Commit graph

106 commits

Author SHA1 Message Date
Timotej Lazar 3e1949565a firewall: increase max connections
Apparently we reached the default.
2025-04-16 22:24:01 +02:00
Timotej Lazar ed0f4b4bff fabric: make some space
Oops, missed a spot.
2025-04-03 18:42:23 +02:00
Timotej Lazar a4c6ac04fb ansible: silence pointless warnings
Shut up about the discovered python interpreter already.
2025-04-03 17:51:18 +02:00
Timotej Lazar 39284749f2 fabric: clean up formatting for interface templates
Hypothetically.
2025-03-27 11:59:06 +01:00
Timotej Lazar 09eb030e32 exit: determine uplink gateway address from interface address
So we can actually drop the gateway custom field from NetBox interfaces.
2025-03-27 11:31:40 +01:00
Timotej Lazar a2d7174829 fabric: clean up switch.intf template
Add some comments, simplify some logic.
2025-03-26 22:50:52 +01:00
Timotej Lazar 2f662373e5 firewall: get mgmt gateway from custom field on prefix
Mainly so we can add IPv6 mgmt addresses and drop the gateway custom
field from NetBox interfaces.
2025-03-26 19:20:03 +01:00
Timotej Lazar 6040a3ae84 access: round allowed MACs on a port down to 64
Haven’t seen anyone use more than ten.
2025-03-26 19:12:15 +01:00
Timotej Lazar d3196a48c2 firewall: set up resolv.conf
To use IPv6 nameserver addresses.
2025-03-26 12:32:54 +01:00
Timotej Lazar f9f71bb337 firewall: don’t import or advertise subnets for inside networks
This is part two to commit 3b3e759c.
2025-03-26 12:32:54 +01:00
Timotej Lazar cafa938da3 firewall: consolidate IPv4 and IPv6 address families for BGP
2025-03-26 12:32:50 +01:00
Timotej Lazar 8a0113ea49 leaf: consolidate IPv4 and IPv6 address families for BGP
Same applies to spine.
2025-03-26 01:33:33 +01:00
Timotej Lazar d667a38553 exit: consolidate IPv4 and IPv6 address families
In BGP router configuration for default and inside VRFs.
2025-03-26 01:28:08 +01:00
Timotej Lazar 3b3e759cc1 exit: don’t import or advertise subnets for inside networks
This was here to maybe allow someone to advertise a subset of L2 IPs for
an inside (office) network over BGP from a datacenter server. This was
never used and wouldn’t work right in any case since those IPs wouldn’t
be reachable from L2 hosts on that network.

So allow advertising and VRF-importing only entire (/24) networks.
2025-03-24 18:15:53 +01:00
Timotej Lazar 0ed4973894 access: get mgmt gateway from custom field on prefix
Mainly so we can drop the gateway custom field from NetBox interfaces.
2025-03-24 18:13:55 +01:00
Timotej Lazar 9c35f0fa25 fabric: get mgmt gateway from custom field on prefix
Mainly so we can add IPv6 addresses to mgmt interfaces.
2025-03-24 18:13:20 +01:00
Timotej Lazar bc93f26a21 fabric: disable snmpd
And reduce CPU utilization from 150% to ~30%.
2025-03-23 12:35:23 +01:00
Timotej Lazar 60dd62c00f access: increase command timeout when setting config
Some options take a while to enable. Like port-security.
2025-03-18 14:40:18 +01:00
Timotej Lazar 08a0cdd994 exit: update package cache before installing stuff
2025-03-18 14:17:59 +01:00
Timotej Lazar c0156b4899 exit: bump keepalive version
And drop unneeded (also nonexistent) dependency.
2025-03-18 14:17:31 +01:00
Timotej Lazar 07fa350ae6 access: enable port-security
Should prevent one way of network coming down. Again.
2025-03-17 15:41:48 +01:00
Timotej Lazar fe30b550de fabric: add some Cumulus defaults to mgmt interface config
2025-03-14 15:30:44 +01:00
Timotej Lazar dd30e2ab1c access: support native VLAN on tagged interfaces for D-Link switches
2025-02-10 17:07:32 +01:00
Timotej Lazar f57023b0f0 firewall: allow connections from master over IPv6
Oops, missed a spot.
2024-12-20 15:18:36 +01:00
Timotej Lazar 1d97ec2cda exit: remove --giaddr-src option for DHCP relay
Seems to work OK without it.
2024-11-09 19:59:11 +01:00
Timotej Lazar de05fd236b access: enable DHCP snooping on D-Link switches
Use the ifaces_dhcp custom context property to select interfaces where
we should expect DHCP replies.
2024-11-09 19:58:28 +01:00
Timotej Lazar bbf0798d5c firewall: add more ports to AD service definition
2024-10-04 13:29:39 +02:00
Timotej Lazar 57197d7695 access: set up SNMP user for D-Link switches
2024-10-02 16:04:39 +02:00
Timotej Lazar e51d08c073 access: get switch username from password store
2024-10-02 10:39:12 +02:00
Timotej Lazar a230697846 access: disable HTTP service for D-Link switches
2024-09-30 10:50:50 +02:00
Timotej Lazar 7e02a13144 firewall: forward ICMP(v6) packets
2024-09-21 20:19:55 +02:00
Timotej Lazar f8e8acb521 firewall: expand convenience nftables port sets
Should probably just allow everything for AD at this point.
2024-09-21 20:19:24 +02:00
Timotej Lazar 5a9f0ac26a exit: strip own AS prefix from routes received by firewalls
For some reason routes with own ASN are not imported into default VRF.
Maybe also others. These routes forward packets through the firewalls.
As long as both exits are up this is not a problem, because routes
going to peer exit don’t include this exit’s own ASN.

