gateway config

ansible.cfg

+[ssh_connection]
+pipelining = True

group_vars/all.yml

+radvd_prefixes:
+  - fdef:ffc0:3dd7::/64
+  - 2001:67c:2d50::/64
+dhcpd_subnet: 10.130.0.0
+dhcpd_netmask: 255.255.240.0

host_vars/burgtor.yml

+ip4: 10.130.0.255
+ip6: 2001:67c:2d50::e01
+ip6_ula: fdef:ffc0:3dd7::e01
+fastd_mac: 52:54:00:f3:62:d9
+fastd_mac_2: ea:af:13:66:6d:71
+fastd_gw_mac: 52:54:00:f3:62:da
+freifunk_mac: 52:54:00:ee:5c:d7
+dhcpd_start: 10.130.12.63
+dhcpd_end: 10.130.15.254
+snat_dev: ffrhein-+
+snat_ip4: 185.66.193.32
+icvpn_name: luebeck2
+icvpn_ip4: 10.207.0.131
+icvpn_ip6: fec0::a:cf:0:83
+units_enable:
+  - "'fastd@dn42\\x2dchaos.service'"

host_vars/holstentor.yml

+ip4: 10.130.0.253
+ip6: 2001:67c:2d50::c01
+ip6_ula: fdef:ffc0:3dd7::c01
+fastd_mac: d6:89:49:08:f6:9d
+fastd_mac_2: ce:69:95:f0:a9:53
+fastd_gw_mac: d6:89:49:08:f6:9e
+freifunk_mac: 52:54:00:0c:bb:eb
+dhcpd_start: 10.130.4.191
+dhcpd_end: 10.130.8.126
+snat_dev: ffrhein-+
+snat_ip4: 185.66.193.33
+icvpn_name: luebeck1
+icvpn_ip4: 10.207.0.130
+icvpn_ip6: fec0::a:cf:0:82
+units_enable:
+  - "'fastd@dn42\\x2dchaos.service'"

host_vars/huextertor.yml

+ip4: 10.130.0.252
+ip6: 2001:67c:2d50::801
+ip6_ula: fdef:ffc0:3dd7::801
+fastd_mac: d2:d0:93:63:f7:da
+fastd_mac_2: 66:3a:16:58:af:5c
+fastd_gw_mac: d2:d0:93:63:f7:db
+freifunk_mac: 6e:e4:d2:8a:3b:63
+dhcpd_start: 10.130.1.0
+dhcpd_end: 10.130.4.190
+units_enable:
+  - openvpn@hideio.service

host_vars/muehlentor.yml

+ip4: 10.130.0.254
+ip6: 2001:67c:2d50::a01
+ip6_ula: fdef:ffc0:3dd7::a01
+fastd_mac: 26:9c:57:9b:5c:b2
+fastd_mac_2: 6a:0a:8d:97:50:69
+fastd_gw_mac: 26:9c:57:9b:5c:b3
+freifunk_mac: de:ad:ca:fe:46:1d
+dhcpd_start: 10.130.8.127
+dhcpd_end: 10.130.12.62
+units_enable:
+  - openvpn@hideio.service

hosts

+[gateways]
+burgtor ansible_ssh_host=burgtor.luebeck.freifunk.net
+holstentor ansible_ssh_host=holstentor.luebeck.freifunk.net
+muehlentor ansible_ssh_host=muehlentor.luebeck.freifunk.net
+huextertor ansible_ssh_host=huextertor.luebeck.freifunk.net
+
+[gateways:vars]
+ansible_python_interpreter=/usr/bin/env python2

playbook.yml

+---
+- hosts: all
+  sudo: yes
+  roles:
+    - base
+
+- hosts: burgtor:holstentor
+  sudo: yes
+  roles:
+    - icvpn
+    - ffrhein-uplink

