diff --git a/bundles/network/items.py b/bundles/network/items.py
index 2f9ce5b..3ba4ddf 100644
--- a/bundles/network/items.py
+++ b/bundles/network/items.py
@@ -3,6 +3,9 @@ for network_name, network_conf in node.metadata.get('network').items():
 svc_systemd[f'qdisc-{network_name}.service'] = {
 'enabled': True,
 'running': None,
+ 'needs': {
+ f'file:/usr/local/lib/systemd/system/qdisc-{network_name}.service',
+ },
 }
 actions[f'qdisc-{network_name}.service_restart_workaround'] = {
 'command': 'true',
diff --git a/bundles/nftables/files/nftables.conf b/bundles/nftables/files/nftables.conf
index 92d59ba..2ef86f5 100644
--- a/bundles/nftables/files/nftables.conf
+++ b/bundles/nftables/files/nftables.conf
@@ -2,6 +2,23 @@ flush ruleset +% if nat: +table ip nat { + + # NAT + + chain postrouting { + type nat hook postrouting priority 100 + policy accept + + # rules +% for rule in sorted(nat): + ${rule} +% endfor + } +} +% endif + table inet filter { # INPUT
diff --git a/bundles/nftables/items.py b/bundles/nftables/items.py
index bc221f9..65e1680 100644
--- a/bundles/nftables/items.py
+++ b/bundles/nftables/items.py
@@ -6,6 +6,7 @@ files = {
 'input': node.metadata.get('nftables/input'),
 'forward': node.metadata.get('nftables/forward'),
 'output': node.metadata.get('nftables/output'),
+ 'nat': node.metadata.get('nftables/nat'),
 },
 'triggers': [
 'svc_systemd:nftables.service:reload',
diff --git a/bundles/pppoe/REAMDE.md b/bundles/pppoe/REAMDE.md
new file mode 100644
index 0000000..258b552
--- /dev/null
+++ b/bundles/pppoe/REAMDE.md
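Review bot: The new `table ip nat` only rewrites source addresses; it does not decide which traffic is allowed to leave through the masqueraded interface — that remains the job of the `forward` chain in `table inet filter`, which lies outside this hunk, so confirm that chain limits forwarding to the intended internal source networks rather than treating NAT as an implicit filter. `${rule}` is interpolated verbatim from the `nat` metadata, which is acceptable for operator-controlled values, but one malformed entry is enough to make the whole `nft -f` load fail at reload time; a comment above the loop such as `# entries come verbatim from nftables/nat metadata; no validation happens here` would make that explicit. Note also that `table ip nat` covers IPv4 only, so any routed IPv6 traffic is not affected by these rules.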
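Review bot: `node.metadata.get('nftables/nat')` is called without a default, so on a node that uses nftables but includes no bundle setting `nftables/nat` (in this commit only the new pppoe bundle does) the lookup raises a KeyError in bundlewrap — unless the nftables bundle's own metadata defaults define the key, which is not visible here. If they do not, `'nat': node.metadata.get('nftables/nat', set()),` keeps the template's `% if nat:` guard meaningful. The enclosing `files` dict starts outside this hunk.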
@@ -0,0 +1,36 @@
+# Firtzbox
+
+Internet > Zugangsdaten
+
+Internetanbieter
+- weitere Internetanbieter
+- anderer Internetanbieter
+- Name: "My PPPOE" (nicht leer lassen)
+
+Anschluss
+(x) Anschluss an einen DSL-Anschluss
+
+Zugangsdaten
+(x) Nein
+
+Verbindungseinstellungen
+
+[x] VLAN für den Internetanschluss verwenden
+VLAN-ID: 7
+PBit: 0
+
+DSL-ATM-Einstellungen
+VPI: 1
+VCI: 32
+
+Kapselung
+(x) Routed Bridge Encapsulation
+[x] IP-Adresse automatisch über DHCP beziehen
+DHCP-Hostname: fritz.box
+
+PPPoE-Passthrough
+[x] Angeschlossene Netzwerkgeräte dürfen zusätzlich ihre eigene Internetverbindung aufbauen (nicht empfohlen)
+
+[ ] Internetzugang nach dem "Übernehmen" prüfen
+
+-> Danach muss bei "Internetanbieter" statt "weitere Internetanbieter" der gewählte Name stehen, also zB "My PPPOE"
\ No newline at end of file
diff --git a/bundles/pppoe/files/chap-secrets b/bundles/pppoe/files/chap-secrets
new file mode 100644
index 0000000..4744212
--- /dev/null
+++ b/bundles/pppoe/files/chap-secrets
@@ -0,0 +1,3 @@
+# Secrets for authentication using CHAP
+# client server secret IP addresses
+"${user}" * "${secret}" *
diff --git a/bundles/pppoe/files/isp b/bundles/pppoe/files/isp
new file mode 100644
index 0000000..f5fe185
--- /dev/null
+++ b/bundles/pppoe/files/isp
@@ -0,0 +1,10 @@
+linkname ppp0
+noauth
+defaultroute
+replacedefaultroute
+persist
+maxfail 0
+lcp-echo-interval 20
+lcp-echo-failure 3
+plugin rp-pppoe.so enp2s0
+user "${user}"
diff --git a/bundles/pppoe/items.py b/bundles/pppoe/items.py
new file mode 100644
index 0000000..625fe82
--- /dev/null
+++ b/bundles/pppoe/items.py
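Review bot: `"${user}" * "${secret}" *` substitutes both values verbatim, so a user name or password containing a double quote or a backslash produces a line that pppd's word parser reads differently from what was intended (it honours backslash escapes inside quoted words); escaping those two characters in the template, or asserting in `items.py` that the values contain neither, turns a silent authentication failure into an explicit one. If the provider negotiates PAP rather than CHAP, pppd looks up `/etc/ppp/pap-secrets`, which this bundle does not manage — confirm the ISP's authentication protocol, or render the same template to pap-secrets as well.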
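Review bot: `plugin rp-pppoe.so enp2s0` hard-codes the carrier interface, while `nodes/home.router.py` in this same commit records it as `'interface': 'enp2s0'` under `network/external`; since the peers file is already rendered with Mako (per `bundles/pppoe/items.py`), `plugin rp-pppoe.so ${interface}` with `'interface'` added to the file's `context` would keep the two in one place. `noauth` only means the peer is not required to authenticate itself to us — we still authenticate via chap-secrets — but the bare keyword is easy to misread as disabling our own login; a comment above it, `# noauth: do not demand authentication from the ISP; our own credentials come from chap-secrets`, would prevent that.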
@@ -0,0 +1,36 @@
+files = {
+ '/etc/modules-load.d/pppoe.conf': {
+ 'content': 'pppoe\npppox\nppp_generic',
+ 'mode': '0644',
+ },
+ '/etc/ppp/peers/isp': {
+ 'content_type': 'mako',
+ 'mode': '0644',
+ 'context': {
+ 'user': node.metadata.get('pppoe/user'),
+ },
+ 'needs': {
+ 'pkg_apt:pppoe',
+ },
+ },
+ '/etc/ppp/chap-secrets': {
+ 'content_type': 'mako',
+ 'mode': '0600',
+ 'context': {
+ 'user': node.metadata.get('pppoe/user'),
+ 'secret': node.metadata.get('pppoe/secret'),
+ },
+ 'needs': {
+ 'pkg_apt:pppoe',
+ },
+ },
+}
+
+svc_systemd = {
+ 'pppoe-isp.service': {
+ 'needs': {
+ 'file:/etc/ppp/peers/isp',
+ 'file:/etc/ppp/chap-secrets',
+ },
+ },
+}
diff --git a/bundles/pppoe/metadata.py b/bundles/pppoe/metadata.py
new file mode 100644
index 0000000..fd8713e
--- /dev/null
+++ b/bundles/pppoe/metadata.py
@@ -0,0 +1,29 @@
+defaults = {
+ 'apt': {
+ 'packages': {
+ 'pppoe': {},
+ },
+ },
+ 'nftables': {
+ 'nat': {
+ 'oifname ppp0 masquerade',
+ },
+ },
+ 'systemd': {
+ 'units': {
+ 'pppoe-isp.service': {
+ 'Unit': {
+ 'Description': 'PPPoE Internet Connection',
+ 'After': 'network.target',
+ },
+ 'Service': {
+ 'Type': 'forking',
+ 'ExecStart': '/usr/sbin/pppd call isp',
+ 'Restart': 'on-failure',
+ 'RestartSec': 5,
+ },
+ },
+ },
+ },
+
+}
diff --git a/nodes/home.router.py b/nodes/home.router.py
index 0f257e0..f167623 100644
--- a/nodes/home.router.py
+++ b/nodes/home.router.py
@@ -11,6 +11,7 @@
 'bundles': [
 'kea-dhcpd',
 'wireguard',
+ 'pppoe',
 ],
 'metadata': {
 'id': '1d6a43e5-858c-42f9-9c40-ab63d61c787c',
@@ -28,12 +29,9 @@
 'dhcp_server': True,
 },
 'external': {
- 'type': 'vlan',
- 'vlan_interface': 'internal',
- 'id': 3,
- 'ipv4': '10.0.99.126/24',
- 'gateway4': '10.0.99.1',
- 'qdisc': 'cake bandwidth 40Mbit diffserv4',
+ 'interface': 'enp2s0',
+ 'ipv4': '10.0.98.2/24',
+ #'qdisc': 'cake bandwidth 35Mbit diffserv4',
 },
 'proxmox': {
 'type': 'vlan',
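Review bot: `svc_systemd['pppoe-isp.service']` needs the two ppp files but not the unit file itself, whereas the `qdisc-*` services in `bundles/network/items.py` in this same commit gain `needs: file:/usr/local/lib/systemd/system/<unit>`; if the systemd bundle writes its units to that path (inferred from that hunk, not visible here), add `'file:/usr/local/lib/systemd/system/pppoe-isp.service',` to the `needs` set so the service is not enabled before its unit exists. `/etc/ppp/chap-secrets` correctly gets mode `0600`, but the reason is not stated and `'owner'`/`'group'` rely on bundlewrap defaults; a comment `# 0600: this file holds the ISP password in plaintext` next to the mode documents the intent.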
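Review bot: The `pppoe-isp.service` unit in `bundles/pppoe/metadata.py` has no `Install` section, so the `systemctl enable` that `svc_systemd` performs by default fails with "unit has no installation config" unless the systemd bundle appends one — that bundle is not visible here; if it does not, add `'Install': {'WantedBy': 'multi-user.target'},` alongside `'Unit'` and `'Service'`. `'Type': 'forking'` is correct only because pppd detaches once the link is established (no `nodetach` in `peers/isp`), which is not obvious from the unit; a comment `# forking: pppd detaches after the link comes up` would explain it. The stray blank line before the closing `}` of `defaults` is a minor style nit.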
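Review bot: `#'qdisc': 'cake bandwidth 35Mbit diffserv4',` in `nodes/home.router.py` is commented-out configuration with no explanation, so a later reader cannot tell whether shaping was dropped deliberately or forgotten; either remove the line or state the reason, e.g. `# qdisc disabled: shaping presumably belongs on ppp0, not on the PPPoE carrier — TODO confirm`. The `'external'` block also keeps a static `'ipv4': '10.0.98.2/24'` on `enp2s0` while the default route now comes from pppd's `defaultroute`; if that address is only for reaching the modem, a one-line comment saying so would avoid confusion with the removed `gateway4` setup.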
@@ -61,6 +59,10 @@
 'master_node': 'htz.mails',
 'hostname': 'home.resolver.name',
 },
+ 'pppoe': {
+ 'user': '!decrypt:encrypt$gAAAAABocUfodLqCBKPPN7H9S64yJ7kRddtaWI0nQU2oklPMEjBhMsir4NL2yjkcHXAN-Ozqn6FCokyE1AL8ek3c5CqAvd83jkxZytp-oclrKqUD9uhUCy4=',
+ 'secret': '!decrypt:encrypt$gAAAAABocUhmDqFZsyHYBIP2qdMFIS1eWT_bPdyv98cHzIgeKFAxDfcCrVJwDxVPFDDMa_7UT76HDJLvtdYQ8mFl2RL0yR8k2A=='
+ },
 'sysctl': {
 'net': {
 'ipv4': {
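Review bot: `'secret': '!decrypt:encrypt$…'` is the only entry in this dict literal without a trailing comma, unlike every neighbouring line; adding it (`'secret': '<ciphertext>',`) keeps future additions to the `'pppoe'` block from producing noisy diffs. Storing both values through bundlewrap's `!decrypt:` scheme is the right choice; the decrypted password ends up only in `/etc/ppp/chap-secrets`, which `bundles/pppoe/items.py` writes with mode `0600`.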