Commit graph

77 commits

Author SHA1 Message Date
Timotej Lazar a230697846 access: disable HTTP service for D-Link switches 2024-09-30 10:50:50 +02:00
Timotej Lazar 7e02a13144 firewall: forward ICMP(v6) packets 2024-09-21 20:19:55 +02:00
Timotej Lazar f8e8acb521 firewall: expand convenience nftables port sets
Should probably just allow everything for AD at this point.
2024-09-21 20:19:24 +02:00
Timotej Lazar 5a9f0ac26a exit: strip own AS prefix from routes received by firewalls
For some reason routes with own ASN are not imported into default VRF.
Maybe also others. These routes forward packets through the firewalls.
As long as both exits are up this is not a problem, because routes
going to peer exit don’t include this exit’s own ASN.

If the peer goes down, all remaining routes sent by firewalls have our
own ASN and are not imported into default VRF, so L3 servers lose
connectivity to internal networks.

If the exit strips own ASN from received routes, importing works OK.
We strip both our and peer’s ASNs to keep path lengths the same.

This has involved an indecent amount of poking knobs and knobbing
pokes and it might cause other issues elsewhere.
2024-09-21 16:32:28 +02:00
Timotej Lazar ef1b00adce firewall: update backup route maps
To match the prefixes that are sent by firewalls.
2024-09-21 16:31:44 +02:00
Timotej Lazar 6c18e2ff94 firewall: add convenience nftables set for AD ports
Probably not all of these are necessary. Would be nice to allow
configuring this from the app.
2024-09-19 16:25:51 +02:00
Timotej Lazar ae1cfd5337 exit: enable forwarding directed broadcasts for WoL
Must be set in IPv4 sysctls for all interfaces and every input
interface from which broadcasts are sent. These are the virtual
MLAG interfaces (bridge-*-v0), which are created dynamically.

We enable directed broadcasts for (only MLAG) interfaces enumerated by
the ifaces_directed_broadcast value in NetBox device local context.
2024-09-18 14:27:30 +02:00
Timotej Lazar 6322d5ec97 exit: add routes for VPN IPv4 addresses to outside and default VRFs
Like commit 7b5980f but for VPN addresses. Also renumber some route
maps to improve consistency.
2024-09-16 17:20:43 +02:00
Timotej Lazar 6c8309f1c9 exit: leak non-NATted inside routes into default VRF
So we don’t have to NAT inside our own network. We still firewall.
2024-09-03 17:15:48 +02:00
Timotej Lazar 103ecae2e7 exit: leak outside routes into default VRF
So L3 servers can access L2 servers.
2024-09-01 12:19:13 +02:00
Timotej Lazar 3caea81896 access: add voice VLAN support 2024-09-01 10:37:11 +02:00
Timotej Lazar c3ff39fe72 firewall: reload nftables in mgmt VRF
It doesn’t matter for the rules themselves as nft does not do VRFs,
but DNS names can only be resolved there. This is because all nodes
use the same IPs in the default VRF, so DNS replies sent from there go
to the active node.

This allows using DNS names in firewall rules. Not yet sure if that is
actually a good idea.
2024-08-19 13:54:01 +02:00
Timotej Lazar 5032d1ac84 fabric: fix a template
This worked. Updated ansible. Then it didn’t.
2024-08-15 17:22:55 +02:00
Timotej Lazar 14d2e00f0b exit: only send RAs on interfaces with FHRP addresses
These are the ones we are router for.
2024-08-13 19:12:29 +02:00
Timotej Lazar 7b5980f871 exit: add routes for internal IPv4 addresses to outside VRF
Routed through and mostly dropped by the firewall, of course. So we
don’t necessarily have to do NAT for everything that comes from the
old / USI network.
2024-08-13 19:02:03 +02:00
Timotej Lazar fe8f9161d9 exit: drop redundant and now misleading comment 2024-08-12 11:46:42 +02:00
Timotej Lazar 9a56e48141 exit: allow multiple VLANs per VRF
Turns out that while Cumulus supports “up to” 255 VRFs, no switch it
runs on supports more than 64. So we have to turn down paranoia and
put internal networks for each tenant in the same VRF.

