re-building firewall rules.
parent
b5b74b74cd
commit
47aa54672a
13 changed files with 880 additions and 1012 deletions
1
.envrc
Normal file
1
.envrc
Normal file
|
@ -0,0 +1 @@
|
||||||
|
export SOPS_AGE_KEY_FILE=$(expand_path ~/.config/sops/age/vyos.agekey)
|
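Review bot: The new `.envrc` unconditionally overwrites `SOPS_AGE_KEY_FILE` with one operator's home-relative path, so a key location already exported in the shell (or by a CI runner) is silently replaced. A default-only form keeps an existing value, `export SOPS_AGE_KEY_FILE=${SOPS_AGE_KEY_FILE:-$(expand_path ~/.config/sops/age/vyos.agekey)}`. `expand_path` is direnv's stdlib helper, so this file only does anything under direnv; a one-line comment such as `# direnv: point sops at the age key used for this repo` would tell readers where the function comes from.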
1
.gitignore
vendored
1
.gitignore
vendored
|
@ -5,6 +5,7 @@
|
||||||
!.gitignore
|
!.gitignore
|
||||||
!.gitattributes
|
!.gitattributes
|
||||||
!.sops.yaml
|
!.sops.yaml
|
||||||
|
!.envrc
|
||||||
!apply-config.sh
|
!apply-config.sh
|
||||||
!secret.sops.env
|
!secret.sops.env
|
||||||
|
|
||||||
|
|
|
@ -1,21 +1,23 @@
|
||||||
#!/bin/vbash
|
#!/bin/vbash
|
||||||
# shellcheck shell=bash
|
# shellcheck shell=bash
|
||||||
# shellcheck source=/dev/null
|
# shellcheck source=/dev/null
|
||||||
dry_run=false
|
dry_run=true
|
||||||
|
|
||||||
if [ "$(id -g -n)" != 'vyattacfg' ] ; then
|
if [ "$(id -g -n)" != 'vyattacfg' ] ; then
|
||||||
exec sg vyattacfg -c "/bin/vbash $(readlink -f "$0") $@"
|
exec sg vyattacfg -c "/bin/vbash $(readlink -f "$0") $*"
|
||||||
fi
|
fi
|
||||||
|
|
||||||
while getopts "d" options; do
|
while getopts "c" options; do
|
||||||
case "${options}" in
|
case "${options}" in
|
||||||
d)
|
# -c Commit changes - default is dry-run
|
||||||
dry_run=true
|
c)
|
||||||
;;
|
echo 'Will commit changes'
|
||||||
*)
|
dry_run=false
|
||||||
echo 'error in command line parsing' >&2
|
;;
|
||||||
exit 1
|
*)
|
||||||
;;
|
echo 'error in command line parsing' >&2
|
||||||
|
exit 1
|
||||||
|
;;
|
||||||
esac
|
esac
|
||||||
done
|
done
|
||||||
|
|
||||||
|
@ -24,15 +26,39 @@ if [ -f "/config/secrets.sops.env" ]; then
|
||||||
export SOPS_AGE_KEY_FILE=/config/secrets/age.key
|
export SOPS_AGE_KEY_FILE=/config/secrets/age.key
|
||||||
|
|
||||||
mapfile environmentAsArray < <(
|
mapfile environmentAsArray < <(
|
||||||
sops --decrypt "/config/secrets.sops.env" \
|
sops --decrypt "/config/secrets.sops.env" |
|
||||||
| grep --invert-match '^#' \
|
grep --invert-match '^#' |
|
||||||
| grep --invert-match '^\s*$'
|
grep --invert-match '^\s*$'
|
||||||
) # Uses grep to remove commented and blank lines
|
) # Uses grep to remove commented and blank lines
|
||||||
for variableDeclaration in "${environmentAsArray[@]}"; do
|
for variableDeclaration in "${environmentAsArray[@]}"; do
|
||||||
export "${variableDeclaration//[$'\r\n']}" # The substitution removes the line breaks
|
export "${variableDeclaration//[$'\r\n']/}" # The substitution removes the line breaks
|
||||||
done
|
done
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
# Apply environment to container (configuration) files
|
||||||
|
restart_containers=""
|
||||||
|
while IFS= read -r -d '' file
|
||||||
|
do
|
||||||
|
cfgfile="${file%.tmpl}"
|
||||||
|
|
||||||
|
shafile=$file.sha256
|
||||||
|
if ! test -e "$shafile"; then
|
||||||
|
echo "rebuild" >"$shafile"
|
||||||
|
fi
|
||||||
|
|
||||||
|
newsha=$(envsubst <"$file" | shasum -a 256 | awk '{print $1}')
|
||||||
|
oldsha=$(cat "$shafile")
|
||||||
|
|
||||||
|
if ! test "$newsha" == "$oldsha"; then
|
||||||
|
echo "Configuration changed for $file"
|
||||||
|
if ! "$dry_run"; then
|
||||||
|
envsubst <"$file" >"$cfgfile"
|
||||||
|
echo "$newsha" >"$shafile"
|
||||||
|
restart_containers="$restart_containers $(echo "$file" | awk -F / '{print $1}')"
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
done < <(find containers -type f -name "*.tmpl" -print0)
|
||||||
|
|
||||||
# Include VyOS specific functions and aliases
|
# Include VyOS specific functions and aliases
|
||||||
source /opt/vyatta/etc/functions/script-template
|
source /opt/vyatta/etc/functions/script-template
|
||||||
|
|
||||||
|
@ -40,8 +66,7 @@ source /opt/vyatta/etc/functions/script-template
|
||||||
load /opt/vyatta/etc/config.boot.default
|
load /opt/vyatta/etc/config.boot.default
|
||||||
|
|
||||||
# Load all config files
|
# Load all config files
|
||||||
for f in /config/config-parts/*.sh
|
for f in /config/config-parts/*.sh; do
|
||||||
do
|
|
||||||
if [ -f "${f}" ]; then
|
if [ -f "${f}" ]; then
|
||||||
echo "Processing ${f}"
|
echo "Processing ${f}"
|
||||||
source "${f}"
|
source "${f}"
|
||||||
|
@ -53,12 +78,11 @@ if "$dry_run"; then
|
||||||
compare
|
compare
|
||||||
else
|
else
|
||||||
# Pull new container images
|
# Pull new container images
|
||||||
AVAILABLE_IMAGES=($(run show container image | awk '{ if ( NR > 1 ) { print $1 ":" $2} }'))
|
mapfile -t AVAILABLE_IMAGES < <(run show container image | awk '{ if ( NR > 1 ) { print $1 ":" $2} }')
|
||||||
CONFIG_IMAGES=($(sed -nr "s/set container name .* image '(.*)'/\1/p" /config/config-parts/* | uniq))
|
mapfile -t CONFIG_IMAGES < <(sed -nr "s/set container name .* image '(.*)'/\1/p" /config/config-parts/* | uniq)
|
||||||
|
|
||||||
for image in "${CONFIG_IMAGES[@]}"
|
for image in "${CONFIG_IMAGES[@]}"; do
|
||||||
do
|
if [[ ! " ${AVAILABLE_IMAGES[*]} " =~ \ ${image}\ ]]; then
|
||||||
if [[ ! " ${AVAILABLE_IMAGES[*]} " =~ " ${image} " ]]; then
|
|
||||||
echo "Pulling image ${image}"
|
echo "Pulling image ${image}"
|
||||||
run add container image "${image}"
|
run add container image "${image}"
|
||||||
fi
|
fi
|
||||||
|
@ -71,20 +95,25 @@ else
|
||||||
|
|
||||||
# Clean obsolete container images
|
# Clean obsolete container images
|
||||||
IFS=$'\n' read -rd '' -a AVAILABLE_IMAGES <<<"$(run show container image | tail -n +2)"
|
IFS=$'\n' read -rd '' -a AVAILABLE_IMAGES <<<"$(run show container image | tail -n +2)"
|
||||||
for image in "${AVAILABLE_IMAGES[@]}"
|
for image in "${AVAILABLE_IMAGES[@]}"; do
|
||||||
do
|
|
||||||
image_name=$(echo "${image}" | awk '{ print $1 }')
|
image_name=$(echo "${image}" | awk '{ print $1 }')
|
||||||
image_tag=$(echo "${image}" | awk '{ print $2 }')
|
image_tag=$(echo "${image}" | awk '{ print $2 }')
|
||||||
image_id=$(echo "${image}" | awk '{ print $3 }')
|
image_id=$(echo "${image}" | awk '{ print $3 }')
|
||||||
image_name_tag="${image_name}:${image_tag}"
|
image_name_tag="${image_name}:${image_tag}"
|
||||||
|
|
||||||
if [[ ! " ${CONFIG_IMAGES[*]} " =~ " ${image_name_tag} " ]]; then
|
if [[ ! " ${CONFIG_IMAGES[*]} " =~ \ ${image_name_tag}\ ]]; then
|
||||||
echo "Removing container ${image_name_tag}"
|
echo "Removing container ${image_name_tag}"
|
||||||
run delete container image "${image_id}"
|
run delete container image "${image_id}"
|
||||||
fi
|
fi
|
||||||
done
|
done
|
||||||
# Clean annoying overlay* folders
|
|
||||||
sudo find "/config" -name "overlay*" -type d -prune -exec rm -rf "{}" \;
|
# Restart containers
|
||||||
|
for container in $restart_containers; do
|
||||||
|
run restart container "$container"
|
||||||
|
done
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
# Clean annoying overlay* folders
|
||||||
|
sudo find "/config" -name "overlay*" -type d -prune -exec rm -rf "{}" \;
|
||||||
|
|
||||||
exit
|
exit
|
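Review bot: The restart list built by `restart_containers="$restart_containers $(echo "$file" | awk -F / '{print $1}')"` in the new template loop picks the wrong path component: `find containers -type f -name "*.tmpl" -print0` yields paths of the form `containers/<name>/...`, so field 1 is always the literal `containers` and `run restart container "$container"` is never given a real container name. Use `awk -F / '{print $2}'` (or `name=${file#containers/}; name=${name%%/*}`) and collect the names in an array with de-duplication, since several templates under one container would otherwise restart it once per file. Separately, `exec sg vyattacfg -c "/bin/vbash $(readlink -f "$0") $*"` still hands the arguments to `sg` as one string that a shell re-parses, so an argument containing spaces or metacharacters breaks; `exec sg vyattacfg -c "$(printf '%q ' /bin/vbash "$(readlink -f "$0")" "$@")"` keeps them intact. The files written by `envsubst <"$file" >"$cfgfile"` contain the decrypted secrets from `secrets.sops.env`, so setting `umask 077` before the loop (or `chmod` on `$cfgfile`) is worth considering. The `if [ -f "/config/secrets.sops.env" ]` block that the second hunk continues starts outside the hunk.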
|
@ -3,19 +3,6 @@
|
||||||
# Container networks
|
# Container networks
|
||||||
set container network containers prefix '10.5.0.0/24'
|
set container network containers prefix '10.5.0.0/24'
|
||||||
|
|
||||||
# cloudflare-ddns
|
|
||||||
set container name cloudflare-ddns allow-host-networks
|
|
||||||
set container name cloudflare-ddns environment CF_API_TOKEN value "${SECRET_CLOUDFLARE_DYNDNS_TOKEN}"
|
|
||||||
set container name cloudflare-ddns environment DOMAINS value 'ipv4.jahanson.tech,ipv4.hsn.dev'
|
|
||||||
set container name cloudflare-ddns environment IP6_PROVIDER value "none"
|
|
||||||
set container name cloudflare-ddns environment TZ value 'America/Chicago'
|
|
||||||
set container name cloudflare-ddns environment PGID value "1000"
|
|
||||||
set container name cloudflare-ddns environment PUID value "1000"
|
|
||||||
set container name cloudflare-ddns image 'docker.io/favonia/cloudflare-ddns:1.9.4'
|
|
||||||
set container name cloudflare-ddns memory '0'
|
|
||||||
set container name cloudflare-ddns restart 'on-failure'
|
|
||||||
set container name cloudflare-ddns shared-memory '0'
|
|
||||||
|
|
||||||
# bind
|
# bind
|
||||||
set container name bind cap-add 'net-bind-service'
|
set container name bind cap-add 'net-bind-service'
|
||||||
set container name bind image 'docker.io/internetsystemsconsortium/bind9:9.19'
|
set container name bind image 'docker.io/internetsystemsconsortium/bind9:9.19'
|
||||||
|
@ -31,18 +18,6 @@ set container name bind volume cache source '/tmp/bind/cache'
|
||||||
set container name bind volume cache destination '/var/cache/bind'
|
set container name bind volume cache destination '/var/cache/bind'
|
||||||
set container name bind volume cache mode 'rw'
|
set container name bind volume cache mode 'rw'
|
||||||
|
|
||||||
# dnsdist
|
|
||||||
set container name dnsdist cap-add 'net-bind-service'
|
|
||||||
set container name dnsdist environment TZ value 'America/Chicago'
|
|
||||||
set container name dnsdist image 'docker.io/powerdns/dnsdist-17:1.7.4'
|
|
||||||
set container name dnsdist memory '0'
|
|
||||||
set container name dnsdist network containers address '10.5.0.4'
|
|
||||||
set container name dnsdist restart 'on-failure'
|
|
||||||
set container name dnsdist shared-memory '0'
|
|
||||||
set container name dnsdist volume config source '/config/containers/dnsdist/config/dnsdist.conf'
|
|
||||||
set container name dnsdist volume config destination '/etc/dnsdist/dnsdist.conf'
|
|
||||||
set container name dnsdist volume config mode 'ro'
|
|
||||||
|
|
||||||
# haproxy-k8s-api
|
# haproxy-k8s-api
|
||||||
set container name haproxy-k8s-api image 'docker.io/library/haproxy:2.8.1'
|
set container name haproxy-k8s-api image 'docker.io/library/haproxy:2.8.1'
|
||||||
set container name haproxy-k8s-api memory '0'
|
set container name haproxy-k8s-api memory '0'
|
||||||
|
|
|
@ -1,41 +1,8 @@
|
||||||
#!/bin/vbash
|
#!/bin/vbash
|
||||||
|
|
||||||
set firewall zone guest default-action 'drop'
|
# local
|
||||||
set firewall zone guest from iot firewall name 'iot-guest'
|
|
||||||
set firewall zone guest from lan firewall name 'lan-guest'
|
|
||||||
set firewall zone guest from local firewall name 'local-guest'
|
|
||||||
set firewall zone guest from servers firewall name 'servers-guest'
|
|
||||||
set firewall zone guest from containers firewall name 'containers-guest'
|
|
||||||
set firewall zone guest from trusted firewall name 'trusted-guest'
|
|
||||||
set firewall zone guest from video firewall name 'video-guest'
|
|
||||||
set firewall zone guest from wan firewall name 'wan-guest'
|
|
||||||
set firewall zone guest interface 'eth1.30'
|
|
||||||
|
|
||||||
set firewall zone iot default-action 'drop'
|
|
||||||
set firewall zone iot from guest firewall name 'guest-iot'
|
|
||||||
set firewall zone iot from lan firewall name 'lan-iot'
|
|
||||||
set firewall zone iot from local firewall name 'local-iot'
|
|
||||||
set firewall zone iot from servers firewall name 'servers-iot'
|
|
||||||
set firewall zone iot from containers firewall name 'containers-iot'
|
|
||||||
set firewall zone iot from trusted firewall name 'trusted-iot'
|
|
||||||
set firewall zone iot from video firewall name 'video-iot'
|
|
||||||
set firewall zone iot from wan firewall name 'wan-iot'
|
|
||||||
set firewall zone iot interface 'eth1.40'
|
|
||||||
|
|
||||||
set firewall zone lan default-action 'drop'
|
|
||||||
set firewall zone lan from guest firewall name 'guest-lan'
|
|
||||||
set firewall zone lan from iot firewall name 'iot-lan'
|
|
||||||
set firewall zone lan from local firewall name 'local-lan'
|
|
||||||
set firewall zone lan from servers firewall name 'servers-lan'
|
|
||||||
set firewall zone lan from containers firewall name 'containers-lan'
|
|
||||||
set firewall zone lan from trusted firewall name 'trusted-lan'
|
|
||||||
set firewall zone lan from video firewall name 'video-lan'
|
|
||||||
set firewall zone lan from wan firewall name 'wan-lan'
|
|
||||||
set firewall zone lan interface 'eth1'
|
|
||||||
|
|
||||||
set firewall zone local default-action 'drop'
|
set firewall zone local default-action 'drop'
|
||||||
set firewall zone local description 'Local router zone'
|
set firewall zone local description 'Local router zone'
|
||||||
set firewall zone local from guest firewall name 'guest-local'
|
|
||||||
set firewall zone local from iot firewall name 'iot-local'
|
set firewall zone local from iot firewall name 'iot-local'
|
||||||
set firewall zone local from lan firewall name 'lan-local'
|
set firewall zone local from lan firewall name 'lan-local'
|
||||||
set firewall zone local from servers firewall name 'servers-local'
|
set firewall zone local from servers firewall name 'servers-local'
|
||||||
|
@ -45,20 +12,30 @@ set firewall zone local from video firewall name 'video-local'
|
||||||
set firewall zone local from wan firewall name 'wan-local'
|
set firewall zone local from wan firewall name 'wan-local'
|
||||||
set firewall zone local local-zone
|
set firewall zone local local-zone
|
||||||
|
|
||||||
set firewall zone servers default-action 'drop'
|
# wan
|
||||||
set firewall zone servers from guest firewall name 'guest-servers'
|
set firewall zone wan from iot firewall name 'iot-wan'
|
||||||
set firewall zone servers from iot firewall name 'iot-servers'
|
set firewall zone wan from lan firewall name 'lan-wan'
|
||||||
set firewall zone servers from lan firewall name 'lan-servers'
|
set firewall zone wan from local firewall name 'local-wan'
|
||||||
set firewall zone servers from local firewall name 'local-servers'
|
set firewall zone wan from servers firewall name 'servers-wan'
|
||||||
set firewall zone servers from containers firewall name 'containers-servers'
|
set firewall zone wan from containers firewall name 'containers-wan'
|
||||||
set firewall zone servers from trusted firewall name 'trusted-servers'
|
set firewall zone wan from trusted firewall name 'trusted-wan'
|
||||||
set firewall zone servers from video firewall name 'video-servers'
|
set firewall zone wan from video firewall name 'video-wan'
|
||||||
set firewall zone servers from wan firewall name 'wan-servers'
|
set firewall zone wan interface 'eth0'
|
||||||
set firewall zone servers interface 'eth1.10'
|
|
||||||
|
|
||||||
|
# lan
|
||||||
|
set firewall zone lan default-action 'drop'
|
||||||
|
set firewall zone lan from iot firewall name 'iot-lan'
|
||||||
|
set firewall zone lan from local firewall name 'local-lan'
|
||||||
|
set firewall zone lan from servers firewall name 'servers-lan'
|
||||||
|
set firewall zone lan from containers firewall name 'containers-lan'
|
||||||
|
set firewall zone lan from trusted firewall name 'trusted-lan'
|
||||||
|
set firewall zone lan from video firewall name 'video-lan'
|
||||||
|
set firewall zone lan from wan firewall name 'wan-lan'
|
||||||
|
set firewall zone lan interface 'eth1'
|
||||||
|
|
||||||
|
# containers
|
||||||
set firewall zone containers default-action 'drop'
|
set firewall zone containers default-action 'drop'
|
||||||
set firewall zone containers description 'VyOS containers zone'
|
set firewall zone containers description 'VyOS containers zone'
|
||||||
set firewall zone containers from guest firewall name 'guest-containers'
|
|
||||||
set firewall zone containers from iot firewall name 'iot-containers'
|
set firewall zone containers from iot firewall name 'iot-containers'
|
||||||
set firewall zone containers from lan firewall name 'lan-containers'
|
set firewall zone containers from lan firewall name 'lan-containers'
|
||||||
set firewall zone containers from local firewall name 'local-containers'
|
set firewall zone containers from local firewall name 'local-containers'
|
||||||
|
@ -68,8 +45,19 @@ set firewall zone containers from video firewall name 'video-containers'
|
||||||
set firewall zone containers from wan firewall name 'wan-containers'
|
set firewall zone containers from wan firewall name 'wan-containers'
|
||||||
set firewall zone containers interface 'pod-containers'
|
set firewall zone containers interface 'pod-containers'
|
||||||
|
|
||||||
|
# servers
|
||||||
|
set firewall zone servers default-action 'drop'
|
||||||
|
set firewall zone servers from iot firewall name 'iot-servers'
|
||||||
|
set firewall zone servers from lan firewall name 'lan-servers'
|
||||||
|
set firewall zone servers from local firewall name 'local-servers'
|
||||||
|
set firewall zone servers from containers firewall name 'containers-servers'
|
||||||
|
set firewall zone servers from trusted firewall name 'trusted-servers'
|
||||||
|
set firewall zone servers from video firewall name 'video-servers'
|
||||||
|
set firewall zone servers from wan firewall name 'wan-servers'
|
||||||
|
set firewall zone servers interface 'eth1.10'
|
||||||
|
|
||||||
|
# trusted
|
||||||
set firewall zone trusted default-action 'drop'
|
set firewall zone trusted default-action 'drop'
|
||||||
set firewall zone trusted from guest firewall name 'guest-trusted'
|
|
||||||
set firewall zone trusted from iot firewall name 'iot-trusted'
|
set firewall zone trusted from iot firewall name 'iot-trusted'
|
||||||
set firewall zone trusted from lan firewall name 'lan-trusted'
|
set firewall zone trusted from lan firewall name 'lan-trusted'
|
||||||
set firewall zone trusted from local firewall name 'local-trusted'
|
set firewall zone trusted from local firewall name 'local-trusted'
|
||||||
|
@ -80,8 +68,19 @@ set firewall zone trusted from wan firewall name 'wan-trusted'
|
||||||
set firewall zone trusted interface 'eth1.20'
|
set firewall zone trusted interface 'eth1.20'
|
||||||
set firewall zone trusted interface 'wg01'
|
set firewall zone trusted interface 'wg01'
|
||||||
|
|
||||||
|
# iot
|
||||||
|
set firewall zone iot default-action 'drop'
|
||||||
|
set firewall zone iot from lan firewall name 'lan-iot'
|
||||||
|
set firewall zone iot from local firewall name 'local-iot'
|
||||||
|
set firewall zone iot from servers firewall name 'servers-iot'
|
||||||
|
set firewall zone iot from containers firewall name 'containers-iot'
|
||||||
|
set firewall zone iot from trusted firewall name 'trusted-iot'
|
||||||
|
set firewall zone iot from video firewall name 'video-iot'
|
||||||
|
set firewall zone iot from wan firewall name 'wan-iot'
|
||||||
|
set firewall zone iot interface 'eth1.30'
|
||||||
|
|
||||||
|
# video
|
||||||
set firewall zone video default-action 'drop'
|
set firewall zone video default-action 'drop'
|
||||||
set firewall zone video from guest firewall name 'guest-video'
|
|
||||||
set firewall zone video from iot firewall name 'iot-video'
|
set firewall zone video from iot firewall name 'iot-video'
|
||||||
set firewall zone video from lan firewall name 'lan-video'
|
set firewall zone video from lan firewall name 'lan-video'
|
||||||
set firewall zone video from local firewall name 'local-video'
|
set firewall zone video from local firewall name 'local-video'
|
||||||
|
@ -89,15 +88,5 @@ set firewall zone video from servers firewall name 'servers-video'
|
||||||
set firewall zone video from containers firewall name 'containers-video'
|
set firewall zone video from containers firewall name 'containers-video'
|
||||||
set firewall zone video from trusted firewall name 'trusted-video'
|
set firewall zone video from trusted firewall name 'trusted-video'
|
||||||
set firewall zone video from wan firewall name 'wan-video'
|
set firewall zone video from wan firewall name 'wan-video'
|
||||||
set firewall zone video interface 'eth1.50'
|
set firewall zone video interface 'eth1.40'
|
||||||
set firewall zone wan default-action 'drop'
|
set firewall zone wan default-action 'drop'
|
||||||
|
|
||||||
set firewall zone wan from guest firewall name 'guest-wan'
|
|
||||||
set firewall zone wan from iot firewall name 'iot-wan'
|
|
||||||
set firewall zone wan from lan firewall name 'lan-wan'
|
|
||||||
set firewall zone wan from local firewall name 'local-wan'
|
|
||||||
set firewall zone wan from servers firewall name 'servers-wan'
|
|
||||||
set firewall zone wan from containers firewall name 'containers-wan'
|
|
||||||
set firewall zone wan from trusted firewall name 'trusted-wan'
|
|
||||||
set firewall zone wan from video firewall name 'video-wan'
|
|
||||||
set firewall zone wan interface 'eth0'
|
|
||||||
|
|
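Review bot: `set firewall zone wan default-action 'drop'` is left as the final statement after the `# video` block (it is a context line in the last hunk) while the rest of the wan zone now lives under the new `# wan` header added in the `@ -45,20 +12,30 @@` hunk; move it directly beneath `# wan` so a reader checking the zone's default policy finds it with its peers. Every other zone in the new layout opens with its default-action line, so this is the one exception. Removing the guest zone also orphans any `guest-*` / `*-guest` rule sets that the zone `from` lines used to reference; the rules file's diff is suppressed in this view, so verify those rule sets are deleted as well.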
|
@ -6,24 +6,6 @@ set firewall state-policy invalid action 'drop'
|
||||||
set firewall state-policy related action 'accept'
|
set firewall state-policy related action 'accept'
|
||||||
|
|
||||||
# Address Groups
|
# Address Groups
|
||||||
set firewall group address-group 3d_printer_controllers address '10.1.3.56'
|
|
||||||
|
|
||||||
set firewall group address-group android_tv_players address '10.1.3.16'
|
|
||||||
|
|
||||||
set firewall group address-group ereaders address '10.1.3.51'
|
|
||||||
set firewall group address-group ereaders address '10.1.3.52'
|
|
||||||
|
|
||||||
set firewall group address-group esp address '10.1.3.21'
|
|
||||||
set firewall group address-group esp address '10.1.3.31'
|
|
||||||
set firewall group address-group esp address '10.1.3.32'
|
|
||||||
set firewall group address-group esp address '10.1.3.33'
|
|
||||||
set firewall group address-group esp address '10.1.3.34'
|
|
||||||
set firewall group address-group esp address '10.1.3.35'
|
|
||||||
set firewall group address-group esp address '10.1.3.36'
|
|
||||||
set firewall group address-group esp address '10.1.3.42'
|
|
||||||
set firewall group address-group esp address '10.1.3.45'
|
|
||||||
set firewall group address-group esp address '10.1.3.46'
|
|
||||||
|
|
||||||
set firewall group address-group ios_devices address '10.1.2.31'
|
set firewall group address-group ios_devices address '10.1.2.31'
|
||||||
set firewall group address-group ios_devices address '10.1.2.32'
|
set firewall group address-group ios_devices address '10.1.2.32'
|
||||||
set firewall group address-group ios_devices address '10.1.2.33'
|
set firewall group address-group ios_devices address '10.1.2.33'
|
||||||
|
@ -31,24 +13,16 @@ set firewall group address-group ios_devices address '10.1.2.34'
|
||||||
set firewall group address-group ios_devices address '10.1.2.35'
|
set firewall group address-group ios_devices address '10.1.2.35'
|
||||||
set firewall group address-group ios_devices address '10.1.2.36'
|
set firewall group address-group ios_devices address '10.1.2.36'
|
||||||
|
|
||||||
set firewall group address-group jellyfin_clients address '10.1.2.21'
|
|
||||||
set firewall group address-group jellyfin_clients address '10.1.2.31'
|
|
||||||
set firewall group address-group jellyfin_clients address '10.1.2.32'
|
|
||||||
set firewall group address-group jellyfin_clients address '10.1.2.33'
|
|
||||||
set firewall group address-group jellyfin_clients address '10.1.2.34'
|
|
||||||
set firewall group address-group jellyfin_clients address '10.1.2.35'
|
|
||||||
set firewall group address-group jellyfin_clients address '10.1.2.36'
|
|
||||||
set firewall group address-group jellyfin_clients address '10.1.3.16'
|
|
||||||
|
|
||||||
set firewall group address-group k8s_api address '10.5.0.2'
|
set firewall group address-group k8s_api address '10.5.0.2'
|
||||||
|
|
||||||
|
# external nginx
|
||||||
set firewall group address-group k8s_ingress address '10.45.0.1'
|
set firewall group address-group k8s_ingress address '10.45.0.1'
|
||||||
|
# internal nginx
|
||||||
|
set firewall group address-group k8s_ingress address '10.45.0.3'
|
||||||
|
|
||||||
set firewall group address-group k8s_ingress_allowed address '10.1.3.35'
|
set firewall group address-group k8s_ingress_allowed address '10.1.3.35'
|
||||||
set firewall group address-group k8s_ingress_allowed address '10.1.3.36'
|
set firewall group address-group k8s_ingress_allowed address '10.1.3.36'
|
||||||
|
|
||||||
set firewall group address-group k8s_jellyfin address '10.45.0.21'
|
|
||||||
|
|
||||||
set firewall group address-group k8s_mqtt address '10.45.0.10'
|
set firewall group address-group k8s_mqtt address '10.45.0.10'
|
||||||
|
|
||||||
set firewall group address-group k8s_nodes address '10.1.1.41'
|
set firewall group address-group k8s_nodes address '10.1.1.41'
|
||||||
|
@ -92,8 +66,6 @@ set firewall group address-group printers address '10.1.3.55'
|
||||||
|
|
||||||
set firewall group address-group printer_allowed address '192.168.2.11'
|
set firewall group address-group printer_allowed address '192.168.2.11'
|
||||||
|
|
||||||
set firewall group address-group scanners address '10.1.3.55'
|
|
||||||
|
|
||||||
set firewall group address-group sonos_controllers address '10.1.2.21'
|
set firewall group address-group sonos_controllers address '10.1.2.21'
|
||||||
set firewall group address-group sonos_controllers address '10.1.2.31'
|
set firewall group address-group sonos_controllers address '10.1.2.31'
|
||||||
set firewall group address-group sonos_controllers address '10.1.2.32'
|
set firewall group address-group sonos_controllers address '10.1.2.32'
|
||||||
|
@ -101,12 +73,6 @@ set firewall group address-group sonos_controllers address '10.1.2.33'
|
||||||
set firewall group address-group sonos_controllers address '10.1.2.34'
|
set firewall group address-group sonos_controllers address '10.1.2.34'
|
||||||
set firewall group address-group sonos_controllers address '10.1.2.36'
|
set firewall group address-group sonos_controllers address '10.1.2.36'
|
||||||
|
|
||||||
set firewall group address-group sonos_players address '10.1.3.61'
|
|
||||||
set firewall group address-group sonos_players address '10.1.3.62'
|
|
||||||
set firewall group address-group sonos_players address '10.1.3.63'
|
|
||||||
set firewall group address-group sonos_players address '10.1.3.65'
|
|
||||||
set firewall group address-group sonos_players address '10.1.3.66'
|
|
||||||
|
|
||||||
set firewall group address-group sonos_players address '10.1.3.71'
|
set firewall group address-group sonos_players address '10.1.3.71'
|
||||||
set firewall group address-group sonos_players address '10.1.3.72'
|
set firewall group address-group sonos_players address '10.1.3.72'
|
||||||
set firewall group address-group sonos_players address '10.1.3.73'
|
set firewall group address-group sonos_players address '10.1.3.73'
|
||||||
|
@ -125,13 +91,8 @@ set firewall group address-group vector_journald_allowed address '10.1.3.60'
|
||||||
|
|
||||||
set firewall group address-group vyos_coredns address '10.5.0.3'
|
set firewall group address-group vyos_coredns address '10.5.0.3'
|
||||||
|
|
||||||
set firewall group address-group vyos_dnsdist address '10.5.0.4'
|
|
||||||
|
|
||||||
set firewall group address-group vyos_unifi address '10.5.0.10'
|
set firewall group address-group vyos_unifi address '10.5.0.10'
|
||||||
|
|
||||||
set firewall group address-group wall_displays address '10.1.3.53'
|
|
||||||
set firewall group address-group wall_displays address '10.1.3.54'
|
|
||||||
|
|
||||||
set firewall group network-group k8s_services network '10.45.0.0/16'
|
set firewall group network-group k8s_services network '10.45.0.0/16'
|
||||||
|
|
||||||
# Port groups
|
# Port groups
|
||||||
|
|
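Review bot: `set firewall group address-group printer_allowed address '192.168.2.11'` (a context line in the `@ -92,8 +66,6 @@` hunk) now points at a host on the 192.168.2.0/24 guest network, which this same commit removes from the interfaces (vif 30) and DHCP files, so the entry can no longer match anything; delete it or move it to the host's new address. The addition under `# internal nginx` folds 10.45.0.3 into the existing `k8s_ingress` group, so every rule that currently admits traffic to `k8s_ingress` (previously only the external nginx at 10.45.0.1) now also admits it to the internal ingress. I can't see the rule sets in this view, so confirm that widening is intended, or split the group into separate external and internal groups so the rules stay least-privilege.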
|
@ -11,12 +11,10 @@ set interfaces ethernet eth1 vif 10 address '10.1.1.1/24'
|
||||||
set interfaces ethernet eth1 vif 10 description 'SERVERS'
|
set interfaces ethernet eth1 vif 10 description 'SERVERS'
|
||||||
set interfaces ethernet eth1 vif 20 address '10.1.2.1/24'
|
set interfaces ethernet eth1 vif 20 address '10.1.2.1/24'
|
||||||
set interfaces ethernet eth1 vif 20 description 'TRUSTED'
|
set interfaces ethernet eth1 vif 20 description 'TRUSTED'
|
||||||
set interfaces ethernet eth1 vif 30 address '192.168.2.1/24'
|
set interfaces ethernet eth1 vif 30 address '10.1.3.1/24'
|
||||||
set interfaces ethernet eth1 vif 30 description 'GUEST'
|
set interfaces ethernet eth1 vif 30 description 'IOT'
|
||||||
set interfaces ethernet eth1 vif 40 address '10.1.3.1/24'
|
set interfaces ethernet eth1 vif 40 address '10.1.4.1/24'
|
||||||
set interfaces ethernet eth1 vif 40 description 'IOT'
|
set interfaces ethernet eth1 vif 40 description 'VIDEO'
|
||||||
set interfaces ethernet eth1 vif 50 address '10.1.4.1/24'
|
|
||||||
set interfaces ethernet eth1 vif 50 description 'VIDEO'
|
|
||||||
|
|
||||||
set interfaces wireguard wg01 address '10.0.11.1/24'
|
set interfaces wireguard wg01 address '10.0.11.1/24'
|
||||||
set interfaces wireguard wg01 description 'WIREGUARD'
|
set interfaces wireguard wg01 description 'WIREGUARD'
|
||||||
|
|
|
@ -10,19 +10,19 @@ set nat destination rule 110 translation port '32400'
|
||||||
|
|
||||||
# Force DNS
|
# Force DNS
|
||||||
set nat destination rule 102 description 'Force DNS for IoT'
|
set nat destination rule 102 description 'Force DNS for IoT'
|
||||||
set nat destination rule 102 destination address '!10.5.0.4'
|
set nat destination rule 102 destination address '!10.1.3.1'
|
||||||
set nat destination rule 102 destination port '53'
|
set nat destination rule 102 destination port '53'
|
||||||
set nat destination rule 102 inbound-interface 'eth1.40'
|
set nat destination rule 102 inbound-interface 'eth1.30'
|
||||||
set nat destination rule 102 protocol 'tcp_udp'
|
set nat destination rule 102 protocol 'tcp_udp'
|
||||||
set nat destination rule 102 translation address '10.5.0.4'
|
set nat destination rule 102 translation address '10.1.3.1'
|
||||||
set nat destination rule 102 translation port '53'
|
set nat destination rule 102 translation port '53'
|
||||||
|
|
||||||
set nat destination rule 103 description 'Force DNS for Video'
|
set nat destination rule 103 description 'Force DNS for Video'
|
||||||
set nat destination rule 103 destination address '!10.5.0.4'
|
set nat destination rule 103 destination address '!10.1.4.1'
|
||||||
set nat destination rule 103 destination port '53'
|
set nat destination rule 103 destination port '53'
|
||||||
set nat destination rule 103 inbound-interface 'eth1.50'
|
set nat destination rule 103 inbound-interface 'eth1.40'
|
||||||
set nat destination rule 103 protocol 'tcp_udp'
|
set nat destination rule 103 protocol 'tcp_udp'
|
||||||
set nat destination rule 103 translation address '10.5.0.4'
|
set nat destination rule 103 translation address '10.1.4.1'
|
||||||
set nat destination rule 103 translation port '53'
|
set nat destination rule 103 translation port '53'
|
||||||
|
|
||||||
set nat destination rule 104 description 'Force NTP for LAN'
|
set nat destination rule 104 description 'Force NTP for LAN'
|
||||||
|
@ -53,7 +53,7 @@ set nat destination rule 106 translation port '123'
|
||||||
set nat destination rule 107 description 'Force NTP for IoT'
|
set nat destination rule 107 description 'Force NTP for IoT'
|
||||||
set nat destination rule 107 destination address '!10.1.3.1'
|
set nat destination rule 107 destination address '!10.1.3.1'
|
||||||
set nat destination rule 107 destination port '123'
|
set nat destination rule 107 destination port '123'
|
||||||
set nat destination rule 107 inbound-interface 'eth1.40'
|
set nat destination rule 107 inbound-interface 'eth1.30'
|
||||||
set nat destination rule 107 protocol 'udp'
|
set nat destination rule 107 protocol 'udp'
|
||||||
set nat destination rule 107 translation address '10.1.3.1'
|
set nat destination rule 107 translation address '10.1.3.1'
|
||||||
set nat destination rule 107 translation port '123'
|
set nat destination rule 107 translation port '123'
|
||||||
|
@ -61,7 +61,7 @@ set nat destination rule 107 translation port '123'
|
||||||
set nat destination rule 108 description 'Force NTP for Video'
|
set nat destination rule 108 description 'Force NTP for Video'
|
||||||
set nat destination rule 108 destination address '!10.1.4.1'
|
set nat destination rule 108 destination address '!10.1.4.1'
|
||||||
set nat destination rule 108 destination port '123'
|
set nat destination rule 108 destination port '123'
|
||||||
set nat destination rule 108 inbound-interface 'eth1.50'
|
set nat destination rule 108 inbound-interface 'eth1.40'
|
||||||
set nat destination rule 108 protocol 'udp'
|
set nat destination rule 108 protocol 'udp'
|
||||||
set nat destination rule 108 translation address '10.1.4.1'
|
set nat destination rule 108 translation address '10.1.4.1'
|
||||||
set nat destination rule 108 translation port '123'
|
set nat destination rule 108 translation port '123'
|
||||||
|
|
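Review bot: Rules 102 and 103 now redirect all port-53 traffic from eth1.30 and eth1.40 to the router's own addresses (10.1.3.1 and 10.1.4.1) instead of the removed dnsdist container at 10.5.0.4, but nothing in this commit shows a DNS listener bound to those addresses, so IoT and video clients lose name resolution unless the router forwards DNS on them; confirm the `service dns forwarding` listen configuration covers both, or add a comment beside `# Force DNS` naming the resolver these rules depend on. The `destination address '!10.1.3.1'` and `'!10.1.4.1'` exclusions are consistent with that assumption. The interface renumbering (eth1.40 → eth1.30, eth1.50 → eth1.40) agrees with the interfaces file in this commit.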
|
@ -1,50 +1,5 @@
|
||||||
#!/bin/vbash
|
#!/bin/vbash
|
||||||
|
|
||||||
# Guest VLAN
|
|
||||||
set service dhcp-server shared-network-name GUEST authoritative
|
|
||||||
set service dhcp-server shared-network-name GUEST ping-check
|
|
||||||
set service dhcp-server shared-network-name GUEST subnet 192.168.2.0/24 default-router '192.168.2.1'
|
|
||||||
set service dhcp-server shared-network-name GUEST subnet 192.168.2.0/24 lease '86400'
|
|
||||||
set service dhcp-server shared-network-name GUEST subnet 192.168.2.0/24 name-server '10.5.0.4'
|
|
||||||
set service dhcp-server shared-network-name GUEST subnet 192.168.2.0/24 range 0 start '192.168.2.200'
|
|
||||||
set service dhcp-server shared-network-name GUEST subnet 192.168.2.0/24 range 0 stop '192.168.2.254'
|
|
||||||
|
|
||||||
set service dhcp-server shared-network-name GUEST subnet 192.168.2.0/24 static-mapping manyie-work-laptop ip-address '192.168.2.11'
|
|
||||||
set service dhcp-server shared-network-name GUEST subnet 192.168.2.0/24 static-mapping manyie-work-laptop mac-address '14:f6:d8:32:46:41'
|
|
||||||
|
|
||||||
# IoT VLAN
|
|
||||||
set service dhcp-server shared-network-name IOT authoritative
|
|
||||||
set service dhcp-server shared-network-name IOT ping-check
|
|
||||||
set service dhcp-server shared-network-name IOT subnet 10.1.3.0/24 default-router '10.1.3.1'
|
|
||||||
set service dhcp-server shared-network-name IOT subnet 10.1.3.0/24 domain-name 'jahanson.tech'
|
|
||||||
set service dhcp-server shared-network-name IOT subnet 10.1.3.0/24 lease '86400'
|
|
||||||
set service dhcp-server shared-network-name IOT subnet 10.1.3.0/24 name-server '10.5.0.4'
|
|
||||||
set service dhcp-server shared-network-name IOT subnet 10.1.3.0/24 range 0 start '10.1.3.200'
|
|
||||||
set service dhcp-server shared-network-name IOT subnet 10.1.3.0/24 range 0 stop '10.1.3.254'
|
|
||||||
|
|
||||||
set service dhcp-server shared-network-name IOT subnet 10.1.3.0/24 static-mapping kitchen-oven ip-address '10.1.3.12'
|
|
||||||
set service dhcp-server shared-network-name IOT subnet 10.1.3.0/24 static-mapping kitchen-oven mac-address '88:e7:12:2a:63:ca'
|
|
||||||
set service dhcp-server shared-network-name IOT subnet 10.1.3.0/24 static-mapping livingroom-vacuum ip-address '10.1.3.18'
|
|
||||||
set service dhcp-server shared-network-name IOT subnet 10.1.3.0/24 static-mapping livingroom-vacuum mac-address '50:14:79:08:db:08'
|
|
||||||
|
|
||||||
set service dhcp-server shared-network-name IOT subnet 10.1.3.0/24 static-mapping switchbot-plug-mini-1 ip-address '10.1.3.33'
|
|
||||||
set service dhcp-server shared-network-name IOT subnet 10.1.3.0/24 static-mapping switchbot-plug-mini-1 mac-address 'A0:76:4E:21:DE:D0'
|
|
||||||
set service dhcp-server shared-network-name IOT subnet 10.1.3.0/24 static-mapping switchbot-plug-mini-2 ip-address '10.1.3.34'
|
|
||||||
set service dhcp-server shared-network-name IOT subnet 10.1.3.0/24 static-mapping switchbot-plug-mini-2 mac-address '34:85:18:0E:C7:CC'
|
|
||||||
set service dhcp-server shared-network-name IOT subnet 10.1.3.0/24 static-mapping switchbot-plug-mini-3 ip-address '10.1.3.35'
|
|
||||||
set service dhcp-server shared-network-name IOT subnet 10.1.3.0/24 static-mapping switchbot-plug-mini-3 mac-address '68:B6:B3:B3:EF:6C'
|
|
||||||
set service dhcp-server shared-network-name IOT subnet 10.1.3.0/24 static-mapping switchbot-plug-mini-4 ip-address '10.1.3.36'
|
|
||||||
set service dhcp-server shared-network-name IOT subnet 10.1.3.0/24 static-mapping switchbot-plug-mini-4 mac-address 'A0:76:4E:1F:D7:84'
|
|
||||||
|
|
||||||
set service dhcp-server shared-network-name IOT subnet 10.1.3.0/24 static-mapping office-sonos-beam ip-address '10.1.3.71'
|
|
||||||
set service dhcp-server shared-network-name IOT subnet 10.1.3.0/24 static-mapping office-sonos-beam mac-address '54:2a:1b:8e:e0:3b'
|
|
||||||
set service dhcp-server shared-network-name IOT subnet 10.1.3.0/24 static-mapping sonos-2 ip-address '10.1.3.72'
|
|
||||||
set service dhcp-server shared-network-name IOT subnet 10.1.3.0/24 static-mapping sonos-2 mac-address '48:a6:b8:fa:62:0e'
|
|
||||||
set service dhcp-server shared-network-name IOT subnet 10.1.3.0/24 static-mapping sonos-3 ip-address '10.1.3.73'
|
|
||||||
set service dhcp-server shared-network-name IOT subnet 10.1.3.0/24 static-mapping sonos-3 mac-address '48:a6:b8:fa:64:a6'
|
|
||||||
set service dhcp-server shared-network-name IOT subnet 10.1.3.0/24 static-mapping sonos-4 ip-address '10.1.3.74'
|
|
||||||
set service dhcp-server shared-network-name IOT subnet 10.1.3.0/24 static-mapping sonos-4 mac-address '48:a6:b8:48:a8:e5'
|
|
||||||
|
|
||||||
# LAN
|
# LAN
|
||||||
set service dhcp-server shared-network-name LAN authoritative
|
set service dhcp-server shared-network-name LAN authoritative
|
||||||
set service dhcp-server shared-network-name LAN ping-check
|
set service dhcp-server shared-network-name LAN ping-check
|
||||||
|
@ -82,7 +37,13 @@ set service dhcp-server shared-network-name SERVERS subnet 10.1.1.0/24 name-serv
|
||||||
set service dhcp-server shared-network-name SERVERS subnet 10.1.1.0/24 range 0 start '10.1.1.200'
|
set service dhcp-server shared-network-name SERVERS subnet 10.1.1.0/24 range 0 start '10.1.1.200'
|
||||||
set service dhcp-server shared-network-name SERVERS subnet 10.1.1.0/24 range 0 stop '10.1.1.254'
|
set service dhcp-server shared-network-name SERVERS subnet 10.1.1.0/24 range 0 stop '10.1.1.254'
|
||||||
|
|
||||||
# Need to add all of the macs for the servers.
|
# NAS
|
||||||
|
set service dhcp-server shared-network-name SERVERS subnet 10.1.1.0/24 static-mapping elessar ip-address '10.1.1.11'
|
||||||
|
set service dhcp-server shared-network-name SERVERS subnet 10.1.1.0/24 static-mapping elessar mac-address '00:11:32:87:f6:1d'
|
||||||
|
set service dhcp-server shared-network-name SERVERS subnet 10.1.1.0/24 static-mapping sting ip-address '10.1.1.12'
|
||||||
|
set service dhcp-server shared-network-name SERVERS subnet 10.1.1.0/24 static-mapping sting mac-address 'a8:a1:59:4a:d1:b3'
|
||||||
|
|
||||||
|
# k8s prod workers
|
||||||
set service dhcp-server shared-network-name SERVERS subnet 10.1.1.0/24 static-mapping nenya ip-address '10.1.1.41'
|
set service dhcp-server shared-network-name SERVERS subnet 10.1.1.0/24 static-mapping nenya ip-address '10.1.1.41'
|
||||||
set service dhcp-server shared-network-name SERVERS subnet 10.1.1.0/24 static-mapping nenya mac-address 'c8:1f:66:10:4d:b9'
|
set service dhcp-server shared-network-name SERVERS subnet 10.1.1.0/24 static-mapping nenya mac-address 'c8:1f:66:10:4d:b9'
|
||||||
set service dhcp-server shared-network-name SERVERS subnet 10.1.1.0/24 static-mapping vilya ip-address '10.1.1.42'
|
set service dhcp-server shared-network-name SERVERS subnet 10.1.1.0/24 static-mapping vilya ip-address '10.1.1.42'
|
||||||
|
@ -96,18 +57,19 @@ set service dhcp-server shared-network-name SERVERS subnet 10.1.1.0/24 static-ma
|
||||||
set service dhcp-server shared-network-name SERVERS subnet 10.1.1.0/24 static-mapping thrain ip-address '10.1.1.46'
|
set service dhcp-server shared-network-name SERVERS subnet 10.1.1.0/24 static-mapping thrain ip-address '10.1.1.46'
|
||||||
set service dhcp-server shared-network-name SERVERS subnet 10.1.1.0/24 static-mapping thrain mac-address '98:90:96:B0:AD:EA'
|
set service dhcp-server shared-network-name SERVERS subnet 10.1.1.0/24 static-mapping thrain mac-address '98:90:96:B0:AD:EA'
|
||||||
|
|
||||||
set service dhcp-server shared-network-name SERVERS subnet 10.1.1.0/24 static-mapping elessar ip-address '10.1.1.11'
|
# Nextcloud
|
||||||
set service dhcp-server shared-network-name SERVERS subnet 10.1.1.0/24 static-mapping elessar mac-address '00:11:32:87:f6:1d'
|
|
||||||
set service dhcp-server shared-network-name SERVERS subnet 10.1.1.0/24 static-mapping sting ip-address '10.1.1.12'
|
|
||||||
set service dhcp-server shared-network-name SERVERS subnet 10.1.1.0/24 static-mapping sting mac-address 'a8:a1:59:4a:d1:b3'
|
|
||||||
|
|
||||||
set service dhcp-server shared-network-name SERVERS subnet 10.1.1.0/24 static-mapping nextcloud ip-address '10.1.1.51'
|
set service dhcp-server shared-network-name SERVERS subnet 10.1.1.0/24 static-mapping nextcloud ip-address '10.1.1.51'
|
||||||
set service dhcp-server shared-network-name SERVERS subnet 10.1.1.0/24 static-mapping nextcloud mac-address '96:C6:B7:2A:5C:2A'
|
set service dhcp-server shared-network-name SERVERS subnet 10.1.1.0/24 static-mapping nextcloud mac-address '96:C6:B7:2A:5C:2A'
|
||||||
|
|
||||||
|
# Raspberry Pis
|
||||||
set service dhcp-server shared-network-name SERVERS subnet 10.1.1.0/24 static-mapping frodo ip-address '10.1.1.52'
|
set service dhcp-server shared-network-name SERVERS subnet 10.1.1.0/24 static-mapping frodo ip-address '10.1.1.52'
|
||||||
set service dhcp-server shared-network-name SERVERS subnet 10.1.1.0/24 static-mapping frodo mac-address 'dc:a6:32:09:76:4c'
|
set service dhcp-server shared-network-name SERVERS subnet 10.1.1.0/24 static-mapping frodo mac-address 'dc:a6:32:09:76:4c'
|
||||||
|
|
||||||
|
# VMs
|
||||||
set service dhcp-server shared-network-name SERVERS subnet 10.1.1.0/24 static-mapping tulkas ip-address '10.1.1.53'
|
set service dhcp-server shared-network-name SERVERS subnet 10.1.1.0/24 static-mapping tulkas ip-address '10.1.1.53'
|
||||||
set service dhcp-server shared-network-name SERVERS subnet 10.1.1.0/24 static-mapping tulkas mac-address '26:82:2F:16:7A:36'
|
set service dhcp-server shared-network-name SERVERS subnet 10.1.1.0/24 static-mapping tulkas mac-address '26:82:2F:16:7A:36'
|
||||||
|
|
||||||
|
# k8s prod masters
|
||||||
set service dhcp-server shared-network-name SERVERS subnet 10.1.1.0/24 static-mapping galadriel ip-address '10.1.1.61'
|
set service dhcp-server shared-network-name SERVERS subnet 10.1.1.0/24 static-mapping galadriel ip-address '10.1.1.61'
|
||||||
set service dhcp-server shared-network-name SERVERS subnet 10.1.1.0/24 static-mapping galadriel mac-address '34:17:EB:D9:AB:D2'
|
set service dhcp-server shared-network-name SERVERS subnet 10.1.1.0/24 static-mapping galadriel mac-address '34:17:EB:D9:AB:D2'
|
||||||
set service dhcp-server shared-network-name SERVERS subnet 10.1.1.0/24 static-mapping elrond ip-address '10.1.1.62'
|
set service dhcp-server shared-network-name SERVERS subnet 10.1.1.0/24 static-mapping elrond ip-address '10.1.1.62'
|
||||||
|
@ -132,16 +94,38 @@ set service dhcp-server shared-network-name TRUSTED subnet 10.1.2.0/24 static-ma
|
||||||
set service dhcp-server shared-network-name TRUSTED subnet 10.1.2.0/24 static-mapping legiondary ip-address '10.1.2.21'
|
set service dhcp-server shared-network-name TRUSTED subnet 10.1.2.0/24 static-mapping legiondary ip-address '10.1.2.21'
|
||||||
set service dhcp-server shared-network-name TRUSTED subnet 10.1.2.0/24 static-mapping legiondary mac-address '54:05:db:b1:95:ff'
|
set service dhcp-server shared-network-name TRUSTED subnet 10.1.2.0/24 static-mapping legiondary mac-address '54:05:db:b1:95:ff'
|
||||||
|
|
||||||
set service dhcp-server shared-network-name TRUSTED subnet 10.1.2.0/24 static-mapping eva-ipad ip-address '10.1.2.35'
|
# IoT VLAN
|
||||||
set service dhcp-server shared-network-name TRUSTED subnet 10.1.2.0/24 static-mapping eva-ipad mac-address 'aa:ab:96:ce:f8:03'
|
set service dhcp-server shared-network-name IOT authoritative
|
||||||
set service dhcp-server shared-network-name TRUSTED subnet 10.1.2.0/24 static-mapping kitchen-ipad ip-address '10.1.2.36'
|
set service dhcp-server shared-network-name IOT ping-check
|
||||||
set service dhcp-server shared-network-name TRUSTED subnet 10.1.2.0/24 static-mapping kitchen-ipad mac-address '34:e2:fd:ac:7c:fa'
|
set service dhcp-server shared-network-name IOT subnet 10.1.3.0/24 default-router '10.1.3.1'
|
||||||
set service dhcp-server shared-network-name TRUSTED subnet 10.1.2.0/24 static-mapping manyie-ipad ip-address '10.1.2.34'
|
set service dhcp-server shared-network-name IOT subnet 10.1.3.0/24 domain-name 'jahanson.tech'
|
||||||
set service dhcp-server shared-network-name TRUSTED subnet 10.1.2.0/24 static-mapping manyie-ipad mac-address '94:bf:2d:f0:3f:c3'
|
set service dhcp-server shared-network-name IOT subnet 10.1.3.0/24 lease '86400'
|
||||||
set service dhcp-server shared-network-name TRUSTED subnet 10.1.2.0/24 static-mapping manyie-iphone ip-address '10.1.2.33'
|
set service dhcp-server shared-network-name IOT subnet 10.1.3.0/24 name-server '10.5.0.4'
|
||||||
set service dhcp-server shared-network-name TRUSTED subnet 10.1.2.0/24 static-mapping manyie-iphone mac-address '8c:98:6b:a9:18:cb'
|
set service dhcp-server shared-network-name IOT subnet 10.1.3.0/24 range 0 start '10.1.3.200'
|
||||||
set service dhcp-server shared-network-name TRUSTED subnet 10.1.2.0/24 static-mapping manyie-macbook ip-address '10.1.2.22'
|
set service dhcp-server shared-network-name IOT subnet 10.1.3.0/24 range 0 stop '10.1.3.254'
|
||||||
set service dhcp-server shared-network-name TRUSTED subnet 10.1.2.0/24 static-mapping manyie-macbook mac-address '8c:85:90:18:42:38'
|
|
||||||
|
set service dhcp-server shared-network-name IOT subnet 10.1.3.0/24 static-mapping kitchen-oven ip-address '10.1.3.12'
|
||||||
|
set service dhcp-server shared-network-name IOT subnet 10.1.3.0/24 static-mapping kitchen-oven mac-address '88:e7:12:2a:63:ca'
|
||||||
|
set service dhcp-server shared-network-name IOT subnet 10.1.3.0/24 static-mapping livingroom-vacuum ip-address '10.1.3.18'
|
||||||
|
set service dhcp-server shared-network-name IOT subnet 10.1.3.0/24 static-mapping livingroom-vacuum mac-address '50:14:79:08:db:08'
|
||||||
|
|
||||||
|
set service dhcp-server shared-network-name IOT subnet 10.1.3.0/24 static-mapping switchbot-plug-mini-1 ip-address '10.1.3.33'
|
||||||
|
set service dhcp-server shared-network-name IOT subnet 10.1.3.0/24 static-mapping switchbot-plug-mini-1 mac-address 'A0:76:4E:21:DE:D0'
|
||||||
|
set service dhcp-server shared-network-name IOT subnet 10.1.3.0/24 static-mapping switchbot-plug-mini-2 ip-address '10.1.3.34'
|
||||||
|
set service dhcp-server shared-network-name IOT subnet 10.1.3.0/24 static-mapping switchbot-plug-mini-2 mac-address '34:85:18:0E:C7:CC'
|
||||||
|
set service dhcp-server shared-network-name IOT subnet 10.1.3.0/24 static-mapping switchbot-plug-mini-3 ip-address '10.1.3.35'
|
||||||
|
set service dhcp-server shared-network-name IOT subnet 10.1.3.0/24 static-mapping switchbot-plug-mini-3 mac-address '68:B6:B3:B3:EF:6C'
|
||||||
|
set service dhcp-server shared-network-name IOT subnet 10.1.3.0/24 static-mapping switchbot-plug-mini-4 ip-address '10.1.3.36'
|
||||||
|
set service dhcp-server shared-network-name IOT subnet 10.1.3.0/24 static-mapping switchbot-plug-mini-4 mac-address 'A0:76:4E:1F:D7:84'
|
||||||
|
|
||||||
|
set service dhcp-server shared-network-name IOT subnet 10.1.3.0/24 static-mapping office-sonos-beam ip-address '10.1.3.71'
|
||||||
|
set service dhcp-server shared-network-name IOT subnet 10.1.3.0/24 static-mapping office-sonos-beam mac-address '54:2a:1b:8e:e0:3b'
|
||||||
|
set service dhcp-server shared-network-name IOT subnet 10.1.3.0/24 static-mapping sonos-2 ip-address '10.1.3.72'
|
||||||
|
set service dhcp-server shared-network-name IOT subnet 10.1.3.0/24 static-mapping sonos-2 mac-address '48:a6:b8:fa:62:0e'
|
||||||
|
set service dhcp-server shared-network-name IOT subnet 10.1.3.0/24 static-mapping sonos-3 ip-address '10.1.3.73'
|
||||||
|
set service dhcp-server shared-network-name IOT subnet 10.1.3.0/24 static-mapping sonos-3 mac-address '48:a6:b8:fa:64:a6'
|
||||||
|
set service dhcp-server shared-network-name IOT subnet 10.1.3.0/24 static-mapping sonos-4 ip-address '10.1.3.74'
|
||||||
|
set service dhcp-server shared-network-name IOT subnet 10.1.3.0/24 static-mapping sonos-4 mac-address '48:a6:b8:48:a8:e5'
|
||||||
|
|
||||||
# Video VLAN
|
# Video VLAN
|
||||||
set service dhcp-server shared-network-name VIDEO authoritative
|
set service dhcp-server shared-network-name VIDEO authoritative
|
||||||
|
@ -149,7 +133,7 @@ set service dhcp-server shared-network-name VIDEO ping-check
|
||||||
set service dhcp-server shared-network-name VIDEO subnet 10.1.4.0/24 default-router '10.1.4.1'
|
set service dhcp-server shared-network-name VIDEO subnet 10.1.4.0/24 default-router '10.1.4.1'
|
||||||
set service dhcp-server shared-network-name VIDEO subnet 10.1.4.0/24 domain-name 'jahanson.tech'
|
set service dhcp-server shared-network-name VIDEO subnet 10.1.4.0/24 domain-name 'jahanson.tech'
|
||||||
set service dhcp-server shared-network-name VIDEO subnet 10.1.4.0/24 lease '86400'
|
set service dhcp-server shared-network-name VIDEO subnet 10.1.4.0/24 lease '86400'
|
||||||
set service dhcp-server shared-network-name VIDEO subnet 10.1.4.0/24 name-server '10.5.0.4'
|
set service dhcp-server shared-network-name VIDEO subnet 10.1.4.0/24 name-server '10.1.4.1'
|
||||||
set service dhcp-server shared-network-name VIDEO subnet 10.1.4.0/24 range 0 start '10.1.4.200'
|
set service dhcp-server shared-network-name VIDEO subnet 10.1.4.0/24 range 0 start '10.1.4.200'
|
||||||
set service dhcp-server shared-network-name VIDEO subnet 10.1.4.0/24 range 0 stop '10.1.4.254'
|
set service dhcp-server shared-network-name VIDEO subnet 10.1.4.0/24 range 0 stop '10.1.4.254'
|
||||||
|
|
||||||
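Review bot: The VIDEO subnet's `name-server` changes from `'10.5.0.4'` to `'10.1.4.1'` in the last hunk of this section, while the IoT subnet in the same section keeps `'10.5.0.4'`, and nothing in the commit shows a resolver listening on 10.1.4.1 or a rule permitting DNS to it. If the router does run a local forwarder on that interface, state the intent above the line, e.g. `# VIDEO resolves via the router's local forwarder, not the shared resolver 10.5.0.4`; if it does not, devices on that VLAN will lose name resolution after commit. The first hunk also drops the whole GUEST shared-network (192.168.2.0/24) with no replacement, so if a guest VLAN interface still exists its clients will get no lease — presumably intended, but worth confirming against the interface and firewall configuration.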
@ -15,9 +15,11 @@ set system name-server '1.1.1.1'
|
||||||
set system sysctl parameter kernel.pty.max value '24000'
|
set system sysctl parameter kernel.pty.max value '24000'
|
||||||
|
|
||||||
# Sent to vector syslog server
|
# Sent to vector syslog server
|
||||||
|
set system syslog global facility all level info
|
||||||
set system syslog host 10.45.0.2 facility kern level 'warning'
|
set system syslog host 10.45.0.2 facility kern level 'warning'
|
||||||
set system syslog host 10.45.0.2 protocol 'tcp'
|
set system syslog host 10.45.0.2 protocol 'tcp'
|
||||||
set system syslog host 10.45.0.2 port '6001'
|
set system syslog host 10.45.0.2 port '6001'
|
||||||
|
set system syslog host 10.45.0.2 format 'octet-counted'
|
||||||
|
|
||||||
# Custom backup
|
# Custom backup
|
||||||
set system task-scheduler task backup-config crontab-spec '30 0 * * *'
|
set system task-scheduler task backup-config crontab-spec '30 0 * * *'
|
||||||
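Review bot: The added `set system syslog global facility all level info` only changes what is logged locally; the remote host 10.45.0.2 still receives just `facility kern level 'warning'`, so authentication and configuration-commit events never reach the collector where they matter most for detection. Consider `set system syslog host 10.45.0.2 facility all level 'info'` (or at minimum `facility authpriv level 'info'`) next to the existing kern line. The transport remains plain TCP, so these logs travel in cleartext to 10.45.0.2; that is acceptable on an isolated segment, but the assumption deserves a comment such as `# plain TCP to vector; collector reachable only from the router's own segment — TODO confirm`.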
9
containers/dnsdist/.gitignore
vendored
|
@ -1,9 +0,0 @@
|
||||||
# Ignore everything
|
|
||||||
/*
|
|
||||||
|
|
||||||
# Track certain files and directories
|
|
||||||
!.gitignore
|
|
||||||
|
|
||||||
!/config/
|
|
||||||
/config/*
|
|
||||||
!/config/dnsdist.conf
|
@ -1,93 +0,0 @@
|
||||||
-- udp/tcp dns listening
|
|
||||||
setLocal("0.0.0.0:53", {})
|
|
||||||
|
|
||||||
-- Local Bind
|
|
||||||
newServer({
|
|
||||||
address = "10.5.0.3",
|
|
||||||
pool = "bind",
|
|
||||||
checkName = "gateway.jahanson.tech"
|
|
||||||
})
|
|
||||||
|
|
||||||
-- NextDNS - Servers
|
|
||||||
newServer({
|
|
||||||
address = "188.172.251.1:443",
|
|
||||||
tls = "openssl",
|
|
||||||
subjectName = "8d3cd7.dns.nextdns.io",
|
|
||||||
dohPath = "/8d3cd7",
|
|
||||||
validateCertificates = true,
|
|
||||||
checkInterval = 10,
|
|
||||||
checkTimeout = 2000,
|
|
||||||
pool = "nextdns_servers"
|
|
||||||
})
|
|
||||||
|
|
||||||
-- NextDNS - Trusted
|
|
||||||
newServer({
|
|
||||||
address = "188.172.251.1:443",
|
|
||||||
tls = "openssl",
|
|
||||||
subjectName = "d79ecb.dns.nextdns.io",
|
|
||||||
dohPath = "/d79ecb",
|
|
||||||
validateCertificates = true,
|
|
||||||
checkInterval = 10,
|
|
||||||
checkTimeout = 2000,
|
|
||||||
pool = "nextdns_trusted"
|
|
||||||
})
|
|
||||||
|
|
||||||
-- NextDNS - IoT
|
|
||||||
newServer({
|
|
||||||
address = "188.172.251.1:443",
|
|
||||||
tls = "openssl",
|
|
||||||
subjectName = "e29a3c.dns.nextdns.io",
|
|
||||||
dohPath = "/e29a3c",
|
|
||||||
validateCertificates = true,
|
|
||||||
checkInterval = 10,
|
|
||||||
checkTimeout = 2000,
|
|
||||||
pool = "nextdns_iot"
|
|
||||||
})
|
|
||||||
|
|
||||||
-- CloudFlare DNS over TLS
|
|
||||||
newServer({
|
|
||||||
address = "1.1.1.1:853",
|
|
||||||
tls = "openssl",
|
|
||||||
subjectName = "cloudflare-dns.com",
|
|
||||||
validateCertificates = true,
|
|
||||||
checkInterval = 10,
|
|
||||||
checkTimeout = 2000,
|
|
||||||
pool = "cloudflare"
|
|
||||||
})
|
|
||||||
newServer({
|
|
||||||
address = "1.0.0.1:853",
|
|
||||||
tls = "openssl",
|
|
||||||
subjectName = "cloudflare-dns.com",
|
|
||||||
validateCertificates = true,
|
|
||||||
checkInterval = 10,
|
|
||||||
checkTimeout = 2000,
|
|
||||||
pool = "cloudflare"
|
|
||||||
})
|
|
||||||
|
|
||||||
-- Enable caching
|
|
||||||
pc = newPacketCache(10000, {
|
|
||||||
maxTTL = 86400,
|
|
||||||
minTTL = 0,
|
|
||||||
temporaryFailureTTL = 60,
|
|
||||||
staleTTL = 60,
|
|
||||||
dontAge = false
|
|
||||||
})
|
|
||||||
getPool(""):setCache(pc)
|
|
||||||
|
|
||||||
-- Request logging, uncomment to log DNS requests/responses to stdout
|
|
||||||
-- addAction(AllRule(), LogAction("", false, false, true, false, false))
|
|
||||||
-- addResponseAction(AllRule(), LogResponseAction("", false, true, false, false))
|
|
||||||
|
|
||||||
-- Routing rules
|
|
||||||
addAction("192.168.2.0/24", PoolAction("cloudflare")) -- guest vlan
|
|
||||||
addAction("192.168.2.0/24", DropAction()) -- stop processing
|
|
||||||
addAction('unifi', PoolAction('bind'))
|
|
||||||
addAction('hsn.dev', PoolAction('bind'))
|
|
||||||
addAction('jahanson.tech', PoolAction('bind'))
|
|
||||||
addAction('1.10.in-addr.arpa', PoolAction('bind'))
|
|
||||||
|
|
||||||
addAction("10.1.0.0/24", PoolAction("nextdns_servers")) -- lan
|
|
||||||
addAction("10.1.1.0/24", PoolAction("nextdns_servers")) -- servers vlan
|
|
||||||
addAction("10.1.2.0/24", PoolAction("nextdns_trusted")) -- trusted vlan
|
|
||||||
addAction("10.1.3.0/24", PoolAction("nextdns_iot")) -- iot vlan
|
|
||||||
addAction("10.0.11.0/24", PoolAction("nextdns_trusted")) -- wg_trusted vlan
|
|