Relevant parts of an Ansible playbook that sets up a ZBF (zone-based firewall) in VyOS. The variables file is a mess. Gist file names cannot contain slashes, so the dashes in the file names stand for slashes.
---
# tasks file for the firewall role.
# Order matters: global ICMP/state handling first, then the templated
# address-groups, zones and the per-direction zone rulesets.

- name: Allow all local ICMP
  # all-ping governs whether the router itself answers echo requests.
  vyos.vyos.vyos_config:
    lines:
      - set firewall all-ping enable
  tags:
    - firewall

- name: Allow stateful traffic
  # Global state policy for established/related flows.
  vyos.vyos.vyos_config:
    lines:
      - set firewall state-policy established action accept
      - set firewall state-policy related action accept
  tags:
    - firewall

- name: Define Addresses
  # Address-groups rendered from fw_addresses (addressbook.j2).
  vyos.vyos.vyos_config:
    src: addressbook.j2
  when:
    - fw_addresses is defined
  tags:
    - firewall

- name: Define zones
  # Zone membership rendered from zones (zones.j2, not part of this gist).
  vyos.vyos.vyos_config:
    src: zones.j2
  when:
    - zones is defined
  tags:
    - firewall
    - zone-def

- name: Define Zone Policies - IPv4
  # One `firewall name` ruleset per src->dest zone pair (policy_v4.j2).
  vyos.vyos.vyos_config:
    src: policy_v4.j2
  when:
    - zones is defined
  tags:
    - firewall
    - zone-policies

- name: Define Zone Policies - IPv6
  # Same pairs as IPv6 `firewall ipv6-name` rulesets (policy_v6.j2).
  vyos.vyos.vyos_config:
    src: policy_v6.j2
  when:
    - zones is defined
  tags:
    - firewall
    - zone-policies-ipv6
    - zone-policies
{# Build VyOS address-groups from `fw_addresses`.
   An entry may carry `groups` (list of group names) plus an `ip` and/or an
   `ipv6` member address; entries without `groups` produce nothing. #}
{% for address in fw_addresses %}
{% if address.groups is defined %}
{% for group in address.groups %}
{% if address.ip is defined %}
set firewall group address-group {{ group }} address {{ address.ip }}
{% endif %}
{% if address.ipv6 is defined %}
set firewall group ipv6-address-group {{ group }} address {{ address.ipv6 }}
{% endif %}
{% endfor %}
{% endif %}
{% endfor %}
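{# Render the IPv4 zone-policy bindings and one `firewall name` ruleset per
   (source zone -> destination zone) pair from `zones`.

   Per zone:   name, policies[], optional default_action, optional
               skip_default_rules (its presence alone disables the built-in
               rules 10/20/30 and the local-services rules).
   Per policy: dest, optional default_action, optional rules[] (shared with
               the IPv6 template) and rules_ipv4[] (IPv4 only). #}
{% for zone in zones %}
{% if zone['policies'] is defined %}
{% for policy in zone['policies'] %}
{% if zone['name'] != policy['dest'] %}
{# Ruleset name reused by every line below, e.g. clients-wan. #}
{% set ruleset = zone['name'] ~ '-' ~ policy['dest'] %}
{# Interfaces are defined elsewhere. This binds the named ruleset to the
   zone pair so rules can be applied per direction. #}
set zone-policy zone {{ policy['dest'] }} from {{ zone['name'] }} firewall name {{ ruleset }}
{# Default inter-zone action. The vars file appears to carry default_action
   on the policy entry (between `dest` and `rules`), while this template only
   read the zone-level key; honour both, policy first. When neither is set no
   default-action line is emitted and VyOS applies its own ruleset default. #}
{% set default_action = policy['default_action'] | default(zone['default_action']) %}
{% if default_action is defined %}
set firewall name {{ ruleset }} default-action {{ default_action }}
{% endif %}
{# Built-in rules unless the zone opts out with skip_default_rules. #}
{% if zone['skip_default_rules'] is undefined %}
{# rule 10: accept established/related flows #}
set firewall name {{ ruleset }} rule 10 state established enable
set firewall name {{ ruleset }} rule 10 state related enable
set firewall name {{ ruleset }} rule 10 action accept
{# rule 20: drop and log invalid-state packets #}
set firewall name {{ ruleset }} rule 20 state invalid enable
set firewall name {{ ruleset }} rule 20 action drop
set firewall name {{ ruleset }} rule 20 log enable
{# rule 30: ICMP is accepted from every non-WAN zone; from WAN only towards
   local. Same output as the former nested if/else, written once. #}
{% if zone['name'] != "wan" or policy['dest'] == "local" %}
set firewall name {{ ruleset }} rule 30 protocol icmp
set firewall name {{ ruleset }} rule 30 description 'allow icmp'
set firewall name {{ ruleset }} rule 30 action accept
{% endif %}
{% endif %}
{# Services offered by the router itself when the destination zone is local. #}
{% if policy['dest'] == "local" %}
{# rule 1020: SSH to the router.
   NOTE(review): unlike the DNS/DHCP block below this is not gated on the
   source zone, so it also applies to wan->local; add `zone['name'] != "wan"`
   around it if WAN-side management access is not intended. #}
set firewall name {{ ruleset }} rule 1020 destination port 22
set firewall name {{ ruleset }} rule 1020 protocol tcp
set firewall name {{ ruleset }} rule 1020 action accept
set firewall name {{ ruleset }} rule 1020 state new enable
set firewall name {{ ruleset }} rule 1020 description 'Allow SSH from {{ zone['name'] }}'
{# DNS/DHCP only for internal zones, never from WAN. #}
{% if zone['name'] != "wan" %}
{# rule 1010: DNS #}
set firewall name {{ ruleset }} rule 1010 destination port 53
set firewall name {{ ruleset }} rule 1010 protocol tcp_udp
set firewall name {{ ruleset }} rule 1010 action accept
set firewall name {{ ruleset }} rule 1010 state new enable
set firewall name {{ ruleset }} rule 1010 description 'Allow DNS queries from {{ zone['name'] }}'
{# rule 1011: DHCP #}
set firewall name {{ ruleset }} rule 1011 destination port '67,68'
set firewall name {{ ruleset }} rule 1011 protocol tcp_udp
set firewall name {{ ruleset }} rule 1011 action accept
set firewall name {{ ruleset }} rule 1011 state new enable
set firewall name {{ ruleset }} rule 1011 description 'Allow DHCP queries from {{ zone['name'] }}'
{% endif %}
{% endif %}
{# Custom rules: each entry is the tail of a `set firewall name` command and
   must begin with this ruleset's name. IPv4-only rules first, then the
   shared `rules` list, in the same order as before. #}
{% for rule in (policy['rules_ipv4'] | default([])) + (policy['rules'] | default([])) %}
set firewall name {{ rule }}
{% endfor %}
{% endif %}
{% endfor %}
{% endif %}
{% endfor %}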
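{# Render the IPv6 zone-policy bindings and one `firewall ipv6-name` ruleset
   per (source zone -> destination zone) pair from `zones`. Mirrors
   policy_v4.j2; ruleset names carry a `-v6` suffix.

   Per zone:   name, policies[], optional default_action, optional
               skip_default_rules (its presence alone disables the built-in
               rules 10/20/30 and the local-services rules).
   Per policy: dest, optional default_action, optional rules[] (shared with
               the IPv4 template) and rules_ipv6[] (IPv6 only). #}
{% for zone in zones %}
{% if zone['policies'] is defined %}
{% for policy in zone['policies'] %}
{% if zone['name'] != policy['dest'] %}
{# Ruleset name reused by every line below, e.g. clients-wan-v6. #}
{% set ruleset = zone['name'] ~ '-' ~ policy['dest'] ~ '-v6' %}
{# Interfaces are defined elsewhere. This binds the named ruleset to the
   zone pair so rules can be applied per direction. #}
set zone-policy zone {{ policy['dest'] }} from {{ zone['name'] }} firewall ipv6-name {{ ruleset }}
{# Default inter-zone action. The vars file appears to carry default_action
   on the policy entry (between `dest` and `rules`), while this template only
   read the zone-level key; honour both, policy first. When neither is set no
   default-action line is emitted and VyOS applies its own ruleset default. #}
{% set default_action = policy['default_action'] | default(zone['default_action']) %}
{% if default_action is defined %}
set firewall ipv6-name {{ ruleset }} default-action {{ default_action }}
{% endif %}
{# Built-in rules unless the zone opts out with skip_default_rules. #}
{% if zone['skip_default_rules'] is undefined %}
{# rule 10: accept established/related flows #}
set firewall ipv6-name {{ ruleset }} rule 10 state established enable
set firewall ipv6-name {{ ruleset }} rule 10 state related enable
set firewall ipv6-name {{ ruleset }} rule 10 action accept
{# rule 20: drop and log invalid-state packets #}
set firewall ipv6-name {{ ruleset }} rule 20 state invalid enable
set firewall ipv6-name {{ ruleset }} rule 20 action drop
set firewall ipv6-name {{ ruleset }} rule 20 log enable
{# rule 30: ICMPv6 from every non-WAN zone; from WAN only towards local.
   The rule previously matched `protocol icmp` (IPv4 ICMP, protocol 1),
   which never occurs in IPv6 traffic, so it could not match and ICMPv6 fell
   through to the default action. `ipv6-icmp` is the /etc/protocols name
   for protocol 58. #}
{% if zone['name'] != "wan" or policy['dest'] == "local" %}
set firewall ipv6-name {{ ruleset }} rule 30 protocol ipv6-icmp
set firewall ipv6-name {{ ruleset }} rule 30 description 'allow icmp'
set firewall ipv6-name {{ ruleset }} rule 30 action accept
{% endif %}
{% endif %}
{# Services offered by the router itself when the destination zone is local. #}
{% if policy['dest'] == "local" %}
{# rule 1020: SSH to the router.
   NOTE(review): unlike the DNS/DHCP block below this is not gated on the
   source zone, so it also applies to wan->local; add `zone['name'] != "wan"`
   around it if WAN-side management access is not intended. #}
set firewall ipv6-name {{ ruleset }} rule 1020 destination port 22
set firewall ipv6-name {{ ruleset }} rule 1020 protocol tcp
set firewall ipv6-name {{ ruleset }} rule 1020 action accept
set firewall ipv6-name {{ ruleset }} rule 1020 state new enable
set firewall ipv6-name {{ ruleset }} rule 1020 description 'Allow SSH from {{ zone['name'] }}'
{# DNS/DHCP only for internal zones, never from WAN. #}
{% if zone['name'] != "wan" %}
{# rule 1010: DNS #}
set firewall ipv6-name {{ ruleset }} rule 1010 destination port 53
set firewall ipv6-name {{ ruleset }} rule 1010 protocol tcp_udp
set firewall ipv6-name {{ ruleset }} rule 1010 action accept
set firewall ipv6-name {{ ruleset }} rule 1010 state new enable
set firewall ipv6-name {{ ruleset }} rule 1010 description 'Allow DNS queries from {{ zone['name'] }}'
{# rule 1011: DHCP #}
set firewall ipv6-name {{ ruleset }} rule 1011 destination port '67,68'
set firewall ipv6-name {{ ruleset }} rule 1011 protocol tcp_udp
set firewall ipv6-name {{ ruleset }} rule 1011 action accept
set firewall ipv6-name {{ ruleset }} rule 1011 state new enable
set firewall ipv6-name {{ ruleset }} rule 1011 description 'Allow DHCP queries from {{ zone['name'] }}'
{% endif %}
{% endif %}
{# Custom rules: each entry starts with the IPv4 ruleset name (e.g.
   `clients-wan rule 1101 ...`); the first token gets the `-v6` suffix and
   the remainder is emitted unchanged (https://stackoverflow.com/a/39794185).
   Shared `rules` first, then rules_ipv6, in the same order as before. #}
{% for rule in (policy['rules'] | default([])) + (policy['rules_ipv6'] | default([])) %}
{% set parts = rule.split(" ") %}
set firewall ipv6-name {{ parts[0] }}-v6 {{ " ".join(parts[1:]) }}
{% endfor %}
{% endif %}
{% endfor %}
{% endif %}
{% endfor %}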
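{# Render the IPv6 zone-policy bindings and one `firewall ipv6-name` ruleset
   per (source zone -> destination zone) pair from `zones`. Mirrors
   policy_v4.j2; ruleset names carry a `-v6` suffix.

   Per zone:   name, policies[], optional default_action, optional
               skip_default_rules (its presence alone disables the built-in
               rules 10/20/30 and the local-services rules).
   Per policy: dest, optional default_action, optional rules[] (shared with
               the IPv4 template) and rules_ipv6[] (IPv6 only). #}
{% for zone in zones %}
{% if zone['policies'] is defined %}
{% for policy in zone['policies'] %}
{% if zone['name'] != policy['dest'] %}
{# Ruleset name reused by every line below, e.g. clients-wan-v6. #}
{% set ruleset = zone['name'] ~ '-' ~ policy['dest'] ~ '-v6' %}
{# Interfaces are defined elsewhere. This binds the named ruleset to the
   zone pair so rules can be applied per direction. #}
set zone-policy zone {{ policy['dest'] }} from {{ zone['name'] }} firewall ipv6-name {{ ruleset }}
{# Default inter-zone action. The vars file appears to carry default_action
   on the policy entry (between `dest` and `rules`), while this template only
   read the zone-level key; honour both, policy first. When neither is set no
   default-action line is emitted and VyOS applies its own ruleset default. #}
{% set default_action = policy['default_action'] | default(zone['default_action']) %}
{% if default_action is defined %}
set firewall ipv6-name {{ ruleset }} default-action {{ default_action }}
{% endif %}
{# Built-in rules unless the zone opts out with skip_default_rules. #}
{% if zone['skip_default_rules'] is undefined %}
{# rule 10: accept established/related flows #}
set firewall ipv6-name {{ ruleset }} rule 10 state established enable
set firewall ipv6-name {{ ruleset }} rule 10 state related enable
set firewall ipv6-name {{ ruleset }} rule 10 action accept
{# rule 20: drop and log invalid-state packets #}
set firewall ipv6-name {{ ruleset }} rule 20 state invalid enable
set firewall ipv6-name {{ ruleset }} rule 20 action drop
set firewall ipv6-name {{ ruleset }} rule 20 log enable
{# rule 30: ICMPv6 from every non-WAN zone; from WAN only towards local.
   The rule previously matched `protocol icmp` (IPv4 ICMP, protocol 1),
   which never occurs in IPv6 traffic, so it could not match and ICMPv6 fell
   through to the default action. `ipv6-icmp` is the /etc/protocols name
   for protocol 58. #}
{% if zone['name'] != "wan" or policy['dest'] == "local" %}
set firewall ipv6-name {{ ruleset }} rule 30 protocol ipv6-icmp
set firewall ipv6-name {{ ruleset }} rule 30 description 'allow icmp'
set firewall ipv6-name {{ ruleset }} rule 30 action accept
{% endif %}
{% endif %}
{# Services offered by the router itself when the destination zone is local. #}
{% if policy['dest'] == "local" %}
{# rule 1020: SSH to the router.
   NOTE(review): unlike the DNS/DHCP block below this is not gated on the
   source zone, so it also applies to wan->local; add `zone['name'] != "wan"`
   around it if WAN-side management access is not intended. #}
set firewall ipv6-name {{ ruleset }} rule 1020 destination port 22
set firewall ipv6-name {{ ruleset }} rule 1020 protocol tcp
set firewall ipv6-name {{ ruleset }} rule 1020 action accept
set firewall ipv6-name {{ ruleset }} rule 1020 state new enable
set firewall ipv6-name {{ ruleset }} rule 1020 description 'Allow SSH from {{ zone['name'] }}'
{# DNS/DHCP only for internal zones, never from WAN. #}
{% if zone['name'] != "wan" %}
{# rule 1010: DNS #}
set firewall ipv6-name {{ ruleset }} rule 1010 destination port 53
set firewall ipv6-name {{ ruleset }} rule 1010 protocol tcp_udp
set firewall ipv6-name {{ ruleset }} rule 1010 action accept
set firewall ipv6-name {{ ruleset }} rule 1010 state new enable
set firewall ipv6-name {{ ruleset }} rule 1010 description 'Allow DNS queries from {{ zone['name'] }}'
{# rule 1011: DHCP #}
set firewall ipv6-name {{ ruleset }} rule 1011 destination port '67,68'
set firewall ipv6-name {{ ruleset }} rule 1011 protocol tcp_udp
set firewall ipv6-name {{ ruleset }} rule 1011 action accept
set firewall ipv6-name {{ ruleset }} rule 1011 state new enable
set firewall ipv6-name {{ ruleset }} rule 1011 description 'Allow DHCP queries from {{ zone['name'] }}'
{% endif %}
{% endif %}
{# Custom rules: each entry starts with the IPv4 ruleset name (e.g.
   `clients-wan rule 1101 ...`); the first token gets the `-v6` suffix and
   the remainder is emitted unchanged (https://stackoverflow.com/a/39794185).
   Shared `rules` first, then rules_ipv6, in the same order as before. #}
{% for rule in (policy['rules'] | default([])) + (policy['rules_ipv6'] | default([])) %}
{% set parts = rule.split(" ") %}
set firewall ipv6-name {{ parts[0] }}-v6 {{ " ".join(parts[1:]) }}
{% endfor %}
{% endif %}
{% endfor %}
{% endif %}
{% endfor %}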
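---
# Variables for the VyOS playbook.
#   interfaces      -> interfaces tasks and nat.j2
#   dhcp_subnets    -> nat.j2 (source-NAT subnet list)
#   zones           -> zones.j2 / policy_v4.j2 / policy_v6.j2
#   custom_commands -> raw VyOS `set` lines

interfaces:
  # Parent interfaces carry no `vif`; each VLAN is its own entry with the
  # same `vyos_if` plus its `vif`. `zone` names the firewall zone.
  # NOTE(review): the 10.0.5.1/24 interface is in zone "omada", but `zones`
  # below has no entry of that name and the "derp" zone has no interface
  # assigned to it -- confirm zones.j2 maps them as intended.
  - vyos_if: "eth0"
    desc: "WAN interface"
    vif: "2"
    enabled: "true"
    ipv4_addr: "dhcp"
    default_action: "drop"
    zone: "wan"
    nat:
      # nat.j2 masquerades every dhcp_subnets entry out of this interface.
      role: "outside"
  - vyos_if: "eth1"
    desc: "VLAN bridge"
    enabled: "true"
  - vyos_if: "eth0"
    desc: "VLAN bridge"
    enabled: "true"
  - vyos_if: "eth1"
    desc: "LAN desk"
    vif: "5"
    enabled: "true"
    ipv4_addr: "10.0.1.1/24"
    zone: "clients"
  - vyos_if: "eth0"
    desc: "management network"
    vif: "3"
    enabled: "true"
    ipv4_addr: "192.168.0.1/24"
    zone: "management"
  - vyos_if: "eth0"
    desc: "LAN wifi"
    vif: "37"
    enabled: "true"
    ipv4_addr: "10.0.3.1/24"
    zone: "clients"
  - vyos_if: "eth1"
    desc: "LAN services"
    vif: "10"
    enabled: "true"
    ipv4_addr: "10.0.2.1/24"
    zone: "services"
  - vyos_if: "eth0"
    desc: "LAN IOT"
    vif: "41"
    enabled: "true"
    ipv4_addr: "10.0.4.1/24"
    zone: "iot"
  - vyos_if: "eth0"
    desc: "LAN omada"
    vif: "46"
    enabled: "true"
    ipv4_addr: "10.0.5.1/24"
    zone: "omada"

# None of the tasks in this gist consume these for DHCP yet, but nat.j2
# iterates the list as the source-NAT subnets, so rework/rename it together
# with nat.j2.
dhcp_subnets:
  - subnet: "10.0.5.0/24"
    shared_network_name: "derp"
    default_router: "10.0.5.1"
    domain_name: "derp"
    start: "10.0.5.100"
    stop: "10.0.5.200"
  - subnet: "192.168.0.0/24"
    shared_network_name: "management"
    default_router: "192.168.0.1"
    domain_name: "management"
    start: "192.168.0.100"
    stop: "192.168.0.200"
  - subnet: "10.0.3.0/24"
    shared_network_name: "wifi"
    domain_name: "clients"
    default_router: "10.0.3.1"
    start: "10.0.3.100"
    stop: "10.0.3.200"
  - subnet: "10.0.1.0/24"
    shared_network_name: "desk"
    domain_name: "clients"
    default_router: "10.0.1.1"
    start: "10.0.1.100"
    stop: "10.0.1.200"
  - subnet: "10.0.4.0/24"
    shared_network_name: "iot"
    default_router: "10.0.4.1"
    start: "10.0.4.100"
    stop: "10.0.4.200"
  - subnet: "10.0.2.0/24"
    shared_network_name: "services"
    default_router: "10.0.2.1"
    start: "10.0.2.100"
    stop: "10.0.2.200"

zones:
  # One entry per zone. `policies` lists the destination zones this zone
  # gets a ruleset towards; per policy:
  #   default_action  ruleset default-action (VyOS's own default when absent)
  #   rules           applied to both the IPv4 and the IPv6 ruleset
  #   rules_ipv4      IPv4 ruleset only
  # Rule strings are the tail of `set firewall name ...` and must begin with
  # the <src>-<dest> ruleset name. Confirm the policy templates read
  # default_action at this (policy) level.
  - name: wan
    policies:
      - dest: iot
      - dest: services
        rules_ipv4:
          # Inbound wan->services to 10.0.2.5: tcp/1234 and http(s).
          - wan-services rule 1101 action 'accept'
          - wan-services rule 1101 destination address '10.0.2.5'
          - wan-services rule 1101 destination port '1234'
          - wan-services rule 1101 protocol 'tcp'
          - wan-services rule 1101 state new 'enable'
          - wan-services rule 1102 action 'accept'
          - wan-services rule 1102 destination address '10.0.2.5'
          - wan-services rule 1102 destination port '80,443'
          - wan-services rule 1102 protocol 'tcp'
          - wan-services rule 1102 state new 'enable'
      - dest: derp
      - dest: clients
      - dest: local
      - dest: management
  - name: clients
    policies:
      - dest: wan
        default_action: "accept"
      - dest: iot
        rules:
          # mqtt
          - clients-iot rule 1101 action 'accept'
          - clients-iot rule 1101 destination port '1883'
          - clients-iot rule 1101 protocol 'tcp'
          - clients-iot rule 1101 state new enable
          # web access to iot devices
          - clients-iot rule 1102 action 'accept'
          - clients-iot rule 1102 destination port '80'
          - clients-iot rule 1102 protocol 'tcp'
          - clients-iot rule 1102 state new enable
      - dest: services
        rules_ipv4:
          # pihole/dns
          - clients-services rule 1105 action 'accept'
          - clients-services rule 1105 destination port '53,853'
          - clients-services rule 1105 destination address '10.0.2.2'
          - clients-services rule 1105 protocol 'tcp_udp'
          - clients-services rule 1105 state new enable
          # smb/nfs
          - clients-services rule 1106 action 'accept'
          - clients-services rule 1106 destination port '111,139,445,2049'
          - clients-services rule 1106 destination address '10.0.2.50'
          - clients-services rule 1106 protocol 'tcp_udp'
          - clients-services rule 1106 state new enable
          # http(s)
          - clients-services rule 1111 action 'accept'
          - clients-services rule 1111 destination port '80,443'
          - clients-services rule 1111 destination address '10.0.2.5'
          - clients-services rule 1111 protocol 'tcp_udp'
          - clients-services rule 1111 state new enable
        rules:
          # ssh
          - clients-services rule 1101 action 'accept'
          - clients-services rule 1101 destination port '22'
          - clients-services rule 1101 protocol 'tcp'
          - clients-services rule 1101 state new enable
          # MQTT
          - clients-services rule 1103 action 'accept'
          - clients-services rule 1103 destination port '1883'
          - clients-services rule 1103 protocol 'tcp'
          - clients-services rule 1103 state new enable
          # iperf3
          - clients-services rule 1110 action 'accept'
          - clients-services rule 1110 destination port '5201'
          - clients-services rule 1110 protocol 'tcp_udp'
          - clients-services rule 1110 state new enable
      - dest: derp
        rules:
          - clients-derp rule 1101 action 'accept'
          - clients-derp rule 1101 destination port '8043'
          - clients-derp rule 1101 protocol 'tcp'
          - clients-derp rule 1101 state new enable
      - dest: local
      - dest: management
        rules:
          - clients-management rule 1101 action 'accept'
          - clients-management rule 1101 destination port '80,443'
          - clients-management rule 1101 protocol 'tcp'
          - clients-management rule 1101 state new enable
  - name: services
    policies:
      - dest: wan
        default_action: "reject"
        rules:
          # tcp outwards
          - services-wan rule 1101 action 'accept'
          - services-wan rule 1101 destination port '80,443,465,587'
          - services-wan rule 1101 protocol 'tcp'
          - services-wan rule 1101 state new enable
          # udp outwards
          - services-wan rule 1102 action 'accept'
          - services-wan rule 1102 destination port '123'
          - services-wan rule 1102 protocol 'udp'
          - services-wan rule 1102 state new enable
        rules_ipv4:
          # pihole/dns out
          - services-wan rule 1105 action 'accept'
          - services-wan rule 1105 destination port '53,853'
          - services-wan rule 1105 source address '10.0.2.2'
          - services-wan rule 1105 protocol 'tcp_udp'
          - services-wan rule 1105 state new enable
      - dest: local
      - dest: clients
        rules_ipv4:
          - services-clients rule 1101 action 'accept'
          - services-clients rule 1101 destination port '2345'
          - services-clients rule 1101 source address '10.0.2.5'
          - services-clients rule 1101 destination address '10.0.3.10'
          - services-clients rule 1101 protocol 'tcp'
          - services-clients rule 1101 state new enable
      - dest: derp
      - dest: management
  - name: derp
    policies:
      - dest: wan
        default_action: "accept"
        rules:
          - derp-wan rule 1101 action 'accept'
          - derp-wan rule 1101 destination port '123'
          - derp-wan rule 1101 protocol 'udp'
          - derp-wan rule 1101 state new enable
      - dest: local
      - dest: clients
      - dest: services
      - dest: iot
      - dest: management
  - name: iot
    policies:
      - dest: local
      - dest: clients
      - dest: management
      - dest: wan
        rules:
          # Allow (s)NTP for IoT devices
          - iot-wan rule 1101 action 'accept'
          - iot-wan rule 1101 destination port '123'
          - iot-wan rule 1101 protocol 'udp'
          - iot-wan rule 1101 state new enable
      - dest: services
        rules:
          # Allow IoT devices reach the services network for MQTT
          - iot-services rule 1101 action 'accept'
          - iot-services rule 1101 destination port '1883'
          - iot-services rule 1101 protocol 'tcp'
          - iot-services rule 1101 state new enable
      - dest: derp
  - name: local
    local: true
    policies:
      - dest: clients
      - dest: management
      - dest: services
        rules_ipv4:
          # telegraf to influx
          - local-services rule 1102 action 'accept'
          - local-services rule 1102 destination port '8086'
          - local-services rule 1102 destination address '10.0.2.53'
          - local-services rule 1102 protocol 'tcp'
          - local-services rule 1102 state new enable
        rules:
          # Allow ssh from firewall to services
          - local-services rule 1101 action 'accept'
          - local-services rule 1101 destination port '22'
          - local-services rule 1101 protocol 'tcp'
          - local-services rule 1101 state new enable
      - dest: derp
      - dest: iot
      - dest: wan
        rules:
          # DNS
          - local-wan rule 1101 action 'accept'
          - local-wan rule 1101 destination port '53,853'
          - local-wan rule 1101 protocol 'tcp_udp'
          - local-wan rule 1101 state new enable
          # HTTP/HTTPS -- was also numbered 1101, so its destination port
          # overwrote the DNS rule's; renumbered so both rules exist.
          - local-wan rule 1102 action 'accept'
          - local-wan rule 1102 destination port '80,443'
          - local-wan rule 1102 protocol 'tcp_udp'
          - local-wan rule 1102 state new enable

custom_commands:
  # Egress shaping on the WAN sub-interface (eth0 vif 2).
  - set traffic-policy shaper shaper-90mbit bandwidth 90mbps
  - set traffic-policy shaper shaper-90mbit default bandwidth 100%
  - set traffic-policy shaper shaper-90mbit default burst 15k
  - set traffic-policy shaper shaper-90mbit queue-type fq-codel
  - set interfaces ethernet eth0 vif 2 traffic-policy out shaper-90mbit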
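---
# tasks file for roles/interfaces
#
# Every task loops over `interfaces`. Entries with `vif` are VLAN
# sub-interfaces and are handled by the "- vifs" variant of each task.
# All modules are referenced by their vyos.vyos FQCN, matching the firewall
# tasks (the mix of short and fully-qualified names has been removed).

- name: Configure interfaces - status & descriptions
  vyos.vyos.vyos_interfaces:
    config:
      - name: "{{ item.vyos_if }}"
        description: "{{ item.desc }}"
        enabled: "{{ item.enabled }}"
  when: item.vif is not defined
  loop: "{{ interfaces }}"

- name: Configure interfaces - Status and Descriptions - vifs
  vyos.vyos.vyos_interfaces:
    config:
      - name: "{{ item.vyos_if }}"
        vifs:
          - description: "{{ item.desc }}"
            enabled: "{{ item.enabled }}"
            vlan_id: "{{ item.vif }}"
  when: item.vif is defined
  loop: "{{ interfaces }}"

- name: Configure interfaces - MAC address
  # MAC override as a raw `set` line; only for entries that define `mac`.
  vyos.vyos.vyos_config:
    lines:
      - set interfaces ethernet "{{ item.vyos_if }}" mac "{{ item.mac }}"
  when:
    - item.vif is not defined
    - item.mac is defined
  loop: "{{ interfaces }}"

- name: Configure interfaces - MAC address - vifs
  vyos.vyos.vyos_config:
    lines:
      - set interfaces ethernet "{{ item.vyos_if }}" vif "{{ item.vif }}" mac "{{ item.mac }}"
  when:
    - item.vif is defined
    - item.mac is defined
  loop: "{{ interfaces }}"

- name: Configure interfaces - L3 IPv4
  # `ipv4_addr` may be a CIDR or the literal "dhcp"; see the vars file.
  vyos.vyos.vyos_l3_interfaces:
    config:
      - name: "{{ item.vyos_if }}"
        ipv4:
          - address: "{{ item.ipv4_addr }}"
  when:
    - item.ipv4_addr is defined
    - item.vif is not defined
  loop: "{{ interfaces }}"

- name: Configure interfaces - L3 IPv4 - vifs
  vyos.vyos.vyos_l3_interfaces:
    config:
      - name: "{{ item.vyos_if }}"
        vifs:
          - ipv4:
              - address: "{{ item.ipv4_addr }}"
            vlan_id: "{{ item.vif }}"
  when:
    - item.ipv4_addr is defined
    - item.vif is defined
  loop: "{{ interfaces }}"

- name: Configure interfaces - L3 IPv6
  vyos.vyos.vyos_l3_interfaces:
    config:
      - name: "{{ item.vyos_if }}"
        ipv6:
          - address: "{{ item.ipv6_addr }}"
  when:
    - item.ipv6_addr is defined
    - item.vif is not defined
  loop: "{{ interfaces }}"

- name: Configure interfaces - L3 IPv6 - vifs
  vyos.vyos.vyos_l3_interfaces:
    config:
      - name: "{{ item.vyos_if }}"
        vifs:
          - ipv6:
              - address: "{{ item.ipv6_addr }}"
            vlan_id: "{{ item.vif }}"
  when:
    - item.ipv6_addr is defined
    - item.vif is defined
  loop: "{{ interfaces }}"

- name: Configure system resolver - use the DHCP supplied servers
  # Only the WAN-zone interface that obtains its address via DHCP feeds the
  # system resolver.
  vyos.vyos.vyos_config:
    lines:
      - set system name-servers-dhcp "{{ item.vyos_if }}"
  when:
    - item.ipv4_addr is defined and item.ipv4_addr == "dhcp"
    - item.zone is defined and item.zone == "wan"
    - item.vif is not defined
  loop: "{{ interfaces }}"

- name: Configure system resolver - use the DHCP supplied servers - vifs
  # Same as above for a WAN on a VLAN sub-interface (<if>.<vif>).
  vyos.vyos.vyos_config:
    lines:
      - set system name-servers-dhcp "{{ item.vyos_if }}.{{ item.vif }}"
  when:
    - item.ipv4_addr is defined and item.ipv4_addr == "dhcp"
    - item.zone is defined and item.zone == "wan"
    - item.vif is defined
  loop: "{{ interfaces }}"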
---
# tasks file for nat
#
# Every NAT rule comes from nat.j2, which derives the masquerade rules from
# `interfaces` (the entry whose nat.role is outside) and `dhcp_subnets`.

- name: Apply NAT rules
  vyos.vyos.vyos_config:
    src: nat.j2
  tags:
    - nat
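{# Source NAT (masquerade) for every interface whose nat.role is outside.
   Each entry of `dhcp_subnets` becomes one `nat source rule`. #}
{% for interface in interfaces %}
{# Equality instead of the former substring test, so a role such as
   "not-outside" is no longer treated as outside; a missing role means no NAT. #}
{% if 'nat' in interface and interface['nat']['role'] | default('') == 'outside' %}
{# Not smart to assume that all valid subnets have dhcp enabled...
   but good enough for now.
   NOTE(review): rule numbers are "10" followed by the subnet's loop index
   (101, 102, ...), so a second outside interface would reuse the same
   numbers and overwrite the first one's rules; fold the interface index
   into the number if that case ever arises. #}
{% for subnet in dhcp_subnets %}
set nat source rule 10{{ loop.index }} translation address 'masquerade'
set nat source rule 10{{ loop.index }} source address {{ subnet.subnet }}
{# WAN may be a VLAN sub-interface: <if>.<vif> #}
set nat source rule 10{{ loop.index }} outbound-interface '{{ interface['vyos_if'] }}{% if 'vif' in interface %}.{{ interface['vif'] }}{% endif %}'
{% endfor %}
{% endif %}
{% endfor %}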