roles/base/files/bird/base/bird.conf

+table peering;
+table kernelcopy;
+table mesh;
+
+protocol device {
+	scan time 10;
+}
+
+# host configuration
+#####################
+
+include "bird_host.conf";
+
+# constants
+############
+
+define OWNAS = 201173;
+define OWNMAGIC = 42;
+define KERNEL_TABLE = ipt_freifunk;
+
+# filter helpers
+#################
+
+function is_default()        { return net ~ [ 0.0.0.0/0          ]; }
+function is_freifunk()       { return net ~ [ 10.0.0.0/8+        ]; }
+function is_dn42()           { return net ~ [ 172.22.0.0/15+, 172.20.0.0/16+ ]; }
+function is_chaosvpn()       { return net ~ [ 172.31.0.0/16+     ]; }
+function is_self_net()       { return net ~ [ 10.130.0.0/16+     ]; }
+function is_self_mesh()      { return net ~ [ 10.130.0.0/20+     ]; }
+function is_self_private()   { return net ~ [ 10.130.64.0/18+    ]; }
+function is_self_mgmt()      { return net ~ [ 10.130.127.224/27+ ]; }
+
+# static routes
+################
+
+protocol static static_mesh {
+	table peering;
+	route 10.130.0.0/16 reject;
+};
+
+protocol static local_mesh {
+	route 10.130.0.0/20 via "freifunk-hl";
+};
+
+protocol static mesh_dn42 {
+  table mesh;
+  route 172.20.0.0/16 reject;
+  route 172.22.0.0/15 reject;
+};
+
+protocol static mesh_freifunk {
+  table mesh;
+  route 10.0.0.0/8 reject;
+};
+
+# 464XLAT
+##########
+
+protocol static static_464xlat {
+  route 10.130.64.0/18 via "nat64";
+}
+
+# Mesh-internal routing
+########################
+
+protocol rip rip_mesh {
+  table mesh;
+	interface "freifunk-hl";
+	import where is_self_private() && !is_self_mgmt();
+	export where !((OWNMAGIC, 1) ~ bgp_community) && !is_self_mesh();
+};
+
+# OSPF between gateways
+########################
+
+protocol ospf ospf_mesh {
+	preference 90;
+	export where !((OWNMAGIC, 1) ~ bgp_community) && proto != "rip_mesh";
+	import all;
+	area 0 {
+		interface "freifunk-hl" {
+			authentication cryptographic;
+			include "password.conf";
+			type nonbroadcast;
+			neighbors {
+				10.130.0.252 eligible; # huextertor
+				10.130.0.253 eligible; # holstentor
+				10.130.0.254 eligible; # muehlentor
+				10.130.0.255 eligible; # burgtor
+			};
+		};
+	};
+};
+
+# Kernel routing tables
+########################
+
+protocol kernel {
+	scan time 20;
+	device routes;
+	import none;
+	export filter {
+		if is_dn42()     then { krt_prefsrc = OWNIP; accept ; }
+		if is_freifunk() then { krt_prefsrc = OWNIP; accept ; }
+		reject;
+	};
+};
+
+protocol kernel {
+	table kernelcopy;
+	kernel table KERNEL_TABLE;
+	scan time 20;
+	device routes;
+	import none;
+	export filter {
+		if is_default()  then accept;
+		if is_dn42()     then { krt_prefsrc = OWNIP; accept ; }
+		if is_freifunk() then { krt_prefsrc = OWNIP; accept ; }
+		reject;
+	};
+}
+
+# plumbing
+###########
+
+protocol pipe {
+	peer table kernelcopy;
+	import none;
+	export all;
+}
+
+protocol pipe {
+	peer table peering;
+	import all;
+	export none;
+}
+
+protocol pipe {
+  peer table mesh;
+  import where source != RTS_STATIC;
+  export where is_default() || is_self_net();
+}
+
+# static routes
+################
+
+protocol static unreachable_default {
+	preference 0;
+	route 0.0.0.0/0 reject;
+}
+
+# Mesh-internal BGP between all gateways
+#########################################
+
+template bgp bgp_ibgp {
+	table peering;
+	local as OWNAS;
+	direct;
+	import all;
+	export filter { bgp_community.add((OWNMAGIC, 1));
+	                if is_default() then reject;
+	                if source = RTS_BGP then accept;
+	                reject;
+	              };
+}
+
+# InterCity VPN peerings
+#########################
+
+template bgp bgp_icvpn {
+	table peering;
+	local as OWNAS;
+	import where (is_freifunk() || is_dn42() || is_chaosvpn()) && !is_self_net();
+	export where (is_freifunk() || is_dn42());
+};
+
+# ffrheinland ipv4
+###################
+
+template bgp bgp_ffrhein {
+	table peering;
+	local as 201173;
+	import all;
+	export where net ~ [185.66.193.32/29+];
+	next hop self;
+}
+
+# DN42 peerings
+################
+
+template bgp bgp_dn42 {
+	table peering;
+	local as OWNAS;
+	import where is_dn42() || is_chaosvpn();
+	export where !is_default();
+};
+
+# Include local configuration
+# '?' instead of 'f' avoids failures when these
+# files do not exist
+################################################
+
+include "bird_local.con?";
+include "bird_ibgp.con?";
+include "bird_icvpn.con?";
+include "bird_ffrhein.con?";