This commit just ensures VRF definitions are not duplicated on exits.
2024-08-04 14:12:26 +02:00
Timotej Lazar c239b91d17 Simplify README 2024-08-03 11:48:09 +02:00
Timotej Lazar c741b90981 fabric: disable less-than-sane Cumulus SSH default options
Why no ed25519 keys?
2024-07-26 14:27:34 +02:00
Timotej Lazar 82b10e8133 exit: support custom VRF imports
Ten minutes to set up and ten hours to convince Ansible to not be
quite so retarded. The list2dict filter seems to be the (or another)
missing piece. Now let’s rewrite everything else using it. Or not.
2024-07-15 14:22:42 +02:00
Timotej Lazar 99aef43574 exit: add DHCP relay for new server
Really quite shoddy as it is right now. Should get better once the old
server is retired.
2024-07-14 14:51:23 +02:00
Timotej Lazar bb41d406f8 exit, firewall: don’t hardcode prefix length 2024-07-10 16:57:08 +02:00
Timotej Lazar 2327b42412 fabric: disable nvue-startup service 2024-07-04 15:36:02 +02:00
Timotej Lazar 48b987180a Move firewall_master role to servers repo 2024-07-04 15:35:41 +02:00
Timotej Lazar ff1abcb508 firewall: drop a line
It was rubbish.
2024-06-20 20:54:42 +02:00
Timotej Lazar 668af8bdb6 firewall: use a handler to reboot 2024-05-19 10:10:02 +02:00
Timotej Lazar 0e9dac6985 fabric: support arbitrary port breakouts
Not that we use anything but 1x and 4x. Mainly done so I can drop
nonexistent (because they have been broken out) interfaces from NetBox.
2024-05-13 17:44:39 +02:00
Timotej Lazar 16f34c4502 Don’t gather facts when setting them 2024-05-13 17:39:47 +02:00
Timotej Lazar 8c82af23e4 firewall: also configure VPN forwards in the app
There we can define forwards only for networks with actual VPN users.
2024-05-03 11:27:27 +02:00
Timotej Lazar 7656c05b2d Revert "firewall: configure NAT from NetBox data"
Changed my mind. All NAT and VPN is configured from the app now.
2024-04-30 20:59:49 +02:00
Timotej Lazar 8a9d47f176 firewall: configure NAT from NetBox data
This is dynamic NAT for (mostly) physical networks. NAT for custom
prefixes can still be defined in the app.
2024-04-28 15:54:01 +02:00
Timotej Lazar 457ab7d3b7 Query prefixes once for all hosts
And group them into vrf_prefixes for VLAN networks and bgp_prefixes for
servers plugged directly into fabric.

This should reduce the number of queries to NetBox when configuring
firewalls and exit switches. Not sure but I think set_fact helps to
avoid queries (as opposed to setting group_vars).
2024-04-28 12:14:05 +02:00
Timotej Lazar 1c0709a6a6 fabric: allow all VLANs on bridge
Don’t try to guess what should be allowed because not all switch links
are tagged in NetBox. For now we limit mainly on access switches.
2024-04-27 11:30:20 +02:00
Timotej Lazar c07c03a430 Set default inventory 2024-04-27 11:04:02 +02:00
Timotej Lazar 2443a90bc5 fabric: use FHRP groups for virtual router IPs
More realistic- and supported-like and also avoids duplicated gateway
addresses.
2024-04-14 15:15:48 +02:00
Timotej Lazar db397cb2b1 exit: store VLAN interface addresses in NetBox
… instead of generating them from prefixes. A NetBox script can be
used to create and configure all necessary data for a new VLAN.

Instead of VLAN roles “inside” and “outside” we now create separate
VRFs for inside VLANs to match the actual exit/firewall configuration.
The “outside” VRF is for all VLANs that are directly accessible from
the internet.
2024-04-10 14:03:50 +02:00
Timotej Lazar ece3b8a377 exit: sort prefixes by family values
Because I made some seemingly unrelated changes in NetBox and they all
got flipped‐turned upside down.
2024-04-09 10:47:51 +02:00
Timotej Lazar 000f625988 Move VM secrets to a separate password store directory 2024-04-08 15:06:18 +02:00
Timotej Lazar 6dcae194d7 firewall: accept VPN connections from inside also
People tend to leave WireGuard tunnels active and we don’t want things
to become unreachable when moving to one of the inside networks.
2024-04-08 15:03:29 +02:00
Timotej Lazar c479f90669 access: move switch config templates back to this repo
Let’s keep it simple. Also editing templates in NetBox is a pain.
2024-04-08 14:45:39 +02:00
Timotej Lazar 1ffdea8e43 firewall: fix duplicate space in template 2024-04-05 12:00:55 +02:00
Timotej Lazar f489555ba1 access: fix password store subdirectory for switches 2024-04-05 12:00:22 +02:00
Timotej Lazar 7ef4023424 firewall: add known IP ranges in network ipset definitions
This data should only change in NetBox, so no point deploying it from
firewall master. Sometimes the first approach is the best approach.
2024-03-19 09:46:26 +01:00
Timotej Lazar aa82e5aa18 firewall_master: don’t define ipsets for VLAN groups
Was a harebrained idea from the start.
2024-03-19 09:45:23 +01:00
Timotej Lazar a97d133873 fabric: don’t set bond slaves if there are none
Not that that should happen except by mistake.
2024-03-05 12:46:26 +01:00
Timotej Lazar be0cc49b33 access: ignore more non‐changes
Should probably move this somewhere more listy if it keeps growing.
2024-03-04 10:12:38 +01:00
Timotej Lazar dbc00fd448 fabric: add custom field on dcim.Interface for bond mode 2024-02-27 13:35:29 +01:00
Timotej Lazar ce7c1bd49e fabric: consolidate interface templates
Mostly to avoid special‐casing bond interfaces, and to support BGP
connections over virtual interfaces.
2024-02-27 13:35:29 +01:00
Timotej Lazar 5381fecaa4 fabric: fix check for peer switch 2024-02-27 13:35:29 +01:00
Timotej Lazar 65c16dbc63 Drop BGP update-delay option
Dropped from Cumulus manual and advised by seniors.
2024-02-27 13:35:29 +01:00