From 5f85269c8f93ac14c6f1a6b048d9449aa05b0d95 Mon Sep 17 00:00:00 2001 From: Matt Birkholz Date: Sat, 31 May 2025 22:16:26 -0600 Subject: [PATCH] Use private/gate-dhcpd.conf for the "wild" subnet. Replaced the awkward "gate wifi" name with "wild" while replacing the assumption that there is one Wi-Fi AP on the subnet. --- README.org | 255 +++++++++++++++++----------------- inst | 4 +- playbooks/check-inst-vars.yml | 2 +- private/gate-dhcpd.conf | 19 +++ private/vars.yml | 35 ++--- roles_t/core/tasks/main.yml | 2 +- roles_t/gate/tasks/main.yml | 51 +++---- 7 files changed, 185 insertions(+), 183 deletions(-) create mode 100644 private/gate-dhcpd.conf diff --git a/README.org b/README.org index 50c3774..cac9d65 100644 --- a/README.org +++ b/README.org @@ -812,9 +812,9 @@ configuration using mostly-default VirtualBoxes (described [[*Testing][here]]). #+BEGIN_SRC conf :tangle private/vars.yml private_net_cidr: 192.168.56.0/24 +wild_net_cidr: 192.168.57.0/24 public_vpn_net_cidr: 10.177.86.0/24 campus_vpn_net_cidr: 10.84.138.0/24 -gate_wifi_net_cidr: 192.168.57.0/24 #+END_SRC The network addresses are needed in several additional formats, e.g. @@ -829,8 +829,7 @@ private_net: "{{ private_net_cidr | ansible.utils.ipaddr('network') }}" private_net_mask: "{{ private_net_cidr | ansible.utils.ipaddr('netmask') }}" -private_net_and_mask: - "{{ private_net }} {{ private_net_mask }}" +private_net_and_mask: "{{ private_net }} {{ private_net_mask }}" public_vpn_net: "{{ public_vpn_net_cidr | ansible.utils.ipaddr('network') }}" public_vpn_net_mask: @@ -843,14 +842,12 @@ campus_vpn_net_mask: "{{ campus_vpn_net_cidr | ansible.utils.ipaddr('netmask') }}" campus_vpn_net_and_mask: "{{ campus_vpn_net }} {{ campus_vpn_net_mask }}" -gate_wifi_net: - "{{ gate_wifi_net_cidr | ansible.utils.ipaddr('network') }}" -gate_wifi_net_mask: - "{{ gate_wifi_net_cidr | ansible.utils.ipaddr('netmask') }}" -gate_wifi_net_and_mask: - "{{ gate_wifi_net }} {{ gate_wifi_net_mask }}" -gate_wifi_broadcast: - "{{ gate_wifi_net_cidr | ansible.utils.ipaddr('broadcast') }}" +wild_net: "{{ wild_net_cidr | ansible.utils.ipaddr('network') }}" +wild_net_mask: + "{{ wild_net_cidr | ansible.utils.ipaddr('netmask') }}" +wild_net_and_mask: "{{ wild_net }} {{ wild_net_mask }}" +wild_net_broadcast: + "{{ wild_net_cidr | ansible.utils.ipaddr('broadcast') }}" #+END_SRC The institute prefers to configure its services with IP addresses @@ -872,27 +869,26 @@ virtual machines and networks, and the VirtualBox user manual uses Finally, five host addresses are needed frequently in the Ansible code. The first two are Core's and Gate's addresses on the private Ethernet. The next two are Gate's and the campus Wi-Fi's addresses on -the Gate-WiFi subnet, the tiny Ethernet (~gate_wifi_net~) between Gate -and the (untrusted) campus Wi-Fi access point. The last is Front's -address on the public VPN, perversely called ~front_private_addr~. -The following code block picks the obvious IP addresses for Core -(host 1) and Gate (host 2). +the "wild" subnet, the untrusted Ethernet (~wild_net~) between Gate +and the campus Wi-Fi access point(s) and IoT appliances. The last is +Front's address on the public VPN, perversely called +~front_private_addr~. The following code block picks the obvious IP +addresses for Core (host 1) and Gate (host 2). #+CAPTION: [[file:private/vars.yml][=private/vars.yml=]] #+BEGIN_SRC conf :tangle private/vars.yml core_addr_cidr: "{{ private_net_cidr | ansible.utils.ipaddr('1') }}" gate_addr_cidr: "{{ private_net_cidr | ansible.utils.ipaddr('2') }}" -gate_wifi_addr_cidr: - "{{ gate_wifi_net_cidr | ansible.utils.ipaddr('1') }}" -wifi_wan_addr_cidr: - "{{ gate_wifi_net_cidr | ansible.utils.ipaddr('2') }}" +gate_wild_addr_cidr: + "{{ wild_net_cidr | ansible.utils.ipaddr('1') }}" +wifi_wan_addr_cidr: "{{ wild_net_cidr | ansible.utils.ipaddr('2') }}" front_private_addr_cidr: "{{ public_vpn_net_cidr | ansible.utils.ipaddr('1') }}" core_addr: "{{ core_addr_cidr | ansible.utils.ipaddr('address') }}" gate_addr: "{{ gate_addr_cidr | ansible.utils.ipaddr('address') }}" -gate_wifi_addr: - "{{ gate_wifi_addr_cidr | ansible.utils.ipaddr('address') }}" +gate_wild_addr: + "{{ gate_wild_addr_cidr | ansible.utils.ipaddr('address') }}" wifi_wan_addr: "{{ wifi_wan_addr_cidr | ansible.utils.ipaddr('address') }}" front_private_addr: @@ -1140,9 +1136,9 @@ interfaces. 1. ~lan~ is its main Ethernet interface, connected to the campus's private Ethernet switch. - 2. ~wifi~ is its second Ethernet interface, connected to the campus - Wi-Fi access point's WAN Ethernet interface (with a cross-over - cable). + 2. ~wild~ is its second Ethernet interface, connected to the + untrusted network of campus IoT appliances and Wi-Fi access + point(s). 3. ~isp~ is its third network interface, connected to the campus ISP. This could be an Ethernet device connected to a cable modem. It could be a USB port tethered to a phone, a @@ -1182,7 +1178,8 @@ following topology. #+END_EXAMPLE #+CAPTION: A small institute using its ISP's Wi-Fi access point. -In this case Gate has two interfaces and there is no Gate-WiFi subnet. +In this case Gate has two interfaces and there is no wild subnet +other than the Internets themselves. Support for this "alternate" topology is planned but /not/ yet implemented. Like the original topology, it should require no @@ -1267,7 +1264,7 @@ generated by the random subnet address picking procedure described in Gate was also connected to the USB Ethernet dongles cabled to the campus Wi-Fi access point and the campus ISP. The three network adapters are known by their MAC addresses, the values of the variables -~gate_lan_mac~, ~gate_wifi_mac~, and ~gate_isp_mac~. (For more +~gate_lan_mac~, ~gate_wild_mac~, and ~gate_isp_mac~. (For more information, see the Gate role's [[netplan-gate][Configure Netplan]] task.) At this point Gate was ready for provisioning with Ansible. @@ -2549,8 +2546,9 @@ The example configuration file, [[file:private/core-dhcpd.conf][=private/core-dh RFC3442's extension to encode a second (non-default) static route. The default route is through the campus ISP at Gate. A second route directs campus traffic to the Front VPN through Core. This is just an -example file. The administrator adds and removes actual machines from -the actual [[file:private/core-dhcpd.conf][=private/core-dhcpd.conf=]] file. +example file, with MAC addresses chosen to (probably?) match +VirtualBox test machines. In actual use =private/core-dhcpd.conf= +refers to a replacement file. #+CAPTION: [[file:private/core-dhcpd.conf][=private/core-dhcpd.conf=]] #+BEGIN_SRC conf :tangle private/core-dhcpd.conf :tangle-mode u=rw @@ -2584,8 +2582,8 @@ host server { hardware ethernet 08:00:27:f3:41:66; fixed-address 192.168.56.3; } #+END_SRC -The following tasks install the ISC's DHCP server and configure it -with the real [[file:private/core-dhcpd.conf][=private/core-dhcpd.conf=]] (/not/ the example above). +The following tasks install ISC's DHCP server and configure it with +the real [[file:private/core-dhcpd.conf][=private/core-dhcpd.conf=]] (/not/ the example above). #+CAPTION: [[file:roles_t/core/tasks/main.yml][=roles_t/core/tasks/main.yml=]] #+BEGIN_SRC conf :tangle roles_t/core/tasks/main.yml @@ -2694,9 +2692,9 @@ probably be used as forwarders rather than Google. #+BEGIN_SRC conf acl "trusted" { {{ private_net_cidr }}; + {{ wild_net_cidr }}; {{ public_vpn_net_cidr }}; {{ campus_vpn_net_cidr }}; - {{ gate_wifi_net_cidr }}; localhost; }; @@ -4686,19 +4684,19 @@ run before the next backup. * The Gate Role -The ~gate~ role configures the services expected at the campus gate: a -VPN into the campus network via a campus Wi-Fi access point, and -Internet access via NAT to the Internet. The gate machine uses -three network interfaces (see [[*The Gate Machine][The Gate Machine]]) configured with -persistent names used in its firewall rules. +The ~gate~ role configures the services expected at the campus gate: +access to the private Ethernet from the untrusted Ethernet (e.g. a +campus Wi-Fi AP) via VPN, and access to the Internet via NAT. The +gate machine uses three network interfaces (see [[*The Gate Machine][The Gate Machine]]) +configured with persistent names used in its firewall rules. - ~lan~ :: The campus Ethernet. - - ~wifi~ :: The campus Wi-Fi AP. + - ~wild~ :: The campus IoT (Wi-Fi APs). - ~isp~ :: The campus ISP. -Requiring a VPN to access the campus network from the campus Wi-Fi -bolsters the native Wi-Fi encryption and frustrates non-RYF ([[https://ryf.fsf.org][Respects -Your Freedom]]) wireless equipment. +Requiring a VPN to access the campus network from the untrusted +Ethernet (a campus Wi-Fi AP) bolsters the native Wi-Fi encryption and +frustrates non-RYF ([[https://ryf.fsf.org][Respects Your Freedom]]) wireless equipment. Gate is also a campus machine, so the more generic ~campus~ role is applied first, by which Gate gets a campus machine's DNS and Postfix @@ -4726,7 +4724,7 @@ The following should be familiar boilerplate by now. Gate's network interfaces are configured using Netplan and two files. =/etc/netplan/60-gate.yaml= describes the static interfaces, to the -campus Ethernet and WiFi. =/etc/netplan/60-isp.yaml= is expected to +campus Ethernet and Wi-Fi. =/etc/netplan/60-isp.yaml= is expected to be revised more frequently as the campus ISP changes. Netplan is configured to identify the interfaces by their MAC @@ -4736,8 +4734,8 @@ example code here. #+CAPTION: [[file:private/vars.yml][=private/vars.yml=]] #+BEGIN_SRC conf :tangle private/vars.yml gate_lan_mac: 08:00:27:f3:16:79 +gate_wild_mac: 08:00:27:4a:de:d2 gate_isp_mac: 08:00:27:3d:42:e5 -gate_wifi_mac: 08:00:27:4a:de:d2 #+END_SRC The following tasks install the two configuration files and apply the @@ -4768,11 +4766,11 @@ new network plan. routes: - to: {{ public_vpn_net_cidr }} via: {{ core_addr }} - wifi: + wild: match: - macaddress: {{ gate_wifi_mac }} - addresses: [ {{ gate_wifi_addr_cidr }} ] - set-name: wifi + macaddress: {{ gate_wild_mac }} + addresses: [ {{ gate_wild_addr_cidr }} ] + set-name: wild dhcp4: false dest: /etc/netplan/60-gate.yaml mode: u=rw,g=r,o= @@ -4824,21 +4822,21 @@ in =/etc/ufw/sysctl.conf=. NAT is enabled per the ~ufw-framework(8)~ manual page, by introducing ~nat~ table rules in a block at the end of =/etc/ufw/before.rules=. They translate packets going to the ISP. These can come from the -private Ethernet or campus Wi-Fi. Hosts on the other institute -networks (the two VPNs) should not be routing their Internet traffic -through their VPN. +private Ethernet or the untrusted Ethernet (campus IoT, including +Wi-Fi APs). Hosts on the other institute networks (the two VPNs) +should not be routing their Internet traffic through their VPN. #+NAME: ufw-nat #+CAPTION: ~ufw-nat~ #+BEGIN_SRC conf --A POSTROUTING -s {{ private_net_cidr }} -o isp -j MASQUERADE --A POSTROUTING -s {{ gate_wifi_net_cidr }} -o isp -j MASQUERADE +-A POSTROUTING -s {{ private_net_cidr }} -o isp -j MASQUERADE +-A POSTROUTING -s {{ wild_net_cidr }} -o isp -j MASQUERADE #+END_SRC Forwarding rules are also needed. The ~nat~ table is a /post/ routing rule set, so the default routing policy (~DENY~) will drop packets before NAT can translate them. The following rules are added to allow -packets to be forwarded from the campus Ethernet or Gate-WiFi subnet +packets to be forwarded from the campus Ethernet or its wild subnet to an ISP on the ~isp~ interface, and back (if related to an outgoing packet). @@ -4846,9 +4844,9 @@ packet). #+CAPTION: ~ufw-forward-nat~ #+BEGIN_SRC conf -A FORWARD -i lan -o isp -j ACCEPT --A FORWARD -i wifi -o isp -j ACCEPT +-A FORWARD -i wild -o isp -j ACCEPT -A FORWARD -i isp -o lan {{ ACCEPT_RELATED }} --A FORWARD -i isp -o wifi {{ ACCEPT_RELATED }} +-A FORWARD -i isp -o wild {{ ACCEPT_RELATED }} #+END_SRC To keep the above code lines short, the template references an @@ -4875,7 +4873,7 @@ public and campus VPNs is also allowed. #+END_SRC Note that there are no forwarding rules to allow packets to pass from -the ~wifi~ device to the ~lan~ device, just the ~ovpn~ device. +the ~wild~ device to the ~lan~ device, just the ~ovpn~ device. ** Install UFW @@ -4888,7 +4886,7 @@ new-gate~, enabling the firewall could break Ansible's current and future ssh sessions. For this reason, Ansible /does not/ enable the firewall. The administrator must login and execute the following command after Gate is configured or new gate is "in position" -(connected to old Gate's ~wifi~ and ~isp~ networks). +(connected to old Gate's ~wild~ and ~isp~ networks). : sudo ufw enable @@ -4932,43 +4930,54 @@ command after Gate is configured or new gate is "in position" insertafter: EOF #+END_SRC -** Configure DHCP For The Gate-WiFi Ethernet - -To accommodate commodity Wi-Fi access points without re-configuring -them, the institute attempts to look like an up-link, an ISP, e.g. a -cable modem. Thus it expects the wireless AP to route non-local -traffic out its WAN Ethernet port, and to get an IP address for the -WAN port using DHCP. Thus Gate runs ISC's DHCP daemon configured to -listen on one network interface, recognize exactly one client host, -and provide that one client with an IP address and customary network -parameters (default route, time server, etc.). +** Configure DHCP For The Wild Ethernet + +To accommodate commodity Wi-Fi access points, as well as wired IoT +appliances, without re-configuring them, the institute attempts to +look like an up-link, an ISP, e.g. a cable modem (aka "router"). It +expects a wireless AP (or IoT appliance) to route non-local traffic +out its WAN (or only) Ethernet port, and to get an IP address for that +port using DHCP. Thus Gate runs ISC's DHCP daemon configured to +listen on one network interface, recognize a specific list of clients, +and provide each with an IP address and customary network parameters +(default route, time server, etc.), much as was done on Core for the +private Ethernet. + +The example configuration file, [[file:private/gate-dhcpd.conf][=private/gate-dhcpd.conf=]], unlike +[[file:private/core-dhcpd.conf][=private/core-dhcpd.conf=]], does not need RFC3442 (Classless static +routes). The wild, wired or wireless IoT need know nothing about the +private network(s). This is just an example file, with a MAC address +chosen to (probably?) match a VirtualBox test machine. In actual use +=private/core-dhcpd.conf= refers to a replacement file. + +#+CAPTION: [[file:private/gate-dhcpd.conf][=private/gate-dhcpd.conf=]] +#+BEGIN_SRC conf :tangle private/gate-dhcpd.conf :tangle-mode u=rw +default-lease-time 3600; +max-lease-time 7200; -Two Ansible variables are needed to configure Gate's DHCP service, -specifically the sole subnet host: ~wifi_wan_name~ is any word -appropriate for identifying the Wi-Fi AP, and ~wifi_wan_mac~ is the -AP's