ffrl uplink and fastd split

7 years ago · 99dddff862
parent d2270e2e50
commit 99dddff862
23 changed files with 437 additions and 94 deletions
--- a/roles/configure_iptables/templates/ip6tables.rules
+++ b/roles/configure_iptables/templates/ip6tables.rules
@ -4,12 +4,22 @@
 :FORWARD ACCEPT [0:0]
 :OUTPUT ACCEPT [0:0]
 :POSTROUTING ACCEPT [0:0]
+{% if 'fastd' in group_names %}
 {% for site in sites %}
 -A PREROUTING -i bat{{ site.name }} -j MARK --set-xmark 0x1/0xffffffff
 {% endfor %}
-{% for peer in wireguard_bb_peers %}
-A PREROUTING -i bb{{ peer.name }} ! -s fe80::/64 ! -d fe80::/64 -j MARK --set-xmark 0x1/0xffffffff
+{% endif %}
+
+{% if 'ffrl_uplink' in group_names %}
+{% for peer in groups['fastd'] %}
+-A PREROUTING -i bb{{ hostvars[peer]['wireguard_bb_name'] }} ! -s fe80::/64 ! -d fe80::/64 -j MARK --set-xmark 0x1/0xffffffff
+{% endfor %}
+{% endif %}
+{% if 'fastd' in group_names %}
+{% for peer in groups['ffrl_uplink'] %}
+-A PREROUTING -i bb{{ hostvars[peer]['wireguard_bb_name'] }} ! -s fe80::/64 ! -d fe80::/64 -j MARK --set-xmark 0x1/0xffffffff
 {% endfor %}
+{% endif %}
 COMMIT
 *filter
 :INPUT DROP [0:0]
@ -21,6 +31,8 @@ COMMIT

 # SSH-Server
 -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
+
+{% if 'fastd' in group_names %}
 # dns
 -A INPUT -p tcp -m tcp --dport 53 -j ACCEPT
 -A INPUT -p udp -m udp --dport 53 -j ACCEPT
@ -33,19 +45,35 @@ COMMIT
 -A INPUT -p udp -m udp --dport {{ site.wireguard_mesh_port }} -j ACCEPT
 -A INPUT -s {{ site.wireguard_mesh_address }}/48 -p gre -j ACCEPT
 {% endfor %}
+{% endif %}
 # wireguard_backbone
-A INPUT -s fdff:4d59:4bbb::/48 -p gre -j ACCEPT
-{% for peer in wireguard_bb_peers %}
-A INPUT -i bb{{ peer.name }} -p udp --dport 6696 -j ACCEPT
+{% if 'ffrl_uplink' in group_names %}
+{% for peer in groups['fastd'] %}
+-A INPUT -i bb{{ hostvars[peer]['wireguard_bb_name'] }} -p udp --dport 6696 -j ACCEPT
 {% endfor %}
+{% endif %}
+{% if 'fastd' in group_names %}
+{% for peer in groups['ffrl_uplink'] %}
+-A INPUT -i bb{{ hostvars[peer]['wireguard_bb_name'] }} -p udp --dport 6696 -j ACCEPT
+{% endfor %}
+{% endif %}
 # MOSH
 -A INPUT -p udp -m udp --dport 60000:61000 -j ACCEPT
+
+# ffrl bgp
+{% if 'ffrl_uplink' in group_names %}
+{% for peer in ffrl_peers %}
+-A INPUT -i {{ peer.name }} -p tcp -m tcp --dport 179 -j ACCEPT
+{% endfor %}
+{% endif %}
 # LOG
 -A INPUT -m limit --limit 2/min -j LOG --log-prefix "IP6Tables-Dropped input: " --log-level 4

