loppermann1

Niklas Yann Wettengel 3 years ago
parent fb0dbf28a0
commit 4d3268b80b

@ -0,0 +1,68 @@
---
ansible_host: 2a01:4f8:140:1242:ff::2
sites: []
wireguard_bb_name: 'loppermann1'
wireguard_bb_endpoint: '{{ ansible_host }}'
wireguard_bb_priv_key: !vault |
$ANSIBLE_VAULT;1.1;AES256
34643662623262646365326237626237313962663465366263386362353630633765363239333831
3632336333633862643737333864623666353935353166620a386462373161383266616633633837
33613761303136623264346435376664356235346633656531343564333334303266666462613665
3063333638323862360a653738306563393434376532313434633162666133343962313066616432
64356233663838353838326230613839663933666663393330303535653638343861656363326632
3539623766663136323061633562643365636162633134396361
wireguard_bb_pub_key: 'im56pv9JwwveDDkk8aA++0bgHjuUvUzaun4qFAZFrVc='
wireguard_bb_ipv4: '10.222.0.16'
wireguard_bb_ipv6: 'fe80::ffbb:ffbb:16'
wireguard_bb_port: 10116
wireguard_vpn_port: 10010
wireguard_vpn_priv_key: !vault |
$ANSIBLE_VAULT;1.1;AES256
37333837366636343138326138623361656462653861633566643831306139383964643839393234
3535393434653761643831663063386635323038343337340a336637633233623333316231346165
64643161663061356466616662336332373738306331386636373761623361343032663832663139
6465343666663861630a356231633764363030356230636631663333356665396462623862643863
66306461316633393065343063316633373530623163356530353031393132353964326238383137
3835373735333537396539353735326539633930393564376464
wireguard_vpn_address: 'fe80::d3:16ff:fee5:6239'
wireguard_vpn_client_range: '2a03:2260:1016:3000::/52'
tayga_ipv4: 10.3.0.1
tayga_pool: 10.3.0.0/16
ffrl_router_id: 10.222.0.16
ffrl_peers:
- name: 'bbaakber'
remote: '185.66.195.0'
ip4: '100.64.10.232'
peer_ip4: '100.64.10.233'
ip6: '2a03:2260:0:58b::2'
peer_ip6: '2a03:2260:0:58b::1'
- name: 'bbafra2fra'
remote: '185.66.194.0'
ip4: '100.64.10.234'
peer_ip4: '100.64.10.235'
ip6: '2a03:2260:0:58c::2'
peer_ip6: '2a03:2260:0:58c::1'
- name: 'bbaixdus'
remote: '185.66.193.0'
ip4: '100.64.10.236'
peer_ip4: '100.64.10.237'
ip6: '2a03:2260:0:58d::2'
peer_ip6: '2a03:2260:0:58d::1'
- name: 'bbbakber'
remote: '185.66.195.1'
ip4: '100.64.10.238'
peer_ip4: '100.64.10.239'
ip6: '2a03:2260:0:58e::2'
peer_ip6: '2a03:2260:0:58e::1'
- name: 'bbbfra2fra'
remote: '185.66.194.1'
ip4: '100.64.10.240'
peer_ip4: '100.64.10.241'
ip6: '2a03:2260:0:58f::2'
peer_ip6: '2a03:2260:0:58f::1'
- name: 'bbbixdus'
remote: '185.66.193.1'
ip4: '100.64.10.242'
peer_ip4: '100.64.10.243'
ip6: '2a03:2260:0:590::2'
peer_ip6: '2a03:2260:0:590::1'
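Review bot: `tayga_ipv4`, `tayga_pool` and `ffrl_router_id` are the only plain (unquoted) scalars in this host_vars file, and `ffrl_router_id` repeats the literal already given as `wireguard_bb_ipv4`. Quoting them like the rest of the file and deriving the router id from the existing variable, `ffrl_router_id: '{{ wireguard_bb_ipv4 }}'`, `tayga_ipv4: '10.3.0.1'`, `tayga_pool: '10.3.0.0/16'`, keeps the two values from drifting apart and matches how `wireguard_bb_endpoint` already references `ansible_host`. `ansible_host` is an IPv6 literal here and `wireguard_bb_endpoint` inherits it, so whether the WireGuard template wraps an IPv6 endpoint in brackets before appending the port is worth confirming; that template is not part of this commit. The private keys are vault-encrypted as they should be, and `sites: []` means the respondd tasks gated on `sites | length > 0` elsewhere in this commit are skipped for this host, which looks intended.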

@ -1,3 +1,4 @@
[fastd] [fastd]
ff-niyawe1 ff-niyawe1
ff-niyawe2 ff-niyawe2
ff-loppermann1

@ -74,7 +74,9 @@ COMMIT
:INPUT ACCEPT [0:0] :INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0] :OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0] :POSTROUTING ACCEPT [0:0]
{% if ffrl_ip4 is defined %}
{% for peer in ffrl_peers %} {% for peer in ffrl_peers %}
-A POSTROUTING ! -s {{ ffrl_ip4 }} -o {{ peer.name }} -j SNAT --to-source {{ ffrl_ip4 }} -A POSTROUTING ! -s {{ ffrl_ip4 }} -o {{ peer.name }} -j SNAT --to-source {{ ffrl_ip4 }}
{% endfor %} {% endfor %}
{% endif %}
COMMIT COMMIT
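Review bot: The `{% if ffrl_ip4 is defined %}` gate around the SNAT loop is the first of several identical gates in this commit (the babeld `in deny`, the `define ffrl_nat_address`/`router id`/`ipv4 table ffrl4` and IPv4 protocol blocks in bird.conf, and the `Address=` lines in the netdev template), and none of them say what the condition stands for. A one-line template comment above this gate, `{# hosts without ffrl_ip4 have no IPv4 FFRL uplink: no NAT address to SNAT to, no ffrl4 table, no IPv4 BGP sessions #}`, would make the intent readable (Jinja strips it, so the rendered ruleset is unchanged). If more templates grow this gate, an explicit host variable (a constructed example: `ffrl_ipv4_uplink: false`) tested in one place would be easier to audit than the implicit presence check. Skipping the SNAT rule is consistent with the rest of the commit, since the bird `ffrl4` table is gated off too and no IPv4 is routed over these tunnels on such hosts.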

@ -7,6 +7,7 @@ ip -6 rule add iif nat64 table ffmyk priority 10
ip -4 rule add to 10.1.0.0/16 table ffmyk priority 10 ip -4 rule add to 10.1.0.0/16 table ffmyk priority 10
ip -4 rule add to 10.2.0.0/16 table ffmyk priority 10 ip -4 rule add to 10.2.0.0/16 table ffmyk priority 10
ip -4 rule add to 10.3.0.0/16 table ffmyk priority 10
#Alles mit Freifunk-IP - woher auch immer - gehört zu Tabelle ffmyk #Alles mit Freifunk-IP - woher auch immer - gehört zu Tabelle ffmyk
ip -4 rule add to 10.222.1.0/24 table ffmyk priority 10 ip -4 rule add to 10.222.1.0/24 table ffmyk priority 10
ip -4 rule add to 10.222.2.0/23 table ffmyk priority 10 ip -4 rule add to 10.222.2.0/23 table ffmyk priority 10
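Review bot: The new `ip -4 rule add to 10.3.0.0/16 table ffmyk priority 10` hard-codes the pool that the loppermann1 host_vars express as `tayga_pool: 10.3.0.0/16` and that the tayga systemd override consumes as `{{ tayga_pool }}`, so the two now have to be kept in sync by hand. If this file is rendered as a template, a loop over the pools of all gateways (or one `{{ tayga_pool }}` rule per host, if each host only needs its own) would remove the duplication; if it is a static script, a comment naming where each pool comes from, `# tayga NAT64 pools, one per gateway: see tayga_pool in host_vars`, helps the next person adding a gateway. Whether a single `to 10.0.0.0/8` rule could replace the per-pool rules (babeld now accepts 10.0.0.0/8 in this commit) depends on which 10/8 ranges must not hit table ffmyk, which is not visible here.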

@ -27,19 +27,22 @@ import-table 42
reflect-kernel-metric true reflect-kernel-metric true
# Filtering rules. # Filtering rules.
in ip 10.222.0.0/16 allow in ip 10.0.0.0/8 allow
in ip 2a03:2260:1016::/48 allow in ip 2a03:2260:1016::/48 allow
in ip 2003:46:e028::/48 allow # finzelberg in ip 2003:46:e028::/48 allow # finzelberg
in ip fd62:44e1:da::/48 allow in ip fd62:44e1:da::/48 allow
{% if ffrl_ip4 is defined %}
in deny # ignore default routes on uplinks in deny # ignore default routes on uplinks
{% endif %}
{% for peer in ffrl_peers %} {% for peer in ffrl_peers %}
redistribute if {{ peer.name }} metric 128 redistribute if {{ peer.name }} metric 128
{% endfor %} {% endfor %}
# Only redistribute addresses from a given prefix, to avoid redistributing # Only redistribute addresses from a given prefix, to avoid redistributing
# all local addresses # all local addresses
redistribute ip 10.222.0.0/16 allow redistribute ip 10.0.0.0/8 allow
redistribute ip 2a03:2260:1016::/48 allow redistribute ip 2a03:2260:1016::/48 allow
redistribute ip 64:ff9b::/96 allow redistribute ip 64:ff9b::/96 allow
redistribute ip 2003:46:e028::/48 allow # finzelberg
redistribute ip fd62:44e1:da::/48 allow redistribute ip fd62:44e1:da::/48 allow
redistribute local deny redistribute local deny
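Review bot: Widening the import filter from `in ip 10.222.0.0/16 allow` to `in ip 10.0.0.0/8 allow`, combined with making `in deny` conditional, means that on hosts without `ffrl_ip4` every prefix announced by a Babel neighbour is accepted if babeld falls through to its default action for unmatched routes (which I believe is allow; verify against the babeld.conf man page). Presumably the goal is to learn the IPv4 default route from the other gateways over the backbone, but that is better stated explicitly: keep `in deny` unconditional and add `in ip 0.0.0.0/0 le 0 allow` (and `in ip ::/0 le 0 allow` if wanted) inside an `{% else %}` branch, so that a misconfigured neighbour cannot inject arbitrary more-specific routes. The same 10.0.0.0/8 widening on `redistribute ip` is less risky since it only governs what this host announces, but a comment naming the ranges it is meant to cover, `# backbone 10.222/16 plus the tayga NAT64 pools 10.x/16`, would document the change. `redistribute ip 2003:46:e028::/48 allow # finzelberg` is only added to redistribute while the matching `in ip` rule already existed, which looks intended.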

@ -29,6 +29,10 @@ options {
hostname none; hostname none;
server-id none; server-id none;
dns64 64:ff9b::/96 {
clients { any; };
};
max-cache-size 1024M; max-cache-size 1024M;
}; };
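Review bot: `clients { any; };` in the new `dns64` block makes the resolver synthesize AAAA answers for every querier, not only for the NAT64 client networks that can actually reach `64:ff9b::/96` through tayga; if the `options` block (which starts before this hunk) restricts recursion with an `allow-recursion` ACL, the same ACL should be used here, `clients { <acl-name>; };` with the placeholder replaced by that ACL's name, so the two lists stay in step. A comment above the block tying it to the NAT64 setup, `// DNS64 for the tayga NAT64 prefix (64:ff9b::/96 -> tayga_pool)`, would also help, since the prefix is repeated in bird.conf, the systemd override and here.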

@ -6,20 +6,24 @@
- lsb-release - lsb-release
- ethtool - ethtool
state: present state: present
when: sites | length > 0
- name: clone mesh-announce repo - name: clone mesh-announce repo
git: git:
repo: https://github.com/FreifunkMYK/mesh-announce.git repo: https://github.com/FreifunkMYK/mesh-announce.git
dest: /opt/mesh-announce dest: /opt/mesh-announce
when: sites | length > 0
- name: create respondd service - name: create respondd service
template: template:
src: respondd.service.j2 src: respondd.service.j2
dest: /etc/systemd/system/respondd.service dest: /etc/systemd/system/respondd.service
mode: 0644 mode: 0644
when: sites | length > 0
- name: start and enable respondd service - name: start and enable respondd service
systemd: systemd:
name: respondd name: respondd
state: started state: started
enabled: yes enabled: yes
when: sites | length > 0
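Review bot: The four new `when: sites | length > 0` lines repeat the same condition, and each aborts the play with an undefined-variable error on any host whose host_vars omit `sites` (this commit defines `sites: []` for loppermann1 only). Wrapping the mesh-announce/respondd tasks in a `block:` with a single `when: sites | default([]) | length > 0` states the condition once and tolerates the missing key; the first gated task (the package install) starts before the hunk, so its name is not visible here. Not new in this commit but touched by it: `mode: 0644` and `enabled: yes` in the same tasks are the unquoted-octal and truthy spellings that yamllint and ansible-lint flag; `mode: '0644'` and `enabled: true` are the canonical forms.
```yaml
- name: mesh-announce / respondd (only on hosts that serve sites)
  when: sites | default([]) | length > 0
  block:
    - name: clone mesh-announce repo
      # … unchanged: git task …
    - name: create respondd service
      # … unchanged: template task …
    - name: start and enable respondd service
      # … unchanged: systemd task …
```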

@ -11,6 +11,11 @@
mode: 0644 mode: 0644
notify: restart tayga notify: restart tayga
- name: create systemd override folder
ansible.builtin.file:
path: /etc/systemd/system/tayga.service.d
state: directory
- name: systemd override.conf - name: systemd override.conf
template: template:
src: systemd_override.conf.j2 src: systemd_override.conf.j2
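Review bot: The new `create systemd override folder` task uses the FQCN `ansible.builtin.file` while the neighbouring tasks in this hunk (`template:`) and the rest of the commit use short module names; pick one form for the play. The directory also gets whatever mode the remote umask yields; `mode: '0755'` makes the drop-in directory's permissions explicit and identical across hosts. The hunk ends before the `systemd override.conf` task's `notify:`, so I cannot tell whether a daemon-reload is triggered once the override is in place.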

@ -4,7 +4,7 @@ ExecStartPre=/usr/bin/tayga --mktun --config /etc/tayga.conf
ExecStartPre=/usr/bin/ip link set nat64 up ExecStartPre=/usr/bin/ip link set nat64 up
ExecStartPre=/usr/bin/ip addr replace {{ tayga_ipv4 }}/32 dev nat64 ExecStartPre=/usr/bin/ip addr replace {{ tayga_ipv4 }}/32 dev nat64
ExecStartPre=/usr/bin/ip addr replace 2a03:2260:1016::64/128 dev nat64 ExecStartPre=/usr/bin/ip addr replace 2a03:2260:1016::64/128 dev nat64
ExecStartPre=/usr/bin/ip route replace {{ tayga_pool }} dev nat64 table ffmyk ExecStartPre=/usr/bin/ip route replace {{ tayga_pool }} dev nat64 proto static table ffmyk
ExecStartPre=/usr/bin/ip -6 route replace 64:ff9b::/96 dev nat64 table ffmyk ExecStartPre=/usr/bin/ip -6 route replace 64:ff9b::/96 dev nat64 proto static table ffmyk
ExecStart=/usr/bin/tayga --nodetach --config /etc/tayga.conf ExecStart=/usr/bin/tayga --nodetach --config /etc/tayga.conf
Restart=always Restart=always
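Review bot: `proto static` is added to both `ip route replace` lines without saying why; presumably it tags the tayga routes so that the daemons reading the kernel table (babeld with `import-table 42`, bird's `kernel table 42` protocols elsewhere in this commit, if `ffmyk` is table 42) can tell them apart from routes they manage themselves, but that is inference. A comment on its own line above the two `ExecStartPre=` lines, `# proto static: mark the NAT64 routes as operator-installed so babeld/bird can distinguish them from their own kernel routes`, confirmed by the author, would save the next reader the same guess. The unit's `[Service]` section starts before the hunk.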

@ -3,21 +3,31 @@ timeformat protocol iso long;
#log "bird.log" all; #log "bird.log" all;
# debug protocols all; # debug protocols all;
{% if ffrl_ip4 is defined %}
define ffrl_nat_address = {{ ffrl_ip4 }}; define ffrl_nat_address = {{ ffrl_ip4 }};
{% endif %}
define ffmyk_as = 65032; # private AS of ffmyk define ffmyk_as = 65032; # private AS of ffmyk
define ffrl_as = 201701; # public AS of rheinland define ffrl_as = 201701; # public AS of rheinland
{% if ffrl_ip4 is defined %}
router id ffrl_nat_address; router id ffrl_nat_address;
{% else %}
router id {{ ffrl_router_id }};
{% endif %}
{% if ffrl_ip4 is defined %}
ipv4 table ffrl4; ipv4 table ffrl4;
{% endif %}
ipv6 table ffrl6; ipv6 table ffrl6;
{% if ffrl_ip4 is defined %}
function is_default4() { function is_default4() {
return net ~ [ return net ~ [
0.0.0.0/0 0.0.0.0/0
]; ];
} }
{% endif %}
function is_default6() { function is_default6() {
return net ~ [ return net ~ [
@ -25,11 +35,13 @@ function is_default6() {
]; ];
} }
{% if ffrl_ip4 is defined %}
function is_ffrl_nat4() { function is_ffrl_nat4() {
return net ~ [ return net ~ [
{{ ffrl_ip4 }}/32 {{ ffrl_ip4 }}/32
]; ];
} }
{% endif %}
function is_ffrl_public_nets6() { function is_ffrl_public_nets6() {
return net ~ [ return net ~ [
@ -37,11 +49,13 @@ function is_ffrl_public_nets6() {
]; ];
} }
{% if ffrl_ip4 is defined %}
function is_ffrl_tunnel_nets4() { function is_ffrl_tunnel_nets4() {
return net ~ [ return net ~ [
100.64.0.0/10 100.64.0.0/10
]; ];
} }
{% endif %}
function is_ffrl_tunnel_nets6() { function is_ffrl_tunnel_nets6() {
return net ~ [ return net ~ [
@ -49,6 +63,7 @@ function is_ffrl_tunnel_nets6() {
]; ];
} }
{% if ffrl_ip4 is defined %}
# BGP Import Filter für Rheinland # BGP Import Filter für Rheinland
filter ebgp_ffrl_import_filter4 { filter ebgp_ffrl_import_filter4 {
if is_default4() then accept; if is_default4() then accept;
@ -60,6 +75,7 @@ filter ebgp_ffrl_export_filter4 {
if is_ffrl_nat4() then accept; if is_ffrl_nat4() then accept;
reject; reject;
} }
{% endif %}
filter ebgp_ffrl_import_filter6 { filter ebgp_ffrl_import_filter6 {
if is_default6() then accept; if is_default6() then accept;
@ -75,11 +91,13 @@ protocol device {
scan time 10; scan time 10;
} }
{% if ffrl_ip4 is defined %}
# IP-NAT-Adresse legen wir in die interne BIRD Routing Table # IP-NAT-Adresse legen wir in die interne BIRD Routing Table
protocol static ffrl_uplink_hostroute4 { protocol static ffrl_uplink_hostroute4 {
ipv4 { table ffrl4; }; ipv4 { table ffrl4; };
route {{ ffrl_ip4 }}/32 reject; route {{ ffrl_ip4 }}/32 reject;
} }
{% endif %}
protocol static ffrl_public_routes6 { protocol static ffrl_public_routes6 {
ipv6 { table ffrl6; }; ipv6 { table ffrl6; };
@ -95,6 +113,7 @@ protocol static ffrl_public_routes6 {
# import where is_ffrl_tunnel_nets4(); # import where is_ffrl_tunnel_nets4();
#} #}
{% if ffrl_ip4 is defined %}
# Wir exportieren über Rheinland gelernte Routen in die Kernel Table 47 (ffrl) # Wir exportieren über Rheinland gelernte Routen in die Kernel Table 47 (ffrl)
protocol kernel kernel_ffrl4 { protocol kernel kernel_ffrl4 {
scan time 30; scan time 30;
@ -108,6 +127,7 @@ protocol kernel kernel_ffrl4 {
}; };
kernel table 42; kernel table 42;
}; };
{% endif %}
protocol kernel kernel_ffrl6 { protocol kernel kernel_ffrl6 {
scan time 30; scan time 30;
@ -122,6 +142,7 @@ protocol kernel kernel_ffrl6 {
kernel table 42; kernel table 42;
}; };
{% if ffrl_ip4 is defined %}
# BGP Template für Rheinland Peerings # BGP Template für Rheinland Peerings
template bgp ffrl_uplink4 { template bgp ffrl_uplink4 {
local as ffmyk_as; local as ffmyk_as;
@ -134,6 +155,7 @@ template bgp ffrl_uplink4 {
}; };
direct; direct;
}; };
{% endif %}
template bgp ffrl_uplink6 { template bgp ffrl_uplink6 {
local as ffmyk_as; local as ffmyk_as;
@ -148,10 +170,12 @@ template bgp ffrl_uplink6 {
}; };
{% for peer in ffrl_peers %} {% for peer in ffrl_peers %}
{% if ffrl_ip4 is defined %}
protocol bgp ffrl_{{ peer.name }}4 from ffrl_uplink4 { protocol bgp ffrl_{{ peer.name }}4 from ffrl_uplink4 {
source address {{ peer.ip4 }}; source address {{ peer.ip4 }};
neighbor {{ peer.peer_ip4 }} as 201701; neighbor {{ peer.peer_ip4 }} as 201701;
}; };
{% endif %}
protocol bgp ffrl_{{ peer.name }}6 from ffrl_uplink6 { protocol bgp ffrl_{{ peer.name }}6 from ffrl_uplink6 {
source address {{ peer.ip6 }}; source address {{ peer.ip6 }};
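Review bot: The three consecutive `{% if ffrl_ip4 is defined %}` blocks around `define ffrl_nat_address`, `router id` and `ipv4 table ffrl4` test the same condition back to back and could be a single `{% if %}…{% else %}…{% endif %}`, which would also put `router id ffrl_nat_address;` and `router id {{ ffrl_router_id }};` visibly side by side. The per-peer `{% if %}` inside `{% for peer in ffrl_peers %}` cannot be hoisted without duplicating the loop and is fine as is, but a comment at the top of the template explaining the gate, `{# hosts without ffrl_ip4 run IPv6-only FFRL sessions: no ffrl4 table, no IPv4 BGP, no kernel_ffrl4 #}`, would make the dozen gates self-explanatory. `router id {{ ffrl_router_id }};` fails to render on a host that defines neither variable, which is the safe outcome but worth a line in the role's defaults or README. The enclosing definitions `is_default6`, `ffrl_public_routes6`, `kernel_ffrl6` and `ffrl_uplink6` start or end outside the visible hunks.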

@ -8,7 +8,11 @@ Remote={{ item.remote }}
ExecUpPost="/usr/bin/ip link set dev {{ item.name }} mtu 1400; /usr/bin/ip tunnel change {{ item.name }} ttl 64" ExecUpPost="/usr/bin/ip link set dev {{ item.name }} mtu 1400; /usr/bin/ip tunnel change {{ item.name }} ttl 64"
IP=static IP=static
{% if ffrl_ip4 is defined %}
Address=('{{ item.ip4 }}/31' '{{ ffrl_ip4 }}/32') Address=('{{ item.ip4 }}/31' '{{ ffrl_ip4 }}/32')
{% else %}
Address=('{{ item.ip4 }}/31')
{% endif %}
IP6=static IP6=static
Address6=('{{ item.ip6 }}/64') Address6=('{{ item.ip6 }}/64')
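Review bot: The `{% if %}/{% else %}/{% endif %}` around `Address=` duplicates the `'{{ item.ip4 }}/31'` element in both branches; only the `/32` NAT address is conditional, so a single line, `Address=('{{ item.ip4 }}/31'{% if ffrl_ip4 is defined %} '{{ ffrl_ip4 }}/32'{% endif %})`, says the same without the fork and cannot drift between branches. The rest of the netdev unit starts before the hunk.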
