipaddr='{{ item.ipaddr }}'
+        uci set network.$section_id.netmask='{{ item.netmask }}'
+        uci set network.$section_id.delegate='{{ item.delegate }}'
+        uci set network.$section_id.force_link='{{ item.force_link }}'
+        uci set network.$section_id.peerdns='{{ item.peerdns }}'
+        uci set network.$section_id.proto='{{ item.proto }}'
+        uci set network.$section_id.gateway='{{ item.gateway }}'
+        uci set network.$section_id.name='{{ item.name }}'
+        {% for dns_server in item.dns %}
+        uci add_list network.$section_id.dns='{{ dns_server }}'
+        {% endfor %}
+
         uci commit network
         /etc/init.d/network restart
+      loop: '{{ wan_interfaces }}'
+
+    - name: Add WAN interfaces to firewall.3.network
+      ansible.builtin.raw: |
+        current_network=$(uci get firewall.3.network 2>/dev/null || echo "")
+        if [ -z "$current_network" ]; then
+          uci set firewall.3.network="{{ item.name }}"
+        else
+          uci set firewall.3.network="$current_network {{ item.name }}"
+        fi
+        uci commit firewall
+        /etc/init.d/firewall restart
+      loop: '{{ wan_interfaces }}'
+
+    - name: Update firewall configuration based on the interface's firewall_network value
+      ansible.builtin.raw: |
+        uci add_list firewall.{{ item.firewall_network }}.network='{{ item.name }}' 
+        uci commit firewall
+        /etc/init.d/firewall restart
       loop: '{{ lan_interfaces }}'
-      loop_control:
-        index_var: index
-      become: true
+
+    - name: Apply Port-Forwards
+      ansible.builtin.raw: |
+        uci add firewall redirect
+        uci set firewall.@redirect[-1].src_dport='{{ item.src_dport }}'
+        uci set firewall.@redirect[-1].dest_ip='{{ item.dest_ip }}'
+        uci set firewall.@redirect[-1].dest_port='{{ item.dest_port }}'
+        uci set firewall.@redirect[-1].src='{{ item.src }}'
+        uci set firewall.@redirect[-1].name='{{ item.name }}'
+        uci set firewall.@redirect[-1].target='{{ item.target }}'
+        uci set firewall.@redirect[-1].priority='{{ item.priority }}'
+        uci set firewall.@redirect[-1].dest='{{ item.dest }}'
+        uci set firewall.@redirect[-1].enabled='{{ item.enabled }}'
+        {% if item.reflection is defined %}
+        uci set firewall.@redirect[-1].reflection='{{ item.reflection }}'
+        {% endif %}
+        {% if item.src_ip is defined %}
+        uci set firewall.@redirect[-1].src_ip="{{ item.src_ip | join(' ') }}"
+        {% endif %}
+        {% if item.src_dip is defined %}
+        uci set firewall.@redirect[-1].src_dip='{{ item.src_dip }}'
+        {% endif %}
+        {% if item.proto is defined %}
+        uci set firewall.@redirect[-1].proto="{{ item.proto | join(' ') }}"
+        {% endif %}
+        uci commit firewall
+        /etc/init.d/firewall restart
+      loop: '{{ port_forwards }}'
+
+    - name: Setup network
+      ansible.builtin.raw: |
+        uci set network.@switch_vlan[0].ports='0t 4'
+        uci set network.@switch_vlan[1].ports='0t 5'
+        uci add network switch_vlan
+        uci set network.@switch_vlan[-1].device='switch0'
+        uci set network.@switch_vlan[-1].vlan='3'
+        uci set network.@switch_vlan[-1].vid='3'
+        uci set network.@switch_vlan[-1].ports='0t 1'
+        uci add network switch_vlan
+        uci set network.@switch_vlan[-1].device='switch0'
+        uci set network.@switch_vlan[-1].vlan='4'
+        uci set network.@switch_vlan[-1].vid='4'
+        uci set network.@switch_vlan[-1].ports='0t 2'
+        uci add network switch_vlan
+        uci set network.@switch_vlan[-1].device='switch0'
+        uci set network.@switch_vlan[-1].vlan='5'
+        uci set network.@switch_vlan[-1].vid='5'
+        uci set network.@switch_vlan[-1].ports='0t 3'
+        uci commit network
+        /etc/init.d/network restart