+{% if 'fastd' in group_names %}
 {% for site in sites %}
 -A FORWARD -i bat{{ site.name }} -p udp --dport 10010:10021 -j REJECT
 {% endfor %}
+{% endif %}
 -A FORWARD -o {{ ansible_default_ipv6.interface }} -j REJECT
 COMMIT
 *nat
@ -53,5 +81,4 @@ COMMIT
 :INPUT ACCEPT [0:0]
 :OUTPUT ACCEPT [0:0]
 :POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o mullvad -j MASQUERADE
 COMMIT
--- a/roles/configure_iptables/templates/iptables.rules
+++ b/roles/configure_iptables/templates/iptables.rules
@ -4,12 +4,22 @@
 :FORWARD ACCEPT [0:0]
 :OUTPUT ACCEPT [0:0]
 :POSTROUTING ACCEPT [0:0]
+{% if 'fastd' in group_names %}
 {% for site in sites %}
 -A PREROUTING -i bat{{ site.name }} -j MARK --set-xmark 0x1/0xffffffff
 {% endfor %}
-{% for peer in wireguard_bb_peers %}
-A PREROUTING -i bb{{ peer.name }} -j MARK --set-xmark 0x1/0xffffffff
+{% endif %}
+
+{% if 'ffrl_uplink' in group_names %}
+{% for peer in groups['fastd'] %}
+-A PREROUTING -i bb{{ hostvars[peer]['wireguard_bb_name'] }} -j MARK --set-xmark 0x1/0xffffffff
+{% endfor %}
+{% endif %}
+{% if 'fastd' in group_names %}
+{% for peer in groups['ffrl_uplink'] %}
+-A PREROUTING -i bb{{ hostvars[peer]['wireguard_bb_name'] }} -j MARK --set-xmark 0x1/0xffffffff
 {% endfor %}
+{% endif %}
 COMMIT
 *filter
 :INPUT DROP [0:0]
@ -21,6 +31,8 @@ COMMIT

 # SSH-Server
 -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
+
+{% if 'fastd' in group_names %}
 # dns
 -A INPUT -p tcp -m tcp --dport 53 -j ACCEPT
 -A INPUT -p udp -m udp --dport 53 -j ACCEPT
@ -32,19 +44,38 @@ COMMIT
 -A INPUT -p udp -m udp --dport 123 -j ACCEPT
 # fastd
 -A INPUT -p udp -m udp --dport 10010:10021 -j ACCEPT
+{% endif %}
 # MOSH
 -A INPUT -p udp -m udp --dport 60000:61000 -j ACCEPT
+
+{% if 'ffrl_uplink' in group_names %}
+# ffrl-gre
+{% for peer in ffrl_peers %}
+-A INPUT -p gre -s {{ peer.remote }} -j ACCEPT
+{% endfor %}
+# ffrl bgp
+{% for peer in ffrl_peers %}
+-A INPUT -i {{ peer.name }} -p tcp -m tcp --dport 179 -j ACCEPT
+{% endfor %}
+{% endif %}
+
 -A INPUT -m limit --limit 2/min -j LOG --log-prefix "IPTables-Dropped input: " --log-level 4

