617e0689f1
access: filter some more non-changes from config diff
2025-07-01 09:37:13 +02:00
410a67e05f
Ununlicense
Until we actually get permission to distribute this.
2025-07-01 09:32:55 +02:00
a1147a3283
access: disable port-security on trunk ports
Because it messes up AP roaming: client MAC will not be learned on the
switch port for the new AP until the old one times out in five minutes.
2025-05-23 12:39:59 +02:00
cf0fb98e4d
firewall: drop a space
2025-05-06 13:17:57 +02:00
899d7122f5
exit: fix handler order
Ensure interfaces are reloaded before reloading FRR.
2025-05-06 13:16:59 +02:00
3e1949565a
firewall: increase max connections
Apparently we reached the default.
2025-04-16 22:24:01 +02:00
ed0f4b4bff
fabric: make some space
Oops, missed a spot.
2025-04-03 18:42:23 +02:00
a4c6ac04fb
ansible: silence pointless warnings
Shut up about the discovered python interpreter already.
2025-04-03 17:51:18 +02:00
39284749f2
fabric: clean up formatting for interface templates
Hypothetically.
2025-03-27 11:59:06 +01:00
09eb030e32
exit: determine uplink gateway address from interface address
So we can actually drop the gateway custom field from NetBox interfaces.
2025-03-27 11:31:40 +01:00
a2d7174829
fabric: clean up switch.intf template
Add some comments, simplify some logic.
2025-03-26 22:50:52 +01:00
2f662373e5
firewall: get mgmt gateway from custom field on prefix
Mainly so we can add IPv6 mgmt addresses and drop the gateway custom
field from NetBox interfaces.
2025-03-26 19:20:03 +01:00
6040a3ae84
access: round allowed MACs on a port down to 64
Haven’t seen anyone use more than ten.
2025-03-26 19:12:15 +01:00
d3196a48c2
firewall: set up resolv.conf
To use IPv6 nameserver addresses.
2025-03-26 12:32:54 +01:00
f9f71bb337
firewall: don’t import or advertise subnets for inside networks
This is part two to commit 3b3e759c.
2025-03-26 12:32:54 +01:00
cafa938da3
firewall: consolidate IPv4 and IPv6 address families for BGP
2025-03-26 12:32:50 +01:00
8a0113ea49
leaf: consolidate IPv4 and IPv6 address families for BGP
Same applies to spine.
2025-03-26 01:33:33 +01:00
d667a38553
exit: consolidate IPv4 and IPv6 address families
In BGP router configuration for default and inside VRFs.
2025-03-26 01:28:08 +01:00
3b3e759cc1
exit: don’t import or advertise subnets for inside networks
This was here to maybe allow someone to advertise a subset of L2 IPs for
an inside (office) network over BGP from a datacenter server. This was
never used and wouldn’t work right in any case since those IPs wouldn’t
be reachable from L2 hosts on that network.
So allow advertising and VRF-importing only entire (/24) networks.
2025-03-24 18:15:53 +01:00
0ed4973894
access: get mgmt gateway from custom field on prefix
Mainly so we can drop the gateway custom field from NetBox interfaces.
2025-03-24 18:13:55 +01:00
9c35f0fa25
fabric: get mgmt gateway from custom field on prefix
Mainly so we can add IPv6 addresses to mgmt interfaces.
2025-03-24 18:13:20 +01:00
bc93f26a21
fabric: disable snmpd
And reduce CPU utilization from 150% to ~30%.
2025-03-23 12:35:23 +01:00
60dd62c00f
access: increase command timeout when setting config
Some options take a while to enable. Like port-security.
2025-03-18 14:40:18 +01:00
08a0cdd994
exit: update package cache before installing stuff
2025-03-18 14:17:59 +01:00
c0156b4899
exit: bump keepalive version
And drop unneeded (also nonexistent) dependency.
2025-03-18 14:17:31 +01:00
07fa350ae6
access: enable port-security
Should prevent one way of network coming down. Again.
2025-03-17 15:41:48 +01:00
fe30b550de
fabric: add some Cumulus defaults to mgmt interface config
2025-03-14 15:30:44 +01:00
dd30e2ab1c
access: support native VLAN on tagged interfaces for D-Link switches
2025-02-10 17:07:32 +01:00
f57023b0f0
firewall: allow connections from master over IPv6
Oops, missed a spot.
2024-12-20 15:18:36 +01:00
1d97ec2cda
exit: remove --giaddr-src option for DHCP relay
Seems to work OK without it.
2024-11-09 19:59:11 +01:00
de05fd236b
access: enable DHCP snooping on D-Link switches
Use the ifaces_dhcp custom context property to select interfaces where
we should expect DHCP replies.
2024-11-09 19:58:28 +01:00
bbf0798d5c
firewall: add more ports to AD service definition
2024-10-04 13:29:39 +02:00
57197d7695
access: set up SNMP user for D-Link switches
2024-10-02 16:04:39 +02:00
e51d08c073
access: get switch username from password store
2024-10-02 10:39:12 +02:00
a230697846
access: disable HTTP service for D-Link switches
2024-09-30 10:50:50 +02:00
7e02a13144
firewall: forward ICMP(v6) packets
2024-09-21 20:19:55 +02:00
f8e8acb521
firewall: expand convenience nftables port sets
Should probably just allow everything for AD at this point.
2024-09-21 20:19:24 +02:00
5a9f0ac26a
exit: strip own AS prefix from routes received by firewalls
For some reason routes with own ASN are not imported into default VRF.
Maybe also others. These routes forward packets through the firewalls.
As long as both exits are up this is not a problem, because routes
going to peer exit don’t include this exit’s own ASN.
If the peer goes down, all remaining routes sent by firewalls have our
own ASN and are not imported into default VRF, so L3 servers lose
connectivity to internal networks.
If the exit strips own ASN from received routes, importing works OK.
We strip both our and peer’s ASNs to keep path lengths the same.
This has involved an indecent amount of poking knobs and knobbing
pokes and it might cause other issues elsewhere.
2024-09-21 16:32:28 +02:00
ef1b00adce
firewall: update backup route maps
To match the prefixes that are sent by firewalls.
2024-09-21 16:31:44 +02:00
6c18e2ff94
firewall: add convenience nftables set for AD ports
Probably not all of these are necessary. Would be nice to allow
configuring this from the app.
2024-09-19 16:25:51 +02:00
ae1cfd5337
exit: enable forwarding directed broadcasts for WoL
Must be set in IPv4 sysctls for all interfaces and every input
interface from which broadcasts are sent. These are the virtual
MLAG interfaces (bridge-*-v0), which are created dynamically.
We enable directed broadcasts for (only MLAG) interfaces enumerated by
the ifaces_directed_broadcast value in NetBox device local context.
2024-09-18 14:27:30 +02:00
6322d5ec97
exit: add routes for VPN IPv4 addresses to outside and default VRFs
Like commit 7b5980f but for VPN addresses. Also renumber some route
maps to improve consistency.
2024-09-16 17:20:43 +02:00
6c8309f1c9
exit: leak non-NATted inside routes into default VRF
So we don’t have to NAT inside our own network. We still firewall.
2024-09-03 17:15:48 +02:00
103ecae2e7
exit: leak outside routes into default VRF
So L3 servers can access L2 servers.
2024-09-01 12:19:13 +02:00
3caea81896
access: add voice VLAN support
2024-09-01 10:37:11 +02:00
c3ff39fe72
firewall: reload nftables in mgmt VRF
It doesn’t matter for the rules themselves as nft does not do VRFs,
but DNS names can only be resolved there. This is because all nodes
use the same IPs in the default VRF, so DNS replies sent from there go
to the active node.
This allows using DNS names in firewall rules. Not yet sure if that is
actually a good idea.
2024-08-19 13:54:01 +02:00
5032d1ac84
fabric: fix a template
This worked. Updated ansible. Then it didn’t.
2024-08-15 17:22:55 +02:00
14d2e00f0b
exit: only send RAs on interfaces with FHRP addresses
These are the ones we are router for.
2024-08-13 19:12:29 +02:00
7b5980f871
exit: add routes for internal IPv4 addresses to outside VRF
Routed through and mostly dropped by the firewall, of course. So we
don’t necessarily have to do NAT for everything that comes from the
old / USI network.
2024-08-13 19:02:03 +02:00
fe8f9161d9
exit: drop redundant and now misleading comment
2024-08-12 11:46:42 +02:00