Birchwood Abbey's gate is a $110 µPC configured as A Small Institute
Gate, thus providing a campus VPN on a campus Wi-Fi access point. It
routes network traffic from its ~wild~ and ~lan~ interfaces to its
-~isp~ interface (and back) with NAT. That is all the abbey requires
-of its gate, so there is no additional Ansible configuration in this
-chapter (yet).
+~isp~ interface (and back) with NAT. The abbey adds masquerading
+between its private interfaces (~lan~ and ~wg0~) and ~wild~. This
+allows access to the Abbey's IoT appliances: a HomeAssistant and an
+Ecowitt hub.
** The Abbey Gate's Network Interfaces
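Review bot: the new sentence "The abbey adds masquerading between its private interfaces (~lan~ and ~wg0~) and ~wild~" reads as if the translation were symmetric, but the rules this commit adds only masquerade traffic leaving the private subnets through ~wild~; replies come back through connection tracking, which is not shown here. Suggest "The abbey masquerades traffic from its private interfaces (~lan~ and ~wg0~) to ~wild~, so that hosts on the private networks and VPNs can reach the abbey's IoT appliances". Minor: "Abbey's" is capitalised here but lower-case elsewhere in the paragraph, and the product is spelt "Home Assistant".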
[[file:Institute/private/vars.yml][=Institute/private/vars.yml=]]) as the values of the ~gate_lan_mac~,
~gate_wild_mac~ and ~gate_isp_mac~ variables.
+** The Abbey's IoT Network
+
+To allow masquerading between the private subnets and ~wild~, the
+following ~iptables(8)~ rules are added. They are very similar to the
+~nat~ and ~filter~ table rules used by a small institute to masquerade
+its ~lan~ to its ~isp~ (see the [[file:Institute/README.org::*UFW Rules][UFW Rules]] of a Small Institute).
+
+#+NAME: iot-nat
+#+CAPTION: ~iot-nat~
+#+BEGIN_SRC conf
+-A POSTROUTING -s {{ private_net_cidr }} -o wild -j MASQUERADE
+-A POSTROUTING -s {{ public_wg_net_cidr }} -o wild -j MASQUERADE
+-A POSTROUTING -s {{ campus_wg_net_cidr }} -o wild -j MASQUERADE
+#+END_SRC
+
+#+NAME: iot-forward
+#+CAPTION: ~iot-forward~
+#+BEGIN_SRC conf
+-A ufw-user-forward -i lan -o wild -j ACCEPT
+-A ufw-user-forward -i wg0 -o wild -j ACCEPT
+#+END_SRC
+
+The ~lan~ interface encompasses the private LAN and the public VPN.
+The second rule includes the campus VPN.
+
+** Configure UFW for IoT
+
+The following tasks install the additional rules in =before.rules=
+and =user.rules= (as in [[file:Institute/README.org::*Configure UFW][Configure UFW]]).
+
+#+CAPTION: [[file:roles_t/abbey-gate/tasks/main.yml][=roles_t/abbey-gate/tasks/main.yml=]]
+#+BEGIN_SRC conf :tangle roles_t/abbey-gate/tasks/main.yml :noweb no-export :mkdirp yes
+---
+- name: Configure UFW NAT rules for IoT.
+ become: yes
+ blockinfile:
+ block: |
+ *nat
+ <<iot-nat>>
+ COMMIT
+ dest: /etc/ufw/before.rules
+ marker: "# {mark} ABBEY MANAGED BLOCK"
+ insertafter: EOF
+ prepend_newline: yes
+
+- name: Configure UFW FORWARD rules for IoT.
+ become: yes
+ blockinfile:
+ block: |
+ *filter
+ <<iot-forward>>
+ COMMIT
+ dest: /etc/ufw/user.rules
+ marker: "# {mark} ABBEY MANAGED BLOCK"
+ insertafter: EOF
+ prepend_newline: yes
+#+END_SRC
+
** The Abbey's Starlink Configuration
The abbey connects to Starlink via Ethernet, and disables Starlink's
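Review bot: the two ~iot-forward~ rules (`-A ufw-user-forward -i lan -o wild -j ACCEPT` and the ~wg0~ line) accept forwarding from the private LAN and both VPNs to every host on ~wild~, not only to the HomeAssistant and Ecowitt hub that the introduction names, and the ~iot-nat~ rules are likewise unrestricted in destination. If the two appliances have fixed addresses on ~wild~, adding `-d <appliance address>` to each forward and masquerade rule would keep the private networks' reach into the untrusted campus Wi-Fi limited to the devices this change is for; if they do not, a sentence saying the whole ~wild~ network is deliberately reachable would document the choice. Documentation point: "The second rule includes the campus VPN" sits after the forward block but the NAT block has three rules, so it is ambiguous which "second rule" is meant; suggest "the ~wg0~ rule covers the campus VPN". Also note that `prepend_newline` on ~blockinfile~ requires ansible-core 2.16 or later, which is worth stating next to the task.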
--- /dev/null
+---
+- name: Configure UFW NAT rules for IoT.
+ become: yes
+ blockinfile:
+ block: |
+ *nat
+ -A POSTROUTING -s {{ private_net_cidr }} -o wild -j MASQUERADE
+ -A POSTROUTING -s {{ public_wg_net_cidr }} -o wild -j MASQUERADE
+ -A POSTROUTING -s {{ campus_wg_net_cidr }} -o wild -j MASQUERADE
+ COMMIT
+ dest: /etc/ufw/before.rules
+ marker: "# {mark} ABBEY MANAGED BLOCK"
+ insertafter: EOF
+ prepend_newline: yes
+
+- name: Configure UFW FORWARD rules for IoT.
+ become: yes
+ blockinfile:
+ block: |
+ *filter
+ -A ufw-user-forward -i lan -o wild -j ACCEPT
+ -A ufw-user-forward -i wg0 -o wild -j ACCEPT
+ COMMIT
+ dest: /etc/ufw/user.rules
+ marker: "# {mark} ABBEY MANAGED BLOCK"
+ insertafter: EOF
+ prepend_newline: yes
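Review bot: neither task notifies a handler, so editing =/etc/ufw/before.rules= and =/etc/ufw/user.rules= here changes nothing on the running gate until UFW is reloaded; unless the institute's role already reloads UFW after these files change, add a `notify` on both tasks with a handler that runs `ufw reload`. Since this file is tangled from the ~README.org~ source block, the rules here must stay byte-identical to ~iot-nat~ and ~iot-forward~ above; any `-d` restriction suggested for those blocks would need to land in both places.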