+{% if 'fastd' in group_names %}
 {% for site in sites %}
 -A FORWARD -i bat{{ site.name }} -p udp --dport 10010:10021 -j REJECT
 {% endfor %}
-A FORWARD -o {{ ansible_default_ipv4.interface }} -j REJECT
+{% endif %}
+
 COMMIT
 *nat
 :PREROUTING ACCEPT [0:0]
 :INPUT ACCEPT [0:0]
 :OUTPUT ACCEPT [0:0]
 :POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o mullvad -j MASQUERADE
+{% if 'ffrl_uplink' in group_names %}
+{% for peer in ffrl_peers %}
+-A POSTROUTING ! -s {{ ffrl_ip4 }} -o {{ peer.name }} -j SNAT --to-source {{ ffrl_ip4 }}
+{% endfor %}
+{% endif %}
 COMMIT
--- a/roles/configure_static_routes/files/ffmyk-iproute.sh
+++ b/roles/configure_static_routes/files/ffmyk-iproute.sh
@ -12,4 +12,5 @@ ip -4 rule add to 10.222.16.0/20 table ffmyk priority 10
 ip -4 rule add to 10.222.32.0/19 table ffmyk priority 10
 ip -4 rule add to 10.222.64.0/18 table ffmyk priority 10
 ip -4 rule add to 10.222.128.0/17 table ffmyk priority 10
-ip -6 rule add to 2001:470:cd45:FF00::/56 table ffmyk priority 10
+ip -6 rule add to 2001:470:cd45:ff00::/56 table ffmyk priority 10
+ip -6 rule add to 2a03:2260:1016::/48 table ffmyk priority 10
--- a/roles/configure_static_routes/tasks/fastd_tasks.yml
+++ b/roles/configure_static_routes/tasks/fastd_tasks.yml
@ -0,0 +1,14 @@
+---
+- name: copy site specific iproute up config script
+  template:
+      src: ffmyk-iproute-up.j2
+      dest: /usr/local/bin/ffmyk-iproute{{ item.name }}-up.sh
+      mode: 0744
+  with_items: "{{ sites }}"
+
+- name: copy site specific iproute down config script
+  template:
+      src: ffmyk-iproute-down.j2
+      dest: /usr/local/bin/ffmyk-iproute{{ item.name }}-down.sh
+      mode: 0744
+  with_items: "{{ sites }}"
--- a/roles/configure_static_routes/tasks/main.yml
+++ b/roles/configure_static_routes/tasks/main.yml
@ -4,25 +4,20 @@
      path: /etc/iproute2/rt_tables
      line: 42 ffmyk

+- name: name ffrl routing table
+  lineinfile:
+      path: /etc/iproute2/rt_tables
+      line: 47 ffrl
+  when: "'ffrl_uplink' in group_names"
+
 - name: copy ffmyk iproute config script
  copy:
      src: ffmyk-iproute.sh
      dest: /usr/local/bin/ffmyk-iproute.sh
      mode: 0744

- name: copy site specific iproute up config script
-  template:
-      src: ffmyk-iproute-up.j2
-      dest: /usr/local/bin/ffmyk-iproute{{ item.name }}-up.sh
-      mode: 0744
-  with_items: "{{ sites }}"
-
- name: copy site specific iproute down config script
-  template:
-      src: ffmyk-iproute-down.j2
-      dest: /usr/local/bin/ffmyk-iproute{{ item.name }}-down.sh
-      mode: 0744
-  with_items: "{{ sites }}"
+- include_tasks: fastd_tasks.yml
+  when: "'fastd' in group_names"

 - name: copy ffmyk iproute systemd service
  copy:
--- a/roles/configure_static_routes/templates/ffmyk-iproute-down.j2
+++ b/roles/configure_static_routes/templates/ffmyk-iproute-down.j2
@ -2,6 +2,7 @@

 ip -4 route del {{item.net4 }} dev bat{{ item.name }} proto static table ffmyk
 ip -6 route del {{item.net6 }} dev bat{{ item.name }} proto static table ffmyk
+ip -6 route del {{item.site_net6 }} dev bat{{ item.name }} proto static table ffmyk

 ip -4 rule del iif bat{{ item.name }} table ffmyk
 ip -6 rule del iif bat{{ item.name }} table ffmyk
--- a/roles/configure_static_routes/templates/ffmyk-iproute-up.j2
+++ b/roles/configure_static_routes/templates/ffmyk-iproute-up.j2
@ -10,3 +10,4 @@ ip -6 rule add from all iif bat{{ item.name }} type unreachable priority 200

 ip -4 route replace {{item.net4 }} dev bat{{ item.name }} proto static table ffmyk
 ip -6 route replace {{item.net6 }} dev bat{{ item.name }} proto static table ffmyk
+ip -6 route replace {{item.site_net6 }} dev bat{{ item.name }} proto static table ffmyk
--- a/roles/install_babeld/tasks/main.yml
+++ b/roles/install_babeld/tasks/main.yml
@ -1,10 +1,8 @@
 ---
 - name: install fastd
-  become: yes
-  become_user: '{{ aur_user }}'
-  aur:
+  pacman:
      name: babeld
-      tool: yaourt
+      state: present

 - name: babeld.conf
  template:
--- a/roles/install_babeld/templates/babeld.conf.j2
+++ b/roles/install_babeld/templates/babeld.conf.j2
@ -5,10 +5,16 @@
 ipv6-subtrees true

 # You must provide at least one interface for babeld to operate on.
-{% for peer in wireguard_bb_peers %}
-interface bb{{ peer.name }}
+{% if 'ffrl_uplink' in group_names %}
+{% for peer in groups['fastd'] %}
+interface bb{{ hostvars[peer]['wireguard_bb_name'] }}
 {% endfor %}
-#interface wlan0
+{% endif %}
+{% if 'fastd' in group_names %}
+{% for peer in groups['ffrl_uplink'] %}
+interface bb{{ hostvars[peer]['wireguard_bb_name'] }}
+{% endfor %}
+{% endif %}

 # Global options you might want to set. There are many more, see the man page.
 #debug 1
@ -44,16 +50,14 @@ import-table 42
 #in ip 2001:db8:cafe:cafe::/64 allow
 #in deny

-redistribute metric 128
+{% if 'ffrl_uplink' in group_names %}
+{% for peer in ffrl_peers %}
+redistribute if {{ peer.name }} metric 128
+{% endfor %}
+{% endif %}
 # Only redistribute addresses from a given prefix, to avoid redistributing
 # all local addresses
-redistribute ip 10.222.0.0/16 local allow
-redistribute ip 2001:470:cd45:FF00::/56 local allow
+redistribute ip 10.222.0.0/16 allow
+redistribute ip 2001:470:cd45:FF00::/56 allow
+redistribute ip 2a03:2260:1016::/48 allow
 redistribute local deny
-
-# Redistribute a default route obtained otherwise (here, through DHCP or
-# configured statically).
-# Note that babeld ignores kernel routes with proto 3 (boot) by default.
-#redistribute proto 3 ip 0.0.0.0/0 eq 0 metric 50
-#redistribute proto 3 ip ::/0 eq 0 metric 50
-
--- a/roles/install_bind/templates/named.conf.j2
+++ b/roles/install_bind/templates/named.conf.j2
@ -22,7 +22,7 @@ options {
 {% endfor %}
    };

-    allow-recursion { 127.0.0.1; 10.222.0.0/16; 2001:470:cd45:ff00::/56; };
+    allow-recursion { 127.0.0.1; 10.222.0.0/16; 2001:470:cd45:ff00::/56; 2a03:2260:1016::/48; };
    allow-transfer { none; };
    allow-update { none; };

--- a/roles/install_fastd/tasks/main.yml
+++ b/roles/install_fastd/tasks/main.yml
@ -1,10 +1,8 @@
 ---
 - name: install fastd
-  become: yes
-  become_user: '{{ aur_user }}'
-  aur:
+  pacman:
      name: fastd
-      tool: yaourt
+      state: present

 - name: create site folder
  file:
--- a/roles/install_radvd/templates/radvd.conf.j2
+++ b/roles/install_radvd/templates/radvd.conf.j2
@ -18,7 +18,7 @@ interface bat{{ site.name }}

        RDNSS {{ site.bat_ipv6 }}
        {
-                AdvRDNSSLifetime 30;
+                AdvRDNSSLifetime 900;
        };

 };
--- a/roles/install_wireguard_backbone/tasks/fastd_tasks.yml
+++ b/roles/install_wireguard_backbone/tasks/fastd_tasks.yml
@ -0,0 +1,29 @@
+---
+- name: create wireguard config for peers
+  template:
+      src: wg.conf.j2
+      dest: /etc/wireguard/wgbb{{ hostvars[item]['wireguard_bb_name'] }}.conf
+      mode: 0400
+  with_items: "{{ groups['ffrl_uplink'] }}"
+
+- name: create wireguard up scripts for peers
+  template:
+      src: up.sh.j2
+      dest: /etc/wireguard/upbb{{ hostvars[item]['wireguard_bb_name'] }}.sh
+      mode: 0744
+  with_items: "{{ groups['ffrl_uplink'] }}"
+
+- name: create wireguard down scripts for peers
+  template:
+      src: down.sh.j2
+      dest: /etc/wireguard/downbb{{ hostvars[item]['wireguard_bb_name'] }}.sh
+      mode: 0744
+  with_items: "{{ groups['ffrl_uplink'] }}"
+
+- name: start and enable wireguard mesh
+  systemd:
+      name: wgbackbone@{{ hostvars[item]['wireguard_bb_name'] }}.service
+      enabled: yes
+      state: started
+      daemon_reload: yes
+  with_items: "{{ groups['ffrl_uplink'] }}"
--- a/roles/install_wireguard_backbone/tasks/ffrl_uplink_tasks.yml
+++ b/roles/install_wireguard_backbone/tasks/ffrl_uplink_tasks.yml
@ -0,0 +1,29 @@
+---
+- name: create wireguard config for peers
+  template:
+      src: wg.conf.j2
+      dest: /etc/wireguard/wgbb{{ hostvars[item]['wireguard_bb_name'] }}.conf
+      mode: 0400
+  with_items: "{{ groups['fastd'] }}"
+
+- name: create wireguard up scripts for peers
+  template:
+      src: up.sh.j2
+      dest: /etc/wireguard/upbb{{ hostvars[item]['wireguard_bb_name'] }}.sh
+      mode: 0744
+  with_items: "{{ groups['fastd'] }}"
+
+- name: create wireguard down scripts for peers
+  template:
+      src: down.sh.j2
+      dest: /etc/wireguard/downbb{{ hostvars[item]['wireguard_bb_name'] }}.sh
+      mode: 0744
+  with_items: "{{ groups['fastd'] }}"
+
+- name: start and enable wireguard mesh
+  systemd:
+      name: wgbackbone@{{ hostvars[item]['wireguard_bb_name'] }}.service
+      enabled: yes
+      state: started
+      daemon_reload: yes
+  with_items: "{{ groups['fastd'] }}"
--- a/roles/install_wireguard_backbone/tasks/main.yml
+++ b/roles/install_wireguard_backbone/tasks/main.yml
@ -1,34 +1,11 @@
 ---
- name: create wireguard config for peers
-  template:
-      src: wg.conf.j2
-      dest: /etc/wireguard/wgbb{{ item.name }}.conf
-      mode: 0400
-  with_items: "{{ wireguard_bb_peers }}"
-
- name: create wireguard up scripts for peers
-  template:
-      src: up.sh.j2
-      dest: /etc/wireguard/upbb{{ item.name }}.sh
-      mode: 0744
-  with_items: "{{ wireguard_bb_peers }}"
-
- name: create wireguard down scripts for peers
-  template:
-      src: down.sh.j2
-      dest: /etc/wireguard/downbb{{ item.name }}.sh
-      mode: 0744
-  with_items: "{{ wireguard_bb_peers }}"
-
 - name: create wireguard backbone service template
  copy:
      src: wgbackbone@.service
      dest: /etc/systemd/system/wgbackbone@.service