roles/base/files/bird/base/bird6.conf

+table peering;
+table transit;
+table kernelcopy;
+table mesh;
+
+protocol device {
+  scan time 10;
+}
+
+# host configuration
+#####################
+
+include "bird6_host.conf";
+
+# constants
+############
+
+define OWNAS        = 201173;
+define OWNMAGIC     = 42;
+define KERNEL_TABLE = ipt_freifunk;
+
+# ROA table
+############
+
+roa table roa_icvpn {
+  include "roa.ip6";
+}
+
+# filter helpers
+#################
+
+function is_default()     { return net ~ [ ::/0                ]; }
+function is_global()      { return net ~ [ 2000::/3+           ]; }
+function is_ula()         { return net ~ [ fc00::/7{48,64}     ]; }
+function is_freifunk()    { return net ~ [ 2001:bf7::/32+      ]; }
+function is_self_public() { return net ~ [ 2001:67c:2d50::/48+ ]; }
+function is_self_net()    { return net ~ [ fdef:ffc0:3dd7::/48+
+                                         , 2001:67c:2d50::/48+
+                                         ]; }
+function is_self_mesh()   { return net ~ [ fdef:ffc0:3dd7::/64+
+                                         , 2001:67c:2d50::/64+
+                                         ]; }
+
+function is_self_mgmt()   { return net ~ [ 2001:67c:2d50:1::a82:7fe0/123+ ]; }
+
+# filters
+##########
+
+filter bgp_import_filter {
+  if is_self_net() then reject;
+  if is_ula() then accept;
+  if roa_check(roa_icvpn) = ROA_VALID then {
+    accept;
+  } else {
+    print "ROA check failed for ", net, " ASN ", bgp_path.last;
+  }
+  reject;
+}
+
+# static routes
+################
+
+protocol static local_freifunk {
+  table peering;
+  route fdef:ffc0:3dd7::/48 reject;
+  route 2001:67c:2d50::/48 reject;
+}
+
+protocol static local_freifunk_transit {
+  table transit;
+  route 2001:67c:2d50::/48 reject;
+}
+
+protocol static local_mesh {
+  route fdef:ffc0:3dd7::/64 via "freifunk-hl";
+  route 2001:67c:2d50::/64 via "freifunk-hl";
+}
+
+protocol static mesh_ula {
+  table mesh;
+  route fc00::/7 reject;
+}
+
+# 464XLAT
+##########
+
+protocol static static_464xlat {
+  route 2001:67c:2d50:1::/96 via "nat64";
+}
+
+# Mesh-internal routing
+########################
+
+protocol rip rip_mesh {
+  table mesh;
+  interface "freifunk-hl";
+  preference 10;
+  import where is_self_net() && !is_self_mgmt();
+  export where is_self_net() || is_default() || (!((OWNMAGIC, 1) ~ bgp_community) && is_ula()) || source = RTS_STATIC;
+}
+
+# OSPF between gateways
+########################
+
+protocol ospf ospf_mesh {
+	preference 90;
+	export where !((OWNMAGIC, 1) ~ bgp_community) && proto != "rip_mesh";
+	import all;
+	area 0 {
+		interface "freifunk-hl" {
+# OSPFv3 authentication not yet supported by bird
+#			authentication cryptographic;
+#			include "password.conf";
+			type nonbroadcast;
+			neighbors {
+				2001:67c:2d50::801 eligible; # huextertor
+				2001:67c:2d50::a01 eligible; # muehlentor
+				2001:67c:2d50::c01 eligible; # holstentor
+				2001:67c:2d50::e01 eligible; # burgtor
+			};
+		};
