From 122d0b1dca6f35a009e1ad29b95e98f6e9ee4ab6 Mon Sep 17 00:00:00 2001
From: Matt Birkholz
Date: Fri, 27 Jun 2025 20:18:32 -0600
Subject: [PATCH] Update routing and masquerading for wild net IoT access.

Move forwarding rules to the ufw-user-forward chain following the example of The Small Institute.
---
 README.org | 65 +++++++++++++++++++++++++++++-
 roles_t/abbey-gate/tasks/main.yml | 27 +++++++++++++
 2 files changed, 89 insertions(+), 3 deletions(-)
 create mode 100644 roles_t/abbey-gate/tasks/main.yml

diff --git a/README.org b/README.org
index 8dc6fe6..dcb868f 100644
--- a/README.org
+++ b/README.org
@@ -1526,9 +1526,10 @@ Assistant appliance (Raspberry Pi).
 Birchwood Abbey's gate is a $110 µPC configured as A Small Institute Gate, thus providing a campus VPN on a campus Wi-Fi access point. It routes network traffic from its ~wild~ and ~lan~ interfaces to its
-~isp~ interface (and back) with NAT. That is all the abbey requires
-of its gate, so there is no additional Ansible configuration in this
-chapter (yet).
+~isp~ interface (and back) with NAT. The abbey adds masquerading
+between its private interfaces (~lan~ and ~wg0~) and ~wild~. This
+allows access to the Abbey's IoT appliances: a HomeAssistant and an
+Ecowitt hub.
 ** The Abbey Gate's Network Interfaces
@@ -1546,6 +1547,64 @@ The MAC address of each interface is set in =private/vars.yml= (see
 [[file:Institute/private/vars.yml][=Institute/private/vars.yml=]]) as the values of the ~gate_lan_mac~, ~gate_wild_mac~ and ~gate_isp_mac~ variables.
+** The Abbey's IoT Network
+
+To allow masquerading between the private subnets and ~wild~, the
+following ~iptables(8)~ rules are added. They are very similar to the
+~nat~ and ~filter~ table rules used by a small institute to masquerade
+its ~lan~ to its ~isp~ (see the [[file:Institute/README.org::*UFW Rules][UFW Rules]] of a Small Institute).
+
+#+NAME: iot-nat
+#+CAPTION: ~iot-nat~
+#+BEGIN_SRC conf
+-A POSTROUTING -s {{ private_net_cidr }} -o wild -j MASQUERADE
+-A POSTROUTING -s {{ public_wg_net_cidr }} -o wild -j MASQUERADE
+-A POSTROUTING -s {{ campus_wg_net_cidr }} -o wild -j MASQUERADE
+#+END_SRC
+
+#+NAME: iot-forward
+#+CAPTION: ~iot-forward~
+#+BEGIN_SRC conf
+-A ufw-user-forward -i lan -o wild -j ACCEPT
+-A ufw-user-forward -i wg0 -o wild -j ACCEPT
+#+END_SRC
+
+The ~lan~ interface encompasses the private LAN and the public VPN.
+The second rule includes the campus VPN.
+
+** Configure UFW for IoT
+
+The following tasks install the additional rules in =before.rules=
+and =user.rules= (as in [[file:Institute/README.org::*Configure UFW][Configure UFW]]).
+
+#+CAPTION: [[file:roles_t/abbey-gate/tasks/main.yml][=roles_t/abbey-gate/tasks/main.yml=]]
+#+BEGIN_SRC conf :tangle roles_t/abbey-gate/tasks/main.yml :noweb no-export :mkdirp yes
+---
+- name: Configure UFW NAT rules for IoT.
+ become: yes
+ blockinfile:
+ block: |
+ *nat
+ <>
+ COMMIT
+ dest: /etc/ufw/before.rules
+ marker: "# {mark} ABBEY MANAGED BLOCK"
+ insertafter: EOF
+ prepend_newline: yes
+
+- name: Configure UFW FORWARD rules for IoT.
+ become: yes
+ blockinfile:
+ block: |
+ *filter
+ <>
+ COMMIT
+ dest: /etc/ufw/user.rules
+ marker: "# {mark} ABBEY MANAGED BLOCK"
+ insertafter: EOF
+ prepend_newline: yes
+#+END_SRC
+
 ** The Abbey's Starlink Configuration
 The abbey connects to Starlink via Ethernet, and disables Starlink's
diff --git a/roles_t/abbey-gate/tasks/main.yml b/roles_t/abbey-gate/tasks/main.yml
new file mode 100644
index 0000000..a05c12c
--- /dev/null
+++ b/roles_t/abbey-gate/tasks/main.yml
@@ -0,0 +1,27 @@
+---
+- name: Configure UFW NAT rules for IoT.
+ become: yes
+ blockinfile:
+ block: |
+ *nat
+ -A POSTROUTING -s {{ private_net_cidr }} -o wild -j MASQUERADE
+ -A POSTROUTING -s {{ public_wg_net_cidr }} -o wild -j MASQUERADE
+ -A POSTROUTING -s {{ campus_wg_net_cidr }} -o wild -j MASQUERADE
+ COMMIT
+ dest: /etc/ufw/before.rules
+ marker: "# {mark} ABBEY MANAGED BLOCK"
+ insertafter: EOF
+ prepend_newline: yes
+
+- name: Configure UFW FORWARD rules for IoT.
+ become: yes
+ blockinfile:
+ block: |
+ *filter
+ -A ufw-user-forward -i lan -o wild -j ACCEPT
+ -A ufw-user-forward -i wg0 -o wild -j ACCEPT
+ COMMIT
+ dest: /etc/ufw/user.rules
+ marker: "# {mark} ABBEY MANAGED BLOCK"
+ insertafter: EOF
+ prepend_newline: yes
-- 
2.25.1
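Review bot: The two `ufw-user-forward` ACCEPT rules in the `*filter` block (`-A ufw-user-forward -i lan -o wild -j ACCEPT` and `-A ufw-user-forward -i wg0 -o wild -j ACCEPT`), together with the three MASQUERADE rules, make every host, protocol and port on `wild` reachable from all of `lan` and `wg0`, while the surrounding README text states the purpose as reaching two appliances, a HomeAssistant and an Ecowitt hub; the identical rules are tangled into the `roles_t/abbey-gate/tasks/main.yml` hunk. Restricting the forward rules to the appliances' addresses, e.g. `-A ufw-user-forward -i lan -o wild -d <HOMEASSISTANT_IP> -j ACCEPT` with `<HOMEASSISTANT_IP>`/`<ECOWITT_IP>` taken from the appliance configuration, keeps the rest of the untrusted wild net unreachable from the private side; if the broad allow is intended, a sentence in the "The Abbey's IoT Network" paragraph saying why all of `wild` must be reachable would make that choice visible. As far as I know `ufw` rewrites `/etc/ufw/user.rules` whenever rules are added or removed with the `ufw` command, so a block appended with `insertafter: EOF` may not survive that; if the Small Institute's "Configure UFW" tasks already accept this, a short note to that effect in the "Configure UFW for IoT" paragraph would save the next reader the question.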