- name: start and enable wireguard mesh
-  systemd:
-      name: wgbackbone@{{ item.name }}.service
-      enabled: yes
-      state: started
-      daemon_reload: yes
-  with_items: "{{ wireguard_bb_peers }}"
+- include_tasks: ffrl_uplink_tasks.yml
+  when: "'ffrl_uplink' in group_names"
+
+- include_tasks: fastd_tasks.yml
+  when: "'fastd' in group_names"
--- a/roles/install_wireguard_backbone/templates/down.sh.j2
+++ b/roles/install_wireguard_backbone/templates/down.sh.j2
@ -1,5 +1,5 @@
 #!/bin/bash
-ip -4 rule del iif bb{{ item.name }} table ffmyk
-ip -6 rule del iif bb{{ item.name }} table ffmyk
-ip link set down dev bb{{ item.name }}
-ip link del bb{{ item.name }}
+ip -4 rule del iif bb{{ hostvars[item]['wireguard_bb_name'] }} table ffmyk
+ip -6 rule del iif bb{{ hostvars[item]['wireguard_bb_name'] }} table ffmyk
+ip link set down dev bb{{ hostvars[item]['wireguard_bb_name'] }}
+ip link del bb{{ hostvars[item]['wireguard_bb_name'] }}
--- a/roles/install_wireguard_backbone/templates/up.sh.j2
+++ b/roles/install_wireguard_backbone/templates/up.sh.j2
@ -1,8 +1,8 @@
 #!/bin/bash
-ip link add bb{{ item.name }} type wireguard
-wg setconf bb{{ item.name }} /etc/wireguard/wgbb{{ item.name }}.conf
-ip addr add {{ item.address6 }} dev bb{{ item.name }}
-ip addr add {{ wireguard_bb_ipv4 }}/32 peer {{ item.address }}/32 dev bb{{ item.name }}
-ip link set up dev bb{{ item.name }}
-ip -4 rule add iif bb{{ item.name }} table ffmyk priority 10
-ip -6 rule add iif bb{{ item.name }} table ffmyk priority 10
+ip link add bb{{ hostvars[item]['wireguard_bb_name'] }} type wireguard
+wg setconf bb{{ hostvars[item]['wireguard_bb_name'] }} /etc/wireguard/wgbb{{ hostvars[item]['wireguard_bb_name'] }}.conf
+ip addr add {{ wireguard_bb_ipv6 }} dev bb{{ hostvars[item]['wireguard_bb_name'] }}
+ip addr add {{ wireguard_bb_ipv4 }}/32 peer {{ hostvars[item]['wireguard_bb_ipv4'] }}/32 dev bb{{ hostvars[item]['wireguard_bb_name'] }}
+ip link set up dev bb{{ hostvars[item]['wireguard_bb_name'] }}
+ip -4 rule add iif bb{{ hostvars[item]['wireguard_bb_name'] }} table ffmyk priority 10
+ip -6 rule add iif bb{{ hostvars[item]['wireguard_bb_name'] }} table ffmyk priority 10
--- a/roles/install_wireguard_backbone/templates/wg.conf.j2
+++ b/roles/install_wireguard_backbone/templates/wg.conf.j2
@ -1,9 +1,9 @@
 [Interface]
-ListenPort = {{ item.local_port }}
-PrivateKey = {{ wireguard_bb_key }}
+ListenPort = {{ hostvars[item]['wireguard_bb_port'] }}
+PrivateKey = {{ wireguard_bb_priv_key }}

 [Peer]
-PublicKey = {{ item.key }}
+PublicKey = {{ hostvars[item]['wireguard_bb_pub_key'] }}
 AllowedIPs = 0.0.0.0/0,::/0
-Endpoint = [{{ item.endpoint }}]:{{ item.remote_port }}
+Endpoint = [{{ hostvars[item]['wireguard_bb_endpoint'] }}]:{{ wireguard_bb_port }}
 PersistentKeepalive = 30
--- a/roles/setup_ffrl_tunnel/handlers/main.yml
+++ b/roles/setup_ffrl_tunnel/handlers/main.yml
@ -0,0 +1,9 @@
+---
+- name: reenable netctl
+  command: netctl reenable {{ item.name }}
+  with_items: "{{ ffrl_peers }}"
+
+- name: reload bird
+  systemd:
+      name: bird.service
+      state: reloaded
--- a/roles/setup_ffrl_tunnel/tasks/main.yml
+++ b/roles/setup_ffrl_tunnel/tasks/main.yml
@ -0,0 +1,36 @@
+---
+- name: create netctl config
+  template:
+      src: netctl
+      dest: /etc/netctl/{{ item.name }}
+  with_items: "{{ ffrl_peers }}"
+  notify: reenable netctl
+
+- name: enable netctl config
+  command: netctl enable {{ item.name }}
+  args:
+      creates: /etc/systemd/system/netctl@{{ item.name }}.service
+  with_items: "{{ ffrl_peers }}"
+
+- name: start netctl config
+  systemd:
+      name: netctl@{{ item.name }}.service
+      state: started
+  with_items: "{{ ffrl_peers }}"
+
+- name: install bird
+  pacman:
+      name: bird
+      state: present
+
+- name: create bird config
+  template:
+      src: bird.conf
+      dest: /etc/bird.conf
+  notify: reload bird
+
+- name: start and enable bird
+  systemd:
+      name: bird.service
+      state: started
+      enabled: yes
--- a/roles/setup_ffrl_tunnel/templates/bird.conf
+++ b/roles/setup_ffrl_tunnel/templates/bird.conf
@ -0,0 +1,160 @@
+timeformat protocol iso long;
+
+log "bird.log" all;
+# debug protocols all;
+
+define ffrl_nat_address = {{ ffrl_ip4 }};
+
+define ffmyk_as = 65032; # private AS of ffmyk
+define ffrl_as = 201701; # public AS of rheinland
+
+router id ffrl_nat_address;
+
+ipv4 table ffrl4;
+ipv6 table ffrl6;
+
+function is_default4() {
+    return net ~ [
+        0.0.0.0/0
+    ];
+}
+
+function is_default6() {
+    return net ~ [
+        ::/0
+    ];
+}
+
+function is_ffrl_nat4() {
+    return net ~ [
+        {{ ffrl_ip4 }}/32
+    ];
+}
+
+function is_ffrl_public_nets6() {
+    return net ~ [
+        2a03:2260:1016::/48{48,56}
+    ];
+}
+
+function is_ffrl_tunnel_nets4() {
+    return net ~ [
+        100.64.0.0/10
+    ];
+}
+
+function is_ffrl_tunnel_nets6() {
+    return net ~ [
+        2a03:2260:0::/48
+    ];
+}
+
+# BGP Import Filter für Rheinland
+filter ebgp_ffrl_import_filter4 {
+    if is_default4() then accept;
+    reject;
+}
+
+# BGP Export Filter für Rheinland
+filter ebgp_ffrl_export_filter4 {
+    if is_ffrl_nat4() then accept;
+    reject;
+}
+
+filter ebgp_ffrl_import_filter6 {
+    if is_default6() then accept;
+    reject;
+}
+
+filter ebgp_ffrl_export_filter6 {
+    if is_ffrl_public_nets6() then accept;
+    reject;
+}
+
+protocol device {
+	scan time 10;
+}
+
+# IP-NAT-Adresse legen wir in die interne BIRD Routing Table
+protocol static ffrl_uplink_hostroute4 {
+    ipv4 { table ffrl4; };
+    route {{ ffrl_ip4 }}/32 reject;
+}
+
+protocol static ffrl_public_routes6 {
+    ipv6 { table ffrl6; };
+    route 2a03:2260:1016::/48 reject;