+	};
+};
+
+# Kernel routing tables
+########################
+
+protocol kernel {
+  scan time 20;
+  device routes;
+  import none;
+  export filter {
+    if is_ula()      then { krt_prefsrc = ULA_IP;    accept; }
+    if is_self_net() then { krt_prefsrc = PUBLIC_IP; accept; }
+    reject;
+  };
+}
+
+protocol kernel {
+  table kernelcopy;
+  kernel table KERNEL_TABLE;
+  scan time 20;
+  device routes;
+  import none;
+  export all;
+}
+
+# plumbing
+###########
+
+protocol pipe {
+  peer table kernelcopy;
+  import none;
+  export all;
+}
+
+protocol pipe {
+  peer table peering;
+  import all;
+  export none;
+}
+
+protocol pipe {
+  peer table transit;
+  import all;
+  export none;
+}
+
+protocol pipe {
+  peer table mesh;
+  import where source != RTS_STATIC;
+  export where is_default() || is_self_net();
+}
+
+# static routes
+################
+
+protocol static unreachable_default {
+  preference 0;
+  route ::/0 reject;
+}
+
+# Mesh-internal BGP between all gateways
+#########################################
+
+template bgp bgp_ibgp {
+  table peering;
+  local as OWNAS;
+  direct;
+  import all;
+  export filter { bgp_community.add((OWNMAGIC, 1));
+                  if source = RTS_BGP then accept;
+                  reject;
+                };
+}
+
+# InterCity VPN peerings
+#########################
+
+template bgp bgp_icvpn {
+  table peering;
+  local as OWNAS;
+  import keep filtered;
+  import filter bgp_import_filter;
+  export all;
+}
+
+# public IPv6
+##############
+
+template bgp bgp_public {
+  table transit;
+  local as OWNAS;
+  import where !is_self_net() && is_global();
+  export where is_self_public();
+  next hop self;
+}
+
+# DN42 peerings
+################
+
+template bgp bgp_dn42 {
+  table peering;
+  local as OWNAS;
+  import filter bgp_import_filter;
+  export all;
+}
+
+# anycast DNS
+##############
+
+protocol static anycast_dns {
+  route 2001:67c:2d50:1::10.130.127.224/128 via "anycast-dns";
+}
+
+# Include local configuration
+# '?' instead of 'f' avoids failures when these
+# files do not exist
+################################################
+
+include "bird6_local.con?";
+include "bird6_ibgp.con?";
+include "bird6_icvpn.con?";

roles/base/files/bird/base/bird6_ibgp.conf

+protocol bgp bgp_ibgp_huextertor from bgp_ibgp {
+  neighbor 2001:67c:2d50::801 as OWNAS;
+}
+
+protocol bgp bgp_ibgp_muehlentor from bgp_ibgp {
+  neighbor 2001:67c:2d50::a01 as OWNAS;
+}
+
+protocol bgp bgp_ibgp_holstentor from bgp_ibgp {
+  neighbor 2001:67c:2d50::c01 as OWNAS;
+}
+
+protocol bgp bgp_ibgp_burgtor from bgp_ibgp {
+  neighbor 2001:67c:2d50::e01 as OWNAS;
+}

roles/base/files/bird/base/bird_ibgp.conf

+protocol bgp bgp_ibgp_huextertor from bgp_ibgp {
+	neighbor 10.130.0.252 as OWNAS;
+}
+
+protocol bgp bgp_ibgp_holstentor from bgp_ibgp {
+	neighbor 10.130.0.253 as OWNAS;
+}
+
+protocol bgp bgp_ibgp_muehlentor from bgp_ibgp {
+	neighbor 10.130.0.254 as OWNAS;
+}
+
+protocol bgp bgp_ibgp_burgtor from bