Relevant parts of an Ansible playbook to set up a ZBF firewall in VyOS. The variables file is a mess. I can't include slashes in file names, so dashes in the file names are supposed to be slashes.
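---
# Firewall role tasks: VyOS zone-based firewall (ZBF).
#
# All tasks push "set ..." lines through vyos.vyos.vyos_config, either
# inline ("lines") or rendered from a template ("src"). vyos_config only
# adds the rendered lines; rules that disappear from the variables are
# not deleted from the device by these tasks.
- name: Allow all local ICMP
  vyos.vyos.vyos_config:
    lines:
      - set firewall all-ping enable
  tags:
    - firewall

- name: Allow stateful traffic
  vyos.vyos.vyos_config:
    lines:
      - set firewall state-policy established action accept
      - set firewall state-policy related action accept
  tags:
    - firewall

# addressbook.j2 builds address-groups from fw_addresses. A missing
# variable skips the task rather than failing it.
- name: Define Addresses
  vyos.vyos.vyos_config:
    src: addressbook.j2
  when:
    - fw_addresses is defined
  tags:
    - firewall

# zones.j2 (not part of this gist) defines the zones themselves.
- name: Define zones
  vyos.vyos.vyos_config:
    src: zones.j2
  when:
    - zones is defined
  tags:
    - firewall
    - zone-def

# policy_v4.j2 / policy_v6.j2 render one ruleset per (zone, dest) pair and
# bind it with "set zone-policy zone <dest> from <zone> ...", so they rely
# on the zones task above having run.
- name: Define Zone Policies - IPv4
  vyos.vyos.vyos_config:
    src: policy_v4.j2
  when:
    - zones is defined
  tags:
    - firewall
    - zone-policies

- name: Define Zone Policies - IPv6
  vyos.vyos.vyos_config:
    src: policy_v6.j2
  when:
    - zones is defined
  tags:
    - firewall
    - zone-policies-ipv6
    - zone-policies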
{# addressbook.j2: firewall address groups. #}
{# Every fw_addresses entry that carries a "groups" list adds its ip #}
{# (IPv4) and/or ipv6 value to each of those groups. Entries without #}
{# "groups", or without either address key, produce no output. #}
{% for address in fw_addresses %}
{% if address.groups is defined %}
{% for group in address.groups %}
{% if address.ip is defined %}
set firewall group address-group {{ group }} address {{ address.ip }}
{% endif %}
{% if address.ipv6 is defined %}
set firewall group ipv6-address-group {{ group }} address {{ address.ipv6 }}
{% endif %}
{% endfor %}
{% endif %}
{% endfor %}
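{# policy_v4.j2: one IPv4 ruleset per (zone, dest) pair plus the #}
{# zone-policy binding that applies it. Rule numbers: 10/20/30 are the #}
{# implicit defaults, 1010/1011/1020 the "dest is local" services, and #}
{# policy.rules / policy.rules_ipv4 entries are appended verbatim (they #}
{# must start with "<zone>-<dest> rule <n> ..."). #}
{% for zone in zones %}
{% if zone['policies'] is defined %}
{% for policy in zone['policies'] %}
{% if zone['name'] != policy['dest'] %}
{# Ruleset name shared by every line below. #}
{% set fwname = zone['name'] ~ '-' ~ policy['dest'] %}
{# Interfaces are defined elsewhere. This is to allow us to apply rulesets #}
{# to these zones in particular. #}
set zone-policy zone {{ policy['dest'] }} from {{ zone['name'] }} firewall name {{ fwname }}
{# Default action for this zone pair. Can be set to accept, contrary to #}
{# the zbf based value. A per-policy value wins, a zone-wide one is still #}
{# honoured; with neither, VyOS's own default (drop) applies. The vars #}
{# file sets this per policy, which a zone-only lookup silently ignores. #}
{% if policy['default_action'] is defined %}
set firewall name {{ fwname }} default-action {{ policy['default_action'] }}
{% elif zone['default_action'] is defined %}
set firewall name {{ fwname }} default-action {{ zone['default_action'] }}
{% endif %}
{# Define the implicit default rules (rules 10/20/30 only). #}
{% if zone['skip_default_rules'] is undefined %}
{# Accept related and established stuff #}
set firewall name {{ fwname }} rule 10 state established enable
set firewall name {{ fwname }} rule 10 state related enable
set firewall name {{ fwname }} rule 10 action accept
{# Drop and log invalid state #}
set firewall name {{ fwname }} rule 20 state invalid enable
set firewall name {{ fwname }} rule 20 action drop
set firewall name {{ fwname }} rule 20 log enable
{# Allow ICMP in, but not from WAN to other zones than local. #}
{% if zone['name'] != "wan" or policy['dest'] == "local" %}
set firewall name {{ fwname }} rule 30 protocol icmp
set firewall name {{ fwname }} rule 30 description 'allow icmp'
set firewall name {{ fwname }} rule 30 action accept
{% endif %}
{% endif %}
{# If target zone is local, allow basic stuff #}
{% if policy['dest'] == "local" %}
{# Allow ssh in. NOTE(review): unlike DNS/DHCP below, this rule is not #}
{# guarded by the source zone, so the firewall's SSH port is reachable #}
{# from wan as well; confirm that is intended or guard it the same way. #}
set firewall name {{ fwname }} rule 1020 destination port 22
set firewall name {{ fwname }} rule 1020 protocol tcp
set firewall name {{ fwname }} rule 1020 action accept
set firewall name {{ fwname }} rule 1020 state new enable
set firewall name {{ fwname }} rule 1020 description 'Allow SSH from {{ zone['name'] }}'
{# Only allow DNS/DHCP etc if dest is local but origin isnt WAN. #}
{% if zone['name'] != "wan" %}
{# Allow DNS in (TCP and UDP) #}
set firewall name {{ fwname }} rule 1010 destination port 53
set firewall name {{ fwname }} rule 1010 protocol tcp_udp
set firewall name {{ fwname }} rule 1010 action accept
set firewall name {{ fwname }} rule 1010 state new enable
set firewall name {{ fwname }} rule 1010 description 'Allow DNS queries from {{ zone['name'] }}'
{# Allow DHCP in. DHCPv4 is UDP only, so TCP 67/68 stays closed. #}
set firewall name {{ fwname }} rule 1011 destination port '67,68'
set firewall name {{ fwname }} rule 1011 protocol udp
set firewall name {{ fwname }} rule 1011 action accept
set firewall name {{ fwname }} rule 1011 state new enable
set firewall name {{ fwname }} rule 1011 description 'Allow DHCP queries from {{ zone['name'] }}'
{% endif %}
{% endif %}
{# Custom rules that only make sense for IPv4 (IPv4 literals etc). #}
{% if policy['rules_ipv4'] is defined %}
{% for rule in policy['rules_ipv4'] %}
set firewall name {{ rule }}
{% endfor %}
{% endif %}
{# Custom rules shared with the IPv6 ruleset (policy_v6.j2 emits them too). #}
{% if policy['rules'] is defined %}
{% for rule in policy['rules'] %}
set firewall name {{ rule }}
{% endfor %}
{% endif %}
{% endif %}
{% endfor %}
{% endif %}
{% endfor %}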
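{# policy_v6.j2: IPv6 counterpart of policy_v4.j2. Ruleset names carry #}
{# a "-v6" suffix; policy.rules and policy.rules_ipv6 entries get that #}
{# suffix inserted after their first word (the ruleset name). #}
{% for zone in zones %}
{% if zone['policies'] is defined %}
{% for policy in zone['policies'] %}
{% if zone['name'] != policy['dest'] %}
{# Ruleset name shared by every line below. #}
{% set fwname = zone['name'] ~ '-' ~ policy['dest'] ~ '-v6' %}
{# Interfaces are defined elsewhere. This is to allow us to apply rulesets #}
{# to these zones in particular. #}
set zone-policy zone {{ policy['dest'] }} from {{ zone['name'] }} firewall ipv6-name {{ fwname }}
{# Default action for this zone pair. Can be set to accept, contrary to #}
{# the zbf based value. A per-policy value wins, a zone-wide one is still #}
{# honoured; with neither, VyOS's own default (drop) applies. The vars #}
{# file sets this per policy, which a zone-only lookup silently ignores. #}
{% if policy['default_action'] is defined %}
set firewall ipv6-name {{ fwname }} default-action {{ policy['default_action'] }}
{% elif zone['default_action'] is defined %}
set firewall ipv6-name {{ fwname }} default-action {{ zone['default_action'] }}
{% endif %}
{# Define the implicit default rules (rules 10/20/30 only). #}
{% if zone['skip_default_rules'] is undefined %}
{# Accept related and established stuff #}
set firewall ipv6-name {{ fwname }} rule 10 state established enable
set firewall ipv6-name {{ fwname }} rule 10 state related enable
set firewall ipv6-name {{ fwname }} rule 10 action accept
{# Drop and log invalid state #}
set firewall ipv6-name {{ fwname }} rule 20 state invalid enable
set firewall ipv6-name {{ fwname }} rule 20 action drop
set firewall ipv6-name {{ fwname }} rule 20 log enable
{# Allow ICMPv6 in, but not from WAN to other zones than local. The #}
{# protocol must be ipv6-icmp (IP protocol 58); "icmp" is protocol 1 and #}
{# never matches IPv6 traffic, so neighbour discovery and PMTU messages #}
{# were left to the remaining rules / default action. #}
{% if zone['name'] != "wan" or policy['dest'] == "local" %}
set firewall ipv6-name {{ fwname }} rule 30 protocol ipv6-icmp
set firewall ipv6-name {{ fwname }} rule 30 description 'allow icmp'
set firewall ipv6-name {{ fwname }} rule 30 action accept
{% endif %}
{% endif %}
{# If target zone is local, allow basic stuff #}
{% if policy['dest'] == "local" %}
{# Allow ssh in. NOTE(review): unlike DNS/DHCP below, this rule is not #}
{# guarded by the source zone, so the firewall's SSH port is reachable #}
{# from wan as well; confirm that is intended or guard it the same way. #}
set firewall ipv6-name {{ fwname }} rule 1020 destination port 22
set firewall ipv6-name {{ fwname }} rule 1020 protocol tcp
set firewall ipv6-name {{ fwname }} rule 1020 action accept
set firewall ipv6-name {{ fwname }} rule 1020 state new enable
set firewall ipv6-name {{ fwname }} rule 1020 description 'Allow SSH from {{ zone['name'] }}'
{# Only allow DNS/DHCP etc if dest is local but origin isnt WAN. #}
{% if zone['name'] != "wan" %}
{# Allow DNS in (TCP and UDP) #}
set firewall ipv6-name {{ fwname }} rule 1010 destination port 53
set firewall ipv6-name {{ fwname }} rule 1010 protocol tcp_udp
set firewall ipv6-name {{ fwname }} rule 1010 action accept
set firewall ipv6-name {{ fwname }} rule 1010 state new enable
set firewall ipv6-name {{ fwname }} rule 1010 description 'Allow DNS queries from {{ zone['name'] }}'
{# Allow DHCPv6 in. DHCPv6 uses UDP 546/547, not the DHCPv4 ports 67/68, #}
{# and it is UDP only. #}
set firewall ipv6-name {{ fwname }} rule 1011 destination port '546,547'
set firewall ipv6-name {{ fwname }} rule 1011 protocol udp
set firewall ipv6-name {{ fwname }} rule 1011 action accept
set firewall ipv6-name {{ fwname }} rule 1011 state new enable
set firewall ipv6-name {{ fwname }} rule 1011 description 'Allow DHCP queries from {{ zone['name'] }}'
{% endif %}
{% endif %}
{# Custom rules shared with the IPv4 ruleset: the ruleset name is the #}
{# first word, so "-v6" is inserted after it. #}
{# https://stackoverflow.com/a/39794185 #}
{% if policy['rules'] is defined %}
{% for rule in policy['rules'] %}
set firewall ipv6-name {{ rule.split(" ")[0] }}-v6 {{ " ".join(rule.split(" ")[1:]) }}
{% endfor %}
{% endif %}
{# IPv6-only custom rules; same "-v6" rewrite of the ruleset name. #}
{% if policy['rules_ipv6'] is defined %}
{% for rule in policy['rules_ipv6'] %}
set firewall ipv6-name {{ rule.split(" ")[0] }}-v6 {{ " ".join(rule.split(" ")[1:]) }}
{% endfor %}
{% endif %}
{% endif %}
{% endfor %}
{% endif %}
{% endfor %}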
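{# policy_v6.j2: IPv6 counterpart of policy_v4.j2. Ruleset names carry #}
{# a "-v6" suffix; policy.rules and policy.rules_ipv6 entries get that #}
{# suffix inserted after their first word (the ruleset name). #}
{% for zone in zones %}
{% if zone['policies'] is defined %}
{% for policy in zone['policies'] %}
{% if zone['name'] != policy['dest'] %}
{# Ruleset name shared by every line below. #}
{% set fwname = zone['name'] ~ '-' ~ policy['dest'] ~ '-v6' %}
{# Interfaces are defined elsewhere. This is to allow us to apply rulesets #}
{# to these zones in particular. #}
set zone-policy zone {{ policy['dest'] }} from {{ zone['name'] }} firewall ipv6-name {{ fwname }}
{# Default action for this zone pair. Can be set to accept, contrary to #}
{# the zbf based value. A per-policy value wins, a zone-wide one is still #}
{# honoured; with neither, VyOS's own default (drop) applies. The vars #}
{# file sets this per policy, which a zone-only lookup silently ignores. #}
{% if policy['default_action'] is defined %}
set firewall ipv6-name {{ fwname }} default-action {{ policy['default_action'] }}
{% elif zone['default_action'] is defined %}
set firewall ipv6-name {{ fwname }} default-action {{ zone['default_action'] }}
{% endif %}
{# Define the implicit default rules (rules 10/20/30 only). #}
{% if zone['skip_default_rules'] is undefined %}
{# Accept related and established stuff #}
set firewall ipv6-name {{ fwname }} rule 10 state established enable
set firewall ipv6-name {{ fwname }} rule 10 state related enable
set firewall ipv6-name {{ fwname }} rule 10 action accept
{# Drop and log invalid state #}
set firewall ipv6-name {{ fwname }} rule 20 state invalid enable
set firewall ipv6-name {{ fwname }} rule 20 action drop
set firewall ipv6-name {{ fwname }} rule 20 log enable
{# Allow ICMPv6 in, but not from WAN to other zones than local. The #}
{# protocol must be ipv6-icmp (IP protocol 58); "icmp" is protocol 1 and #}
{# never matches IPv6 traffic, so neighbour discovery and PMTU messages #}
{# were left to the remaining rules / default action. #}
{% if zone['name'] != "wan" or policy['dest'] == "local" %}
set firewall ipv6-name {{ fwname }} rule 30 protocol ipv6-icmp
set firewall ipv6-name {{ fwname }} rule 30 description 'allow icmp'
set firewall ipv6-name {{ fwname }} rule 30 action accept
{% endif %}
{% endif %}
{# If target zone is local, allow basic stuff #}
{% if policy['dest'] == "local" %}
{# Allow ssh in. NOTE(review): unlike DNS/DHCP below, this rule is not #}
{# guarded by the source zone, so the firewall's SSH port is reachable #}
{# from wan as well; confirm that is intended or guard it the same way. #}
set firewall ipv6-name {{ fwname }} rule 1020 destination port 22
set firewall ipv6-name {{ fwname }} rule 1020 protocol tcp
set firewall ipv6-name {{ fwname }} rule 1020 action accept
set firewall ipv6-name {{ fwname }} rule 1020 state new enable
set firewall ipv6-name {{ fwname }} rule 1020 description 'Allow SSH from {{ zone['name'] }}'
{# Only allow DNS/DHCP etc if dest is local but origin isnt WAN. #}
{% if zone['name'] != "wan" %}
{# Allow DNS in (TCP and UDP) #}
set firewall ipv6-name {{ fwname }} rule 1010 destination port 53
set firewall ipv6-name {{ fwname }} rule 1010 protocol tcp_udp
set firewall ipv6-name {{ fwname }} rule 1010 action accept
set firewall ipv6-name {{ fwname }} rule 1010 state new enable
set firewall ipv6-name {{ fwname }} rule 1010 description 'Allow DNS queries from {{ zone['name'] }}'
{# Allow DHCPv6 in. DHCPv6 uses UDP 546/547, not the DHCPv4 ports 67/68, #}
{# and it is UDP only. #}
set firewall ipv6-name {{ fwname }} rule 1011 destination port '546,547'
set firewall ipv6-name {{ fwname }} rule 1011 protocol udp
set firewall ipv6-name {{ fwname }} rule 1011 action accept
set firewall ipv6-name {{ fwname }} rule 1011 state new enable
set firewall ipv6-name {{ fwname }} rule 1011 description 'Allow DHCP queries from {{ zone['name'] }}'
{% endif %}
{% endif %}
{# Custom rules shared with the IPv4 ruleset: the ruleset name is the #}
{# first word, so "-v6" is inserted after it. #}
{# https://stackoverflow.com/a/39794185 #}
{% if policy['rules'] is defined %}
{% for rule in policy['rules'] %}
set firewall ipv6-name {{ rule.split(" ")[0] }}-v6 {{ " ".join(rule.split(" ")[1:]) }}
{% endfor %}
{% endif %}
{# IPv6-only custom rules; same "-v6" rewrite of the ruleset name. #}
{% if policy['rules_ipv6'] is defined %}
{% for rule in policy['rules_ipv6'] %}
set firewall ipv6-name {{ rule.split(" ")[0] }}-v6 {{ " ".join(rule.split(" ")[1:]) }}
{% endfor %}
{% endif %}
{% endif %}
{% endfor %}
{% endif %}
{% endfor %}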
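---
# Host variables for the VyOS roles (interfaces, firewall, nat).

# interfaces: one entry per physical interface or VLAN sub-interface.
#   vyos_if   - parent ethernet interface
#   vif       - VLAN id; absent on entries that configure the parent itself
#   enabled   - kept as a string; the vyos.vyos modules coerce it to bool
#   ipv4_addr - CIDR or "dhcp"
#   zone      - ZBF zone the interface belongs to (consumed by zones.j2,
#               which is not part of this gist)
#   nat.role  - "outside" marks the interface nat.j2 masquerades behind
#   default_action is not read by any template shown here; presumably
#   zones.j2 uses it - verify.
interfaces:
  - vyos_if: "eth0"
    desc: "WAN interface"
    vif: "2"
    enabled: "true"
    ipv4_addr: "dhcp"
    default_action: "drop"
    zone: "wan"
    nat:
      role: "outside"
  - vyos_if: "eth1"
    desc: "VLAN bridge"
    enabled: "true"
  - vyos_if: "eth0"
    desc: "VLAN bridge"
    enabled: "true"
  - vyos_if: "eth1"
    desc: "LAN desk"
    vif: "5"
    enabled: "true"
    ipv4_addr: "10.0.1.1/24"
    zone: "clients"
  # NOTE(review): "management" is used as a policy destination below but
  # has no entry of its own under zones; confirm zones.j2 derives zones
  # from interface entries, otherwise the *-management rulesets bind to a
  # zone that does not exist.
  - vyos_if: "eth0"
    desc: "management network"
    vif: "3"
    enabled: "true"
    ipv4_addr: "192.168.0.1/24"
    zone: "management"
  - vyos_if: "eth0"
    desc: "LAN wifi"
    vif: "37"
    enabled: "true"
    ipv4_addr: "10.0.3.1/24"
    zone: "clients"
  - vyos_if: "eth1"
    desc: "LAN services"
    vif: "10"
    enabled: "true"
    ipv4_addr: "10.0.2.1/24"
    zone: "services"
  - vyos_if: "eth0"
    desc: "LAN IOT"
    vif: "41"
    enabled: "true"
    ipv4_addr: "10.0.4.1/24"
    zone: "iot"
  # NOTE(review): zone "omada" is not defined under zones below; the
  # 10.0.5.0/24 network is called "derp" there and in dhcp_subnets.
  # Confirm which name is intended before relying on this entry.
  - vyos_if: "eth0"
    desc: "LAN omada"
    vif: "46"
    enabled: "true"
    ipv4_addr: "10.0.5.1/24"
    zone: "omada"

# Not consumed by any DHCP task shown here, but nat.j2 loops over it to
# build the source-NAT (masquerade) rules, so it cannot simply be dropped.
# Should be reworked and renamed.
dhcp_subnets:
  - subnet: "10.0.5.0/24"
    shared_network_name: "derp"
    default_router: "10.0.5.1"
    domain_name: "derp"
    start: "10.0.5.100"
    stop: "10.0.5.200"
  - subnet: "192.168.0.0/24"
    shared_network_name: "management"
    default_router: "192.168.0.1"
    domain_name: "management"
    start: "192.168.0.100"
    stop: "192.168.0.200"
  - subnet: "10.0.3.0/24"
    shared_network_name: "wifi"
    domain_name: "clients"
    default_router: "10.0.3.1"
    start: "10.0.3.100"
    stop: "10.0.3.200"
  - subnet: "10.0.1.0/24"
    shared_network_name: "desk"
    domain_name: "clients"
    default_router: "10.0.1.1"
    start: "10.0.1.100"
    stop: "10.0.1.200"
  - subnet: "10.0.4.0/24"
    shared_network_name: "iot"
    default_router: "10.0.4.1"
    start: "10.0.4.100"
    stop: "10.0.4.200"
  - subnet: "10.0.2.0/24"
    shared_network_name: "services"
    default_router: "10.0.2.1"
    start: "10.0.2.100"
    stop: "10.0.2.200"

# zones: ZBF zones and, per zone, the policy towards each other zone.
# Consumed by policy_v4.j2 / policy_v6.j2 (and zones.j2, not shown).
#   name                  - zone name; first half of the ruleset name
#                           "<name>-<dest>"
#   policies[].dest       - destination zone; one ruleset per pair
#   policies[].default_action
#                         - default-action of that ruleset. The policy
#                           templates must read policy['default_action']
#                           for this to take effect; check the template in
#                           use, a zone-level-only lookup ignores it.
#   policies[].rules      - custom rule lines applied to BOTH the IPv4 and
#                           the IPv6 ruleset (policy_v6.j2 appends "-v6" to
#                           the first word). Each entry is the tail of a
#                           "set firewall name ..." command and must start
#                           with "<name>-<dest> rule <n>". Re-using a rule
#                           number overwrites the earlier values for that
#                           rule instead of adding a second rule.
#   policies[].rules_ipv4 - IPv4 ruleset only (use for IPv4 literals)
#   policies[].rules_ipv6 - IPv6 ruleset only
#   skip_default_rules    - when set on a zone, the implicit rules 10/20/30
#                           are not emitted for its rulesets
#   local                 - not read by the templates shown here;
#                           presumably marks the local zone for zones.j2
zones:
  - name: wan
    policies:
      - dest: iot
      - dest: services
        # Exposed from the WAN side to 10.0.2.5 only.
        rules_ipv4:
          - wan-services rule 1101 action 'accept'
          - wan-services rule 1101 destination address '10.0.2.5'
          - wan-services rule 1101 destination port '1234'
          - wan-services rule 1101 protocol 'tcp'
          - wan-services rule 1101 state new 'enable'
          - wan-services rule 1102 action 'accept'
          - wan-services rule 1102 destination address '10.0.2.5'
          - wan-services rule 1102 destination port '80,443'
          - wan-services rule 1102 protocol 'tcp'
          - wan-services rule 1102 state new 'enable'
      - dest: derp
      - dest: clients
      - dest: local
      - dest: management
  - name: clients
    policies:
      - dest: wan
        default_action: "accept"
      - dest: iot
        rules:
          # mqtt
          - clients-iot rule 1101 action 'accept'
          - clients-iot rule 1101 destination port '1883'
          - clients-iot rule 1101 protocol 'tcp'
          - clients-iot rule 1101 state new enable
          # web access to iot devices
          - clients-iot rule 1102 action 'accept'
          - clients-iot rule 1102 destination port '80'
          - clients-iot rule 1102 protocol 'tcp'
          - clients-iot rule 1102 state new enable
      - dest: services
        rules_ipv4:
          # pihole/dns
          - clients-services rule 1105 action 'accept'
          - clients-services rule 1105 destination port '53,853'
          - clients-services rule 1105 destination address '10.0.2.2'
          - clients-services rule 1105 protocol 'tcp_udp'
          - clients-services rule 1105 state new enable
          # smb/nfs
          - clients-services rule 1106 action 'accept'
          - clients-services rule 1106 destination port '111,139,445,2049'
          - clients-services rule 1106 destination address '10.0.2.50'
          - clients-services rule 1106 protocol 'tcp_udp'
          - clients-services rule 1106 state new enable
          # http(s)
          - clients-services rule 1111 action 'accept'
          - clients-services rule 1111 destination port '80,443'
          - clients-services rule 1111 destination address '10.0.2.5'
          - clients-services rule 1111 protocol 'tcp_udp'
          - clients-services rule 1111 state new enable
        rules:
          # ssh
          - clients-services rule 1101 action 'accept'
          - clients-services rule 1101 destination port '22'
          - clients-services rule 1101 protocol 'tcp'
          - clients-services rule 1101 state new enable
          # MQTT
          - clients-services rule 1103 action 'accept'
          - clients-services rule 1103 destination port '1883'
          - clients-services rule 1103 protocol 'tcp'
          - clients-services rule 1103 state new enable
          # iperf3
          - clients-services rule 1110 action 'accept'
          - clients-services rule 1110 destination port '5201'
          - clients-services rule 1110 protocol 'tcp_udp'
          - clients-services rule 1110 state new enable
      - dest: derp
        rules:
          - clients-derp rule 1101 action 'accept'
          - clients-derp rule 1101 destination port '8043'
          - clients-derp rule 1101 protocol 'tcp'
          - clients-derp rule 1101 state new enable
      - dest: local
      - dest: management
        rules:
          - clients-management rule 1101 action 'accept'
          - clients-management rule 1101 destination port '80,443'
          - clients-management rule 1101 protocol 'tcp'
          - clients-management rule 1101 state new enable
  - name: services
    policies:
      - dest: wan
        default_action: "reject"
        rules:
          # tcp outwards
          - services-wan rule 1101 action 'accept'
          - services-wan rule 1101 destination port '80,443,465,587'
          - services-wan rule 1101 protocol 'tcp'
          - services-wan rule 1101 state new enable
          # udp outwards (ntp)
          - services-wan rule 1102 action 'accept'
          - services-wan rule 1102 destination port '123'
          - services-wan rule 1102 protocol 'udp'
          - services-wan rule 1102 state new enable
        rules_ipv4:
          # pihole/dns out
          - services-wan rule 1105 action 'accept'
          - services-wan rule 1105 destination port '53,853'
          - services-wan rule 1105 source address '10.0.2.2'
          - services-wan rule 1105 protocol 'tcp_udp'
          - services-wan rule 1105 state new enable
      - dest: local
      - dest: clients
        rules_ipv4:
          - services-clients rule 1101 action 'accept'
          - services-clients rule 1101 destination port '2345'
          - services-clients rule 1101 source address '10.0.2.5'
          - services-clients rule 1101 destination address '10.0.3.10'
          - services-clients rule 1101 protocol 'tcp'
          - services-clients rule 1101 state new enable
      - dest: derp
      - dest: management
  - name: derp
    policies:
      - dest: wan
        default_action: "accept"
        rules:
          - derp-wan rule 1101 action 'accept'
          - derp-wan rule 1101 destination port '123'
          - derp-wan rule 1101 protocol 'udp'
          - derp-wan rule 1101 state new enable
      - dest: local
      - dest: clients
      - dest: services
      - dest: iot
      - dest: management
  - name: iot
    policies:
      - dest: local
      - dest: clients
      - dest: management
      - dest: wan
        rules:
          # Allow (s)NTP for IoT devices
          - iot-wan rule 1101 action 'accept'
          - iot-wan rule 1101 destination port '123'
          - iot-wan rule 1101 protocol 'udp'
          - iot-wan rule 1101 state new enable
      - dest: services
        rules:
          # Allow IoT devices reach the services network for MQTT
          - iot-services rule 1101 action 'accept'
          - iot-services rule 1101 destination port '1883'
          - iot-services rule 1101 protocol 'tcp'
          - iot-services rule 1101 state new enable
      - dest: derp
  - name: local
    local: true
    policies:
      - dest: clients
      - dest: management
      - dest: services
        rules_ipv4:
          # telegraf to influx
          - local-services rule 1102 action 'accept'
          - local-services rule 1102 destination port '8086'
          - local-services rule 1102 destination address '10.0.2.53'
          - local-services rule 1102 protocol 'tcp'
          - local-services rule 1102 state new enable
        rules:
          # Allow ssh from firewall to services
          - local-services rule 1101 action 'accept'
          - local-services rule 1101 destination port '22'
          - local-services rule 1101 protocol 'tcp'
          - local-services rule 1101 state new enable
      - dest: derp
      - dest: iot
      - dest: wan
        rules:
          # DNS / DoT out
          - local-wan rule 1101 action 'accept'
          - local-wan rule 1101 destination port '53,853'
          - local-wan rule 1101 protocol 'tcp_udp'
          - local-wan rule 1101 state new enable
          # HTTP/HTTPS. Previously also numbered 1101, which made the
          # second "destination port" line overwrite the DNS ports above
          # so only 80,443 was left open.
          - local-wan rule 1102 action 'accept'
          - local-wan rule 1102 destination port '80,443'
          - local-wan rule 1102 protocol 'tcp_udp'
          - local-wan rule 1102 state new enable

# Raw set lines pushed as-is; not referenced by any task shown here.
custom_commands:
  - set traffic-policy shaper shaper-90mbit bandwidth 90mbps
  - set traffic-policy shaper shaper-90mbit default bandwidth 100%
  - set traffic-policy shaper shaper-90mbit default burst 15k
  - set traffic-policy shaper shaper-90mbit queue-type fq-codel
  - set interfaces ethernet eth0 vif 2 traffic-policy out shaper-90mbit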
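---
# tasks file for roles/interfaces
#
# Every task loops over "interfaces". Parent interfaces (no "vif" key) and
# VLAN sub-interfaces ("vif" set) need different config shapes in the
# vyos.vyos modules, so each step comes as a pair selected by "when".
# All modules are referenced by their collection FQCN so the file does not
# depend on the collection being on the short-name search path.
- name: Configure interfaces - status & descriptions
  vyos.vyos.vyos_interfaces:
    config:
      - name: "{{ item.vyos_if }}"
        description: "{{ item.desc }}"
        enabled: "{{ item.enabled }}"
  when: item.vif is not defined
  loop: "{{ interfaces }}"

- name: Configure interfaces - Status and Descriptions - vifs
  vyos.vyos.vyos_interfaces:
    config:
      - name: "{{ item.vyos_if }}"
        vifs:
          - description: "{{ item.desc }}"
            enabled: "{{ item.enabled }}"
            vlan_id: "{{ item.vif }}"
  when: item.vif is defined
  loop: "{{ interfaces }}"

# MAC overrides are raw set lines, emitted only for entries that carry
# a "mac" key.
- name: Configure interfaces - MAC address
  vyos.vyos.vyos_config:
    lines:
      - set interfaces ethernet "{{ item.vyos_if }}" mac "{{ item.mac }}"
  when:
    - item.vif is undefined
    - item.mac is defined
  loop: "{{ interfaces }}"

- name: Configure interfaces - MAC address - vifs
  vyos.vyos.vyos_config:
    lines:
      - set interfaces ethernet "{{ item.vyos_if }}" vif "{{ item.vif }}" mac "{{ item.mac }}"
  when:
    - item.vif is defined
    - item.mac is defined
  loop: "{{ interfaces }}"

# L3 addressing; "ipv4_addr" may be a CIDR or "dhcp".
- name: Configure interfaces - L3 IPv4
  vyos.vyos.vyos_l3_interfaces:
    config:
      - name: "{{ item.vyos_if }}"
        ipv4:
          - address: "{{ item.ipv4_addr }}"
  when:
    - item.ipv4_addr is defined
    - item.vif is not defined
  loop: "{{ interfaces }}"

- name: Configure interfaces - L3 IPv4 - vifs
  vyos.vyos.vyos_l3_interfaces:
    config:
      - name: "{{ item.vyos_if }}"
        vifs:
          - ipv4:
              - address: "{{ item.ipv4_addr }}"
            vlan_id: "{{ item.vif }}"
  when:
    - item.ipv4_addr is defined
    - item.vif is defined
  loop: "{{ interfaces }}"

- name: Configure interfaces - L3 IPv6
  vyos.vyos.vyos_l3_interfaces:
    config:
      - name: "{{ item.vyos_if }}"
        ipv6:
          - address: "{{ item.ipv6_addr }}"
  when:
    - item.ipv6_addr is defined
    - item.vif is not defined
  loop: "{{ interfaces }}"

- name: Configure interfaces - L3 IPv6 - vifs
  vyos.vyos.vyos_l3_interfaces:
    config:
      - name: "{{ item.vyos_if }}"
        vifs:
          - ipv6:
              - address: "{{ item.ipv6_addr }}"
            vlan_id: "{{ item.vif }}"
  when:
    - item.ipv6_addr is defined
    - item.vif is defined
  loop: "{{ interfaces }}"

# The system resolver follows the DHCP lease of the WAN-zone interface
# only; other DHCP interfaces do not feed name servers into the box.
- name: Configure system resolver - use the DHCP supplied servers
  vyos.vyos.vyos_config:
    lines:
      - set system name-servers-dhcp "{{ item.vyos_if }}"
  when:
    - item.ipv4_addr is defined and item.ipv4_addr == "dhcp"
    - item.zone is defined and item.zone == "wan"
    - item.vif is undefined
  loop: "{{ interfaces }}"

- name: Configure system resolver - use the DHCP supplied servers - vifs
  vyos.vyos.vyos_config:
    lines:
      - set system name-servers-dhcp "{{ item.vyos_if }}.{{ item.vif }}"
  when:
    - item.ipv4_addr is defined and item.ipv4_addr == "dhcp"
    - item.zone is defined and item.zone == "wan"
    - item.vif is defined
  loop: "{{ interfaces }}"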
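---
# tasks file for nat
#
# nat.j2 reads "interfaces" (for entries with nat.role "outside") and
# "dhcp_subnets" (the source networks to masquerade); both must be set
# for the render to succeed.
- name: Apply NAT rules
  vyos.vyos.vyos_config:
    src: nat.j2
  tags:
    - nat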
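{# nat.j2: source NAT (masquerade) for every dhcp_subnets network behind #}
{# each interface whose nat.role contains "outside". #}
{# Rule numbers are "<outside-interface ordinal>0<subnet index>". The #}
{# ordinal counts outside interfaces, so with a single one the numbers #}
{# are 101, 102, ... exactly as before; a second outside interface gets #}
{# 201, 202, ... instead of colliding with the first. #}
{% set ns = namespace(outside=0) %}
{% for interface in interfaces %}
{% if 'nat' in interface and interface['nat']['role'] is defined and 'outside' in interface['nat']['role'] %}
{% set ns.outside = ns.outside + 1 %}
{# Check if WAN is through a virtual interface #}
{% set outbound = interface['vyos_if'] ~ ('.' ~ interface['vif'] if 'vif' in interface else '') %}
{# Not smart to assume that all valid subnets have dhcp enabled #}
{# ...but good enough for now. #}
{% for subnet in dhcp_subnets %}
set nat source rule {{ ns.outside }}0{{ loop.index }} translation address 'masquerade'
set nat source rule {{ ns.outside }}0{{ loop.index }} source address {{ subnet.subnet }}
set nat source rule {{ ns.outside }}0{{ loop.index }} outbound-interface '{{ outbound }}'
{% endfor %}
{% endif %}
{% endfor %}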