diff --git a/partition/roles/mgmt-firewall/README.md b/partition/roles/mgmt-firewall/README.md index 9b8d6559..fee5fe0a 100644 --- a/partition/roles/mgmt-firewall/README.md +++ b/partition/roles/mgmt-firewall/README.md @@ -4,3 +4,9 @@ This Ansible Playbook is meant to setup the Mgmtsrv firewalls automatically. Enabling to change values inside the host_vars/router.yaml file to quickly adjust ip ranges etc. The basic setup of the config is always the same so this can be used for every firewall. + +## Known limitations: + +1. Editing bridge interface to off doesnt work off lan. +2. Firewall zones arent working in LAN and WAN interfaces need to adjust manually. +3. There needs to be an inital login to change the root password to the one given in the routers.yaml diff --git a/partition/roles/mgmt-firewall/host_vars/router.yaml b/partition/roles/mgmt-firewall/host_vars/router.yaml index 7bbf86ec..522769c8 100644 --- a/partition/roles/mgmt-firewall/host_vars/router.yaml +++ b/partition/roles/mgmt-firewall/host_vars/router.yaml 
@@ -1,15 +1,90 @@ +# host_vars/router1.yaml lan_interfaces: - name: mgmtsrv ipaddr: 10.9.253.17 device: eth0.3 + firewall_network: 2 + dhcp_options: + - { option: '3', value: '10.9.253.17' } + - { option: '6', value: '1.1.1.1,1.0.1.1' } + - name: usersrv ipaddr: 10.9.253.18 device: eth0.4 + firewall_network: 2 + dhcp_options: + - { option: '3', value: '10.9.253.18' } + - { option: '6', value: '8.8.8.8,8.8.4.4' } + - name: guestsrv ipaddr: 10.9.253.19 device: eth0.5 + firewall_network: 3 + dhcp_options: + - { option: '3', value: '10.9.253.19' } + - { option: '6', value: '9.9.9.9,149.112.112.112' } + +port_forwards: + - src_dport: '22' + dest_ip: '192.168.1.1' + dest_port: '22' + src: 'wan' + name: 'ssh_mgmtsrv' + target: 'DNAT' + priority: '1' + dest: 'lan' + reflection: '0' + src_ip: ['212.34.66.73', '212.34.83.194'] + enabled: '1' + proto: ['tcp'] + + - src_dport: '623' + dest_ip: '192.168.1.1' + dest_port: '623' + src: 'wan' + name: 'rmcp_mgmtsrv_ipmi' + target: 'DNAT' + priority: '2' + dest: 'lan' + proto: ['tcp', 'udp'] + src_ip: ['192.168.1.1'] + src_dip: '212.34.83.203' + enabled: '1' + +wan_default: + ipaddr: '212.34.83.202' + netmask: '255.255.255.248' + dns: ['1.1.1.1', '2.2.2.2'] + gateway: '212.34.83.201' + +wan_interfaces: + - name: wan_mgtm + device: eth1 + metric: '1' + area_type: 'wan' + ipaddr: '212.34.83.202' + netmask: '255.255.255.248' + delegate: '1' + force_link: '0' + dns: ['1.1.1.1', '1.0.0.1'] + peerdns: '0' + proto: 'static' + gateway: '212.34.83.201' + + - name: wan_servc + device: eth2 + metric: '2' + area_type: 'wan' + ipaddr: '212.34.83.203' + netmask: '255.255.255.248' + delegate: '1' + force_link: '0' + dns: ['8.8.8.8', '8.8.4.4'] + peerdns: '0' + proto: 'static' + gateway: '212.34.83.201' bgp_general_ip: 10.9.253.17 bgp_mgmtsrv_ipaddr: 10.9.253.25 - location_name: Felbach +device_name: mgmtfrwl diff --git a/partition/roles/mgmt-firewall/main.yaml b/partition/roles/mgmt-firewall/main.yaml index b2ef829d..f2afafde 100644 
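Review bot: The `rmcp_mgmtsrv_ipmi` port-forward has `src: 'wan'` but restricts `src_ip` to `'192.168.1.1'`, a private address that will not be the source of traffic arriving on the WAN, so the rule as written either never matches or, if the intent was "allow from the management hosts", was meant to carry the public addresses used by the `ssh_mgmtsrv` rule; please confirm and add a comment such as `# src_ip: public addresses allowed to reach IPMI (DNAT to 192.168.1.1:623)` so the restriction is not silently widened later. The new `wan_default` block and the `wan_mgtm` entry in `wan_interfaces` both describe eth1 with `212.34.83.202`, so the playbook's WAN tasks will end up with two interface sections on the same device and address; one of the two should go or the duplication should be documented. The `firewall_network` values `2` and `3` are bare zone indices whose meaning depends on the router's default firewall config — a one-line comment naming the zone each index refers to would help, and the header comment `# host_vars/router1.yaml` does not match the file path `host_vars/router.yaml`. Minor style: `ipaddr` is unquoted in `lan_interfaces` but quoted everywhere else in the file.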
--- a/partition/roles/mgmt-firewall/main.yaml +++ b/partition/roles/mgmt-firewall/main.yaml @@ -37,27 +37,6 @@ uci commit bgp /etc/init.d/frr restart - - name: Setup BGP - ansible.builtin.raw: | - uci set bgp.bgp.enable='1' - uci set bgp.bgp.enabled_vty='1' - uci set bgp.general.enabled='1' - uci add_list bgp.general.redistribute='static' - uci add_list bgp.general.redistribute='connected' - uci add_list bgp.general.redistribute='kernel' - uci set bgp.general.id={{bgp_general_ip}} - uci set bgp.general.deterministic_med='0' - uci set bgp.general.as='4200000101' - uci set bgp.general.ebgp_requires_policy='1' - uci set bgp.mgmtsrv=bgp_peer - uci set bgp.mgmtsrv.instance='general' - uci set bgp.mgmtsrv.default_originate='0' - uci set bgp.mgmtsrv.ipaddr={{ bgp_mgmtsrv_ipaddr }} - uci set bgp.mgmtsrv.as='4200000001' - uci set bgp.mgmtsrv.enabled='1' - uci commit bgp - /etc/init.d/frr restart - - name: Setup dropbear ansible.builtin.raw: | uci set dropbear.@dropbear[0].PasswordAuth='on' 
@@ -87,28 +66,6 @@ uci commit firewall /etc/init.d/firewall restart - - name: Setup network - ansible.builtin.raw: | - uci set network.@switch_vlan[0].ports='0t 4' - uci set network.@switch_vlan[1].ports='0t 5' - uci set network.@switch_vlan[2]=switch_vlan - uci set network.@switch_vlan[2].device='switch0' - uci set network.@switch_vlan[2].vlan='3' - uci set network.@switch_vlan[2].vid='3' - uci set network.@switch_vlan[2].ports='0t 1' - uci set network.@switch_vlan[3]=switch_vlan - uci set network.@switch_vlan[3].device='switch0' - uci set network.@switch_vlan[3].vlan='4' - uci set network.@switch_vlan[3].vid='4' - uci set network.@switch_vlan[3].ports='0t 2' - uci set network.@switch_vlan[4]=switch_vlan - uci set network.@switch_vlan[4].device='switch0' - uci set network.@switch_vlan[4].vlan='5' - uci set network.@switch_vlan[4].vid='5' - uci set network.@switch_vlan[4].ports='0t 3' - uci commit network - /etc/init.d/network restart - - name: Get the total number of sms_utils rules ansible.builtin.raw: | uci show sms_utils | grep -o '@rule\[[0-9]\+\]' | sort -u | wc -l @@ -134,8 +91,8 @@ - name: Change location Name ansible.builtin.raw: | uci set snmpd.@system[0].sysName={{location_name}} - uci set system.system.devicename='mgmtfw01' - uci set system.system.hostname='fel-wps-placeholder' + uci set system.system.devicename={{device_name}} + uci set system.system.hostname={{location_name}} uci set system.system.zoneName='Europe/Berlin' uci set system.system.timezone='CET-1CEST,M3.5.0,M10.5.0/3' uci commit snmpd 
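Review bot: In the `Change location Name` hunk the two new lines interpolate `{{device_name}}` and `{{location_name}}` into a shell command unquoted, so a value containing a space or shell metacharacter breaks the `uci set` call or is executed by the shell; the same is true of the existing `sysName` line above them. Quoting the rendered value is enough: `uci set system.system.devicename='{{ device_name }}'` and `uci set system.system.hostname='{{ location_name }}'` (and likewise for `snmpd.@system[0].sysName`). The task name still says "location Name" although it now also sets the device name, and the `{{device_name}}` spacing differs from the `{{ item.name }}` style used elsewhere in the file. The task's closing `uci commit`/restart lines continue outside the hunk.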
@@ -158,24 +115,155 @@ - name: Create authorized keys file in /etc/dropbear ansible.builtin.raw: | - echo 'Insert public key here' > ../etc/dropbear/authorized_keys - - - name: Configure new LAN interface - ansible.builtin.raw: | - ipaddr="{{ item.ipaddr }}" - name="{{ item.name }}" - device="{{ item.device }}" - section_id=$(uci add network interface) - uci set network.${section_id}.proto='static' - uci set network.${section_id}.area_type='lan' - uci set network.${section_id}.ipaddr="${ipaddr}" - uci set network.${section_id}.name="${name}" - uci set network.${section_id}.delegate='1' - uci set network.${section_id}.force_link='1' - uci set network.${section_id}.netmask='255.255.255.252' + echo 'INSERT UR PUBLIC KEY HERE' > ../etc/dropbear/authorized_keys + + - name: Adjust Lan Bridge + ansible.builtin.raw: | + uci delete network.lan.igmp_snooping + uci set network.lan.device='eth0' + uci set network.lan.delegate='1' + uci set network.lan.force_link='1' + uci commit network + /etc/init.d/network restart + + - name: Configure new LAN interfaces and DHCP settings + ansible.builtin.raw: | + section_id=$(uci add network interface) + uci rename network.$section_id={{ item.name }} + uci set network.{{ item.name }}.proto='static' + uci set network.{{ item.name }}.ipaddr='{{ item.ipaddr }}' + uci set network.{{ item.name }}.netmask='255.255.255.252' + uci set network.{{ item.name }}.device='{{ item.device }}' + uci set network.{{ item.name }}.delegate='1' + uci set network.{{ item.name }}.force_link='1' + uci set network.{{ item.name }}.area_type='lan' + uci commit network + /etc/init.d/network restart + + # Configuring DHCP for the new interface + uci set dhcp.{{ item.name }}=dhcp + uci set dhcp.{{ item.name }}.leasetime='12h' + uci set dhcp.{{ item.name }}.limit='150' + uci set dhcp.{{ item.name }}.start='100' + uci set dhcp.{{ item.name }}.interface='{{ item.name }}' + uci set dhcp.{{ item.name }}.ra='server' + uci set dhcp.{{ item.name }}.dhcpv6='server' + uci set 
dhcp.{{ item.name }}.ignore_ipv6='1' + uci set dhcp.{{ item.name }}.force='0' + {% for option in item.dhcp_options %} + uci add_list dhcp.{{ item.name }}.dhcp_option_force="{{ option.option }},{{ option.value }}" + {% endfor %} + uci commit dhcp + /etc/init.d/dnsmasq restart + loop: '{{ lan_interfaces }}' + + - name: Update default WAN interface with dynamic values + ansible.builtin.raw: | + uci set network.wan=interface + uci set network.wan.device='eth1' + uci set network.wan.metric='1' + uci set network.wan.area_type='wan' + uci set network.wan.ipaddr='{{ wan_default.ipaddr }}' + uci set network.wan.netmask='{{ wan_default.netmask }}' + uci set network.wan.delegate='1' + uci set network.wan.force_link='0' + {% for dns_server in wan_default.dns %} + uci add_list network.wan.dns='{{ dns_server }}' + {% endfor %} + uci set network.wan.peerdns='0' + uci set network.wan.proto='static' + uci set network.wan.gateway='{{ wan_default.gateway }}' + + uci commit network + /etc/init.d/network restart + + - name: Configure WAN interfaces + ansible.builtin.raw: | + section_id=$(uci add network interface) + uci set network.$section_id.device='{{ item.device }}' + uci set network.$section_id.metric='{{ item.metric }}' + uci set network.$section_id.area_type='{{ item.area_type }}' + uci set network.$section_id.ipaddr='{{ item.ipaddr }}' + uci set network.$section_id.netmask='{{ item.netmask }}' + uci set network.$section_id.delegate='{{ item.delegate }}' + uci set network.$section_id.force_link='{{ item.force_link }}' + uci set network.$section_id.peerdns='{{ item.peerdns }}' + uci set network.$section_id.proto='{{ item.proto }}' + uci set network.$section_id.gateway='{{ item.gateway }}' + uci set network.$section_id.name='{{ item.name }}' + {% for dns_server in item.dns %} + uci add_list network.$section_id.dns='{{ dns_server }}' + {% endfor %} + uci commit network /etc/init.d/network restart + loop: '{{ wan_interfaces }}' + + - name: Add WAN interfaces to firewall.3.network + 
ansible.builtin.raw: | + current_network=$(uci get firewall.3.network 2>/dev/null || echo "") + if [ -z "$current_network" ]; then + uci set firewall.3.network="{{ item.name }}" + else + uci set firewall.3.network="$current_network {{ item.name }}" + fi + uci commit firewall + /etc/init.d/firewall restart + loop: '{{ wan_interfaces }}' + + - name: Update firewall configuration based on the interface's firewall_network value + ansible.builtin.raw: | + uci add_list firewall.{{ item.firewall_network }}.network='{{ item.name }}' + uci commit firewall + /etc/init.d/firewall restart loop: '{{ lan_interfaces }}' - loop_control: - index_var: index - become: true + + - name: Apply Port-Forwards + ansible.builtin.raw: | + uci add firewall redirect + uci set firewall.@redirect[-1].src_dport='{{ item.src_dport }}' + uci set firewall.@redirect[-1].dest_ip='{{ item.dest_ip }}' + uci set firewall.@redirect[-1].dest_port='{{ item.dest_port }}' + uci set firewall.@redirect[-1].src='{{ item.src }}' + uci set firewall.@redirect[-1].name='{{ item.name }}' + uci set firewall.@redirect[-1].target='{{ item.target }}' + uci set firewall.@redirect[-1].priority='{{ item.priority }}' + uci set firewall.@redirect[-1].dest='{{ item.dest }}' + uci set firewall.@redirect[-1].enabled='{{ item.enabled }}' + {% if item.reflection is defined %} + uci set firewall.@redirect[-1].reflection='{{ item.reflection }}' + {% endif %} + {% if item.src_ip is defined %} + uci set firewall.@redirect[-1].src_ip="{{ item.src_ip | join(' ') }}" + {% endif %} + {% if item.src_dip is defined %} + uci set firewall.@redirect[-1].src_dip='{{ item.src_dip }}' + {% endif %} + {% if item.proto is defined %} + uci set firewall.@redirect[-1].proto="{{ item.proto | join(' ') }}" + {% endif %} + uci commit firewall + /etc/init.d/firewall restart + loop: '{{ port_forwards }}' + + - name: Setup network + ansible.builtin.raw: | + uci set network.@switch_vlan[0].ports='0t 4' + uci set network.@switch_vlan[1].ports='0t 5' + uci add 
network switch_vlan + uci set network.@switch_vlan[-1].device='switch0' + uci set network.@switch_vlan[-1].vlan='3' + uci set network.@switch_vlan[-1].vid='3' + uci set network.@switch_vlan[-1].ports='0t 1' + uci add network switch_vlan + uci set network.@switch_vlan[-1].device='switch0' + uci set network.@switch_vlan[-1].vlan='4' + uci set network.@switch_vlan[-1].vid='4' + uci set network.@switch_vlan[-1].ports='0t 2' + uci add network switch_vlan + uci set network.@switch_vlan[-1].device='switch0' + uci set network.@switch_vlan[-1].vlan='5' + uci set network.@switch_vlan[-1].vid='5' + uci set network.@switch_vlan[-1].ports='0t 3' + uci commit network + /etc/init.d/network restart
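Review bot: The `Create authorized keys file` task still writes a literal placeholder instead of key material, and writes it to `../etc/dropbear/authorized_keys`, a path relative to whatever directory the raw shell starts in, so the file either lands outside `/etc/dropbear` or holds a string dropbear cannot use while `PasswordAuth` stays enabled by the earlier task; I would source the key from a host_var and use the absolute path, e.g. `echo '{{ dropbear_authorized_key }}' > /etc/dropbear/authorized_keys` (variable name is a proposal, to be added to host_vars). Every looped task also runs `uci commit` followed by a full `/etc/init.d/network restart` or `/etc/init.d/firewall restart` per item, and the `uci add network interface`, `uci add firewall redirect` and `uci add network switch_vlan` calls are not idempotent, so a second run of the play duplicates sections and restarts the network once per interface — committing and restarting once after each loop, and checking for an existing section by name before `uci add`, would make re-runs safe. `Update default WAN interface` configures `network.wan` on eth1 with `wan_default.ipaddr` and `Configure WAN interfaces` then adds `wan_mgtm` on the same device with the same address from the router.yaml hunk, so two interfaces end up on eth1. `Add WAN interfaces to firewall.3.network` builds the zone's network list with `uci set` on a space-joined string while the following task uses `uci add_list` for the same kind of option; using `uci add_list firewall.3.network='{{ item.name }}'` in both keeps the config consistent and drops the `uci get` fallback.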