If the peer goes down, all remaining routes sent by firewalls have our
own ASN and are not imported into default VRF, so L3 servers lose
connectivity to internal networks.

If the exit strips own ASN from received routes, importing works OK.
We strip both our and peer’s ASNs to keep path lengths the same.

This has involved an indecent amount of poking knobs and knobbing
pokes and it might cause other issues elsewhere.
2024-09-21 16:32:28 +02:00
Timotej Lazar ef1b00adce firewall: update backup route maps
To match the prefixes that are sent by firewalls.
2024-09-21 16:31:44 +02:00
Timotej Lazar 6c18e2ff94 firewall: add convenience nftables set for AD ports
Probably not all of these are necessary. Would be nice to allow
configuring this from the app.
2024-09-19 16:25:51 +02:00
Timotej Lazar ae1cfd5337 exit: enable forwarding directed broadcasts for WoL
Must be set in IPv4 sysctls for all interfaces and every input
interface from which broadcasts are sent. These are the virtual
MLAG interfaces (bridge-*-v0), which are created dynamically.

We enable directed broadcasts for (only MLAG) interfaces enumerated by
the ifaces_directed_broadcast value in NetBox device local context.
2024-09-18 14:27:30 +02:00
Timotej Lazar 6322d5ec97 exit: add routes for VPN IPv4 addresses to outside and default VRFs
Like commit 7b5980f but for VPN addresses. Also renumber some route
maps to improve consistency.
2024-09-16 17:20:43 +02:00
Timotej Lazar 6c8309f1c9 exit: leak non-NATted inside routes into default VRF
So we don’t have to NAT inside our own network. We still firewall.
2024-09-03 17:15:48 +02:00
Timotej Lazar 103ecae2e7 exit: leak outside routes into default VRF
So L3 servers can access L2 servers.
2024-09-01 12:19:13 +02:00
Timotej Lazar 3caea81896 access: add voice VLAN support
2024-09-01 10:37:11 +02:00
Timotej Lazar c3ff39fe72 firewall: reload nftables in mgmt VRF
It doesn’t matter for the rules themselves as nft does not do VRFs,
but DNS names can only be resolved there. This is because all nodes
use the same IPs in the default VRF, so DNS replies sent from there go
to the active node.

This allows using DNS names in firewall rules. Not yet sure if that is
actually a good idea.
2024-08-19 13:54:01 +02:00
Timotej Lazar 5032d1ac84 fabric: fix a template
This worked. Updated ansible. Then it didn’t.
2024-08-15 17:22:55 +02:00
Timotej Lazar 14d2e00f0b exit: only send RAs on interfaces with FHRP addresses
These are the ones we are router for.
2024-08-13 19:12:29 +02:00
Timotej Lazar 7b5980f871 exit: add routes for internal IPv4 addresses to outside VRF
Routed through and mostly dropped by the firewall, of course. So we
don’t necessarily have to do NAT for everything that comes from the
old / USI network.
2024-08-13 19:02:03 +02:00
Timotej Lazar fe8f9161d9 exit: drop redundant and now misleading comment
2024-08-12 11:46:42 +02:00
Timotej Lazar 9a56e48141 exit: allow multiple VLANs per VRF
Turns out that while Cumulus supports “up to” 255 VRFs, no switch it
runs on supports more than 64. So we have to turn down paranoia and
put internal networks for each tenant in the same VRF.

This commit just ensures VRF definitions are not duplicated on exits.
2024-08-04 14:12:26 +02:00
Timotej Lazar c239b91d17 Simplify README
2024-08-03 11:48:09 +02:00
Timotej Lazar c741b90981 fabric: disable less-than-sane Cumulus SSH default options
Why no ed25519 keys?
2024-07-26 14:27:34 +02:00
Timotej Lazar 82b10e8133 exit: support custom VRF imports
Ten minutes to set up and ten hours to convince Ansible to not be
quite so retarded. The list2dict filter seems to be the (or another)
missing piece. Now let’s rewrite everything else using it. Or not.
2024-07-15 14:22:42 +02:00
Timotej Lazar 99aef43574 exit: add DHCP relay for new server
Really quite shoddy as it is right now. Should get better once the old
server is retired.
2024-07-14 14:51:23 +02:00