+}
+
+# Wir legen die Transfernetze in die interne BIRD Routing Table
+#protocol direct {
+#    ipv4;
+#    table ffrl4;
+#    interface {% for peer in ffrl_peers %}"{{ peer.name }}", {% endfor %};
+#    import where is_ffrl_tunnel_nets4();
+#}
+
+# Wir exportieren über Rheinland gelernte Routen in die Kernel Table 47 (ffrl)
+protocol kernel kernel_ffrl4 {
+    scan time 30;
+    ipv4 {
+		import none;
+		export filter {
+			krt_prefsrc = ffrl_nat_address;
+			accept;
+		};
+		table ffrl4;
+	};
+    kernel table 42;
+};
+
+protocol kernel kernel_ffrl6 {
+    scan time 30;
+	ipv6 {
+		import none;
+		export filter {
+			if is_default6() then accept;
+			reject;
+		};
+		table ffrl6;
+	};
+    kernel table 42;
+};
+
+# BGP Template für Rheinland Peerings
+template bgp ffrl_uplink4 {
+    local as ffmyk_as;
+    ipv4 {
+		table ffrl4;
+		import keep filtered;
+		import filter ebgp_ffrl_import_filter4;
+		export filter ebgp_ffrl_export_filter4;
+		next hop self;
+	};
+    direct;
+};
+
+template bgp ffrl_uplink6 {
+    local as ffmyk_as;
+    ipv6 {
+		table ffrl6;
+		import keep filtered;
+		import filter ebgp_ffrl_import_filter6;
+		export filter ebgp_ffrl_export_filter6;
+		next hop self;
+	};
+    direct;
+};
+
+{% for peer in ffrl_peers %}
+protocol bgp ffrl_{{ peer.name }}4 from ffrl_uplink4 {
+    source address {{ peer.ip4 }};
+    neighbor {{ peer.peer_ip4 }} as 201701;
+};
+
+protocol bgp ffrl_{{ peer.name }}6 from ffrl_uplink6 {
+    source address {{ peer.ip6 }};
+    neighbor {{ peer.peer_ip6 }} as 201701;
+}
+
+{% endfor %}
--- a/roles/setup_ffrl_tunnel/templates/netctl
+++ b/roles/setup_ffrl_tunnel/templates/netctl
@ -0,0 +1,14 @@
+Connection=tunnel
+Interface={{ item.name }}
+
+Mode=gre
+Local={{ ansible_default_ipv4.address }}
+Remote={{ item.remote }}
+
+ExecUpPost="/usr/bin/ip link set dev {{ item.name }} mtu 1400; /usr/bin/ip tunnel change {{ item.name }} ttl 64"
+
+IP=static
+Address=('{{ item.ip4 }}/31' '{{ ffrl_ip4 }}/32')
+
+IP6=static
+Address6=('{{ item.ip6 }}/64')
--- a/setup_fastd.yml
+++ b/setup_fastd.yml
@ -1,9 +1,9 @@
 ---
 - name: setup fastds
-  hosts: fastds
+  hosts: fastd
  user: root
  roles:
-      - install_yaourt
+      #- install_yaourt
      - configure_journald
      - configure_sysctl
      - configure_iptables
@ -19,14 +19,33 @@
      - install_radvd
      - install_bind
      - install_wireguard
-      - install_wireguard_mesh
+      #- install_wireguard_mesh
      - install_wireguard_backbone
      - install_babeld
      - install_fastd
      #- install_monitoring
      - install_admin_packages
 - name: install openvpn uplink
-  hosts: mullvad_fastds
+  hosts: mullvad_fastd
  user: root
  roles:
      - install_openvpn
+- name: setup ffrl
+  hosts: ffrl_uplink
+  user: root
+  roles:
+      - configure_journald
+      - configure_sysctl
+      - configure_iptables
+      - configure_static_routes
+      - install_cronie
+      #- install_php
+      #- install_nginx
+      - install_ntp
+      - install_haveged
+      - install_wireguard
+      - install_wireguard_backbone
+      - install_babeld
+      - setup_ffrl_tunnel
+      #- install_monitoring
+      - install_admin_packages