MAC address. +ddns-update-style none; -#+CAPTION: [[file:private/vars.yml][=private/vars.yml=]] -#+BEGIN_SRC conf :tangle private/vars.yml -wifi_wan_mac: 94:83:c4:19:7d:57 -wifi_wan_name: campus-wifi-ap -#+END_SRC +authoritative; -If Gate is configured with ~./abbey config gate~ and then connected to -actual networks (i.e. /not/ rebooted), the following command is -executed. If a new gate was configured with ~./abbey config new-gate~ -and not rebooted, the following command would also be executed. +log-facility daemon; -: sudo systemctl start isc-dhcp-server +subnet 192.168.57.0 netmask 255.255.255.0 { + option subnet-mask 255.255.255.0; + option broadcast-address 192.168.57.255; + option routers 192.168.57.1; +} -If physically moved or rebooted for some other reason, the above -command would not be necessary. +host campus-wifi-ap { + hardware ethernet 94:83:c4:19:7d:57; + fixed-address 192.168.57.2; +} +#+END_SRC Installation and configuration of the DHCP daemon follows. Note that -the daemon listens /only/ on the Gate-WiFi network interface. Also -note the drop-in ~Requires~ dependency, without which the DHCP server -intermittently fails, finding the ~wifi~ interface has no IPv4 -addresses (or perhaps finding no ~wifi~ interface at all?). +the daemon listens /only/ on the ~wild~ network interface. Also note +the drop-in ~Requires~ dependency, without which the DHCP server +intermittently fails, finding the ~wild~ interface has no IPv4 +addresses (or perhaps finding no ~wild~ interface at all?). #+CAPTION: [[file:roles_t/gate/tasks/main.yml][=roles_t/gate/tasks/main.yml=]] #+BEGIN_SRC conf :tangle roles_t/gate/tasks/main.yml @@ -4981,10 +4990,17 @@ addresses (or perhaps finding no ~wifi~ interface at all?). become: yes lineinfile: path: /etc/default/isc-dhcp-server - line: INTERFACESv4="wifi" + line: INTERFACESv4="wild" regexp: ^INTERFACESv4= notify: Restart DHCP server. +- name: Configure DHCP subnet. + become: yes + copy: + src: ../private/gate-dhcpd.conf + dest: /etc/dhcp/dhcpd.conf + notify: Restart DHCP server. + - name: Configure DHCP server dependence on interface. become: yes copy: @@ -4994,34 +5010,12 @@ addresses (or perhaps finding no ~wifi~ interface at all?). dest: /etc/systemd/system/isc-dhcp-server.service.d/depend.conf notify: Reload Systemd. -- name: Configure DHCP for WiFiAP service. - become: yes - copy: - content: | - default-lease-time 3600; - max-lease-time 7200; - ddns-update-style none; - authoritative; - log-facility daemon; - - subnet {{ gate_wifi_net }} netmask {{ gate_wifi_net_mask }} { - option subnet-mask {{ gate_wifi_net_mask }}; - option broadcast-address {{ gate_wifi_broadcast }}; - option routers {{ gate_wifi_addr }}; - } - - host {{ wifi_wan_name }} { - hardware ethernet {{ wifi_wan_mac }}; - fixed-address {{ wifi_wan_addr }}; - } - dest: /etc/dhcp/dhcpd.conf - notify: Restart DHCP server. - -- name: Enable DHCP server. +- name: Enable/Start DHCP server. become: yes systemd: service: isc-dhcp-server enabled: yes + state: started #+END_SRC #+CAPTION: [[file:roles_t/gate/handlers/main.yml][=roles_t/gate/handlers/main.yml=]] @@ -5039,6 +5033,16 @@ addresses (or perhaps finding no ~wifi~ interface at all?). daemon-reload: yes #+END_SRC +If Gate is configured with ~./abbey config gate~ and then connected to +actual networks (i.e. /not/ rebooted), the following command is +executed. If a new gate was configured with ~./abbey config new-gate~ +and not rebooted, the following command would also be executed. + +: sudo systemctl start isc-dhcp-server + +If physically moved or rebooted for some other reason, the above +command would not be necessary. + ** Install Server Certificate The (OpenVPN) server on Gate uses an institute certificate (and key) @@ -5787,7 +5791,7 @@ sub mysystem (@) { mysystem "ansible-playbook playbooks/check-inst-vars.yml >/dev/null"; -our ($domain_name, $domain_priv, $front_addr, $gate_wifi_addr); +our ($domain_name, $domain_priv, $front_addr, $gate_wild_addr); do "./private/vars.pl"; #+END_SRC @@ -5805,7 +5809,7 @@ The playbook that updates [[file:private/vars.pl][=private/vars.pl=]]: $domain_name = "{{ domain_name }}"; $domain_priv = "{{ domain_priv }}"; $front_addr = "{{ front_addr }}"; - $gate_wifi_addr = "{{ gate_wifi_addr }}"; + $gate_wild_addr = "{{ gate_wild_addr }}"; dest: ../private/vars.pl mode: u=rw,g=,o= #+END_SRC @@ -6653,7 +6657,7 @@ if (defined $ARGV[0] && $ARGV[0] eq "client") { print "Wrote public VPN configuration to public.ovpn.\n"; } my $TC = read_file "Secret/gate-shared.key"; - write_template ($DEV,$UP,$CA,$CRT,$KEY,$TC, $gate_wifi_addr, + write_template ($DEV,$UP,$CA,$CRT,$KEY,$TC, $gate_wild_addr, "gate.$domain_priv", "campus.ovpn"); print "Wrote campus VPN configuration to campus.ovpn.\n"; @@ -6714,12 +6718,13 @@ The example files in this document, [[file:ansible.cfg][=ansible.cfg=]] and [[fi as those in [[file:public/][=public/=]] and [[file:private/][=private/=]], along with the matching EasyRSA certificate authority and GnuPG key-ring in [[file:Secret/][=Secret/=]] (included in the distribution), can be used to configure three VirtualBox VMs -simulating Core, Gate and Front in test networks simulating a campus -Ethernet, Wi-Fi, ISP, and a commercial cloud. With the test networks -up and running, a simulated member's notebook can be created and -alternately attached to the simulated campus Wi-Fi or the Internet (as -though abroad). The administrator's notebook in this simulation is -the VirtualBox host. +simulating Core, Gate and Front in test networks simulating a private +Ethernet, an untrusted Ethernet, the campus ISP, and a commercial +cloud. With the test networks up and running, a simulated member's +notebook can be created and alternately attached to the untrusted +Ethernet (as though it were on the campus Wi-Fi) or the Internet (as +though it were abroad). The administrator's notebook in this +simulation is the VirtualBox host. The next two sections list the steps taken to create the simulated Core, Gate and Front machines, and connect them to their networks. @@ -6750,8 +6755,8 @@ The networks used in the test: machine at ~192.168.56.10~ pretending to be the administrator's notebook. -- ~vboxnet1~ :: Another Host-only network, simulating the tiny - Ethernet between Gate and the campus Wi-Fi access point. It has no +- ~vboxnet1~ :: Another Host-only network, simulating the untrusted + Ethernet between Gate and the campus IoT (and Wi-Fi APs). It has no services, no DHCP, just the host at ~192.168.57.2~, simulating the NATed Wi-Fi network. @@ -6965,7 +6970,7 @@ defaults, listed below, are fine. ~gate~ can then move to the campus. It is shut down before the following ~VBoxManage~ commands are executed. The commands disconnect the primary Ethernet interface from ~premises~ and connect it to -~vboxnet0~. They also create two new interfaces, ~isp~ and ~wifi~, +~vboxnet0~. They also create two new interfaces, ~isp~ and ~wild~, connected to the simulated ISP and campus wireless access point. #+BEGIN_SRC sh @@ -6984,7 +6989,7 @@ values of the MAC address variables in this table. |----------+------------+-----------------+----------------------| | ~enp0s3~ | ~vboxnet0~ | campus Ethernet | ~gate_lan_mac~ | | ~enp0s8~ | ~premises~ | campus ISP | ~gate_isp_mac~ | -| ~enp0s9~ | ~vboxnet1~ | campus wireless | ~gate_wifi_mac~ | +| ~enp0s9~ | ~vboxnet1~ | campus IoT | ~gate_wild_mac~ | After ~gate~ boots up with its new network interfaces, the primary Ethernet interface is temporarily configured with an IP address. diff --git a/inst b/inst index d0e2ab2..6a2e8f2 100755 --- a/inst +++ b/inst @@ -58,7 +58,7 @@ sub mysystem (@) { mysystem "ansible-playbook playbooks/check-inst-vars.yml >/dev/null"; -our ($domain_name, $domain_priv, $front_addr, $gate_wifi_addr); +our ($domain_name, $domain_priv, $front_addr, $gate_wild_addr); do "./private/vars.pl"; if (defined $ARGV[0] && $ARGV[0] eq "CA") { @@ -427,7 +427,7 @@ up-restart"; print "Wrote public VPN configuration to public.ovpn.\n"; } my $TC = read_file "Secret/gate-shared.key"; - write_template ($DEV,$UP,$CA,$CRT,$KEY,$TC, $gate_wifi_addr, + write_template ($DEV,$UP,$CA,$CRT,$KEY,$TC, $gate_wild_addr, "gate.$domain_priv", "campus.ovpn"); print "Wrote campus VPN configuration to campus.ovpn.\n"; diff --git a/playbooks/check-inst-vars.yml b/playbooks/check-inst-vars.yml index ff1511b..a3215e9 100644 --- a/playbooks/check-inst-vars.yml +++ b/playbooks/check-inst-vars.yml @@ -8,6 +8,6 @@ $domain_name = "{{ domain_name }}"; $domain_priv = "{{ domain_priv }}"; $front_addr = "{{ front_addr }}"; - $gate_wifi_addr = "{{ gate_wifi_addr }}"; + $gate_wild_addr = "{{ gate_wild_addr }}"; dest: ../private/vars.pl mode: u=rw,g=,o= diff --git a/private/gate-dhcpd.conf b/private/gate-dhcpd.conf new file mode 100644 index 0000000..1b115bd --- /dev/null +++ b/private/gate-dhcpd.conf @@ -0,0 +1,19 @@ +default-lease-time 3600; +max-lease-time 7200; + +ddns-update-style none; + +authoritative; + +log-facility daemon; + +subnet 192.168.57.0 netmask 255.255.255.0 { + option subnet-mask 255.255.255.0; + option broadcast-address 192.168.57.255; + option routers 192.168.57.1; +} + +host campus-wifi-ap { + hardware ethernet 94:83:c4:19:7d:57; + fixed-address 192.168.57.2; +} diff --git a/private/vars.yml b/private/vars.yml index f68ae8d..1f493df 100644 --- a/private/vars.yml +++ b/private/vars.yml @@ -2,16 +2,15 @@ domain_priv: small.private private_net_cidr: 192.168.56.0/24 +wild_net_cidr: 192.168.57.0/24 public_vpn_net_cidr: 10.177.86.0/24 campus_vpn_net_cidr: 10.84.138.0/24 -gate_wifi_net_cidr: 192.168.57.0/24 private_net: "{{ private_net_cidr | ansible.utils.ipaddr('network') }}" private_net_mask: "{{ private_net_cidr | ansible.utils.ipaddr('netmask') }}" -private_net_and_mask: - "{{ private_net }} {{ private_net_mask }}" +private_net_and_mask: "{{ private_net }} {{ private_net_mask }}" public_vpn_net: "{{ public_vpn_net_cidr | ansible.utils.ipaddr('network') }}" public_vpn_net_mask: @@ -24,28 +23,25 @@ campus_vpn_net_mask: "{{ campus_vpn_net_cidr | ansible.utils.ipaddr('netmask') }}" campus_vpn_net_and_mask: "{{ campus_vpn_net }} {{ campus_vpn_net_mask }}" -gate_wifi_net: - "{{ gate_wifi_net_cidr | ansible.utils.ipaddr('network') }}" -gate_wifi_net_mask: - "{{ gate_wifi_net_cidr | ansible.utils.ipaddr('netmask') }}" -gate_wifi_net_and_mask: - "{{ gate_wifi_net }} {{ gate_wifi_net_mask }}" -gate_wifi_broadcast: - "{{ gate_wifi_net_cidr | ansible.utils.ipaddr('broadcast') }}" +wild_net: "{{ wild_net_cidr | ansible.utils.ipaddr('network') }}" +wild_net_mask: + "{{ wild_net_cidr | ansible.utils.ipaddr('netmask') }}" +wild_net_and_mask: "{{ wild_net }} {{ wild_net_mask }}" +wild_net_broadcast: + "{{ wild_net_cidr | ansible.utils.ipaddr('broadcast') }}" core_addr_cidr: "{{ private_net_cidr | ansible.utils.ipaddr('1') }}" gate_addr_cidr: "{{ private_net_cidr | ansible.utils.ipaddr('2') }}" -gate_wifi_addr_cidr: - "{{ gate_wifi_net_cidr | ansible.utils.ipaddr('1') }}" -wifi_wan_addr_cidr: - "{{ gate_wifi_net_cidr | ansible.utils.ipaddr('2') }}" +gate_wild_addr_cidr: + "{{ wild_net_cidr | ansible.utils.ipaddr('1') }}" +wifi_wan_addr_cidr: "{{ wild_net_cidr | ansible.utils.ipaddr('2') }}" front_private_addr_cidr: "{{ public_vpn_net_cidr | ansible.utils.ipaddr('1') }}" core_addr: "{{ core_addr_cidr | ansible.utils.ipaddr('address') }}" gate_addr: "{{ gate_addr_cidr | ansible.utils.ipaddr('address') }}" -gate_wifi_addr: - "{{ gate_wifi_addr_cidr | ansible.utils.ipaddr('address') }}" +gate_wild_addr: + "{{ gate_wild_addr_cidr | ansible.utils.ipaddr('address') }}" wifi_wan_addr: "{{ wifi_wan_addr_cidr | ansible.utils.ipaddr('address') }}" front_private_addr: @@ -58,11 +54,8 @@ nextcloud_dbpass: ippAgmaygyob nextcloud_region: US gate_lan_mac: 08:00:27:f3:16:79 +gate_wild_mac: 08:00:27:4a:de:d2 gate_isp_mac: 08:00:27:3d:42:e5 -gate_wifi_mac: 08:00:27:4a:de:d2 - -wifi_wan_mac: 94:83:c4:19:7d:57 -wifi_wan_name: campus-wifi-ap membership_rolls: - "../private/members.yml" diff --git a/roles_t/core/tasks/main.yml b/roles_t/core/tasks/main.yml index c44a9b3..8110f1f 100644 --- a/roles_t/core/tasks/main.yml +++ b/roles_t/core/tasks/main.yml @@ -93,9 +93,9 @@ content: | acl "trusted" { {{ private_net_cidr }}; + {{ wild_net_cidr }}; {{ public_vpn_net_cidr }}; {{ campus_vpn_net_cidr }}; - {{ gate_wifi_net_cidr }}; localhost; }; diff --git a/roles_t/gate/tasks/main.yml b/roles_t/gate/tasks/main.yml index db95047..c6521f0 100644 --- a/roles_t/gate/tasks/main.yml +++ b/roles_t/gate/tasks/main.yml @@ -31,11 +31,11 @@ routes: - to: {{ public_vpn_net_cidr }} via: {{ core_addr }} - wifi: + wild: match: - macaddress: {{ gate_wifi_mac }} - addresses: [ {{ gate_wifi_addr_cidr }} ] - set-name: wifi + macaddress: {{ gate_wild_mac }} + addresses: [ {{ gate_wild_addr_cidr }} ] + set-name: wild dhcp4: false dest: /etc/netplan/60-gate.yaml mode: u=rw,g=r,o= @@ -86,15 +86,15 @@ block: | *nat :POSTROUTING ACCEPT [0:0] - -A POSTROUTING -s {{ private_net_cidr }} -o isp -j MASQUERADE - -A POSTROUTING -s {{ gate_wifi_net_cidr }} -o isp -j MASQUERADE + -A POSTROUTING -s {{ private_net_cidr }} -o isp -j MASQUERADE + -A POSTROUTING -s {{ wild_net_cidr }} -o isp -j MASQUERADE COMMIT *filter -A FORWARD -i lan -o isp -j ACCEPT - -A FORWARD -i wifi -o isp -j ACCEPT + -A FORWARD -i wild -o isp -j ACCEPT -A FORWARD -i isp -o lan {{ ACCEPT_RELATED }} - -A FORWARD -i isp -o wifi {{ ACCEPT_RELATED }} + -A FORWARD -i isp -o wild {{ ACCEPT_RELATED }} -A FORWARD -i lan -o ovpn -j ACCEPT -A FORWARD -i ovpn -o lan -j ACCEPT COMMIT @@ -108,10 +108,17 @@ become: yes lineinfile: path: /etc/default/isc-dhcp-server - line: INTERFACESv4="wifi" + line: INTERFACESv4="wild" regexp: ^INTERFACESv4= notify: Restart DHCP server. +- name: Configure DHCP subnet. + become: yes + copy: + src: ../private/gate-dhcpd.conf + dest: /etc/dhcp/dhcpd.conf + notify: Restart DHCP server. + - name: Configure DHCP server dependence on interface. become: yes copy: @@ -121,34 +128,12 @@ dest: /etc/systemd/system/isc-dhcp-server.service.d/depend.conf notify: Reload Systemd. -- name: Configure DHCP for WiFiAP service. - become: yes - copy: - content: | - default-lease-time 3600; - max-lease-time 7200; - ddns-update-style none; - authoritative; - log-facility daemon; - - subnet {{ gate_wifi_net }} netmask {{ gate_wifi_net_mask }} { - option subnet-mask {{ gate_wifi_net_mask }}; - option broadcast-address {{ gate_wifi_broadcast }}; - option routers {{ gate_wifi_addr }}; - } - - host {{ wifi_wan_name }} { - hardware ethernet {{ wifi_wan_mac }}; - fixed-address {{ wifi_wan_addr }}; - } - dest: /etc/dhcp/dhcpd.conf - notify: Restart DHCP server. - -- name: Enable DHCP server. +- name: Enable/Start DHCP server. become: yes systemd: service: isc-dhcp-server enabled: yes + state: started - name: Install server certificate/key. become: yes -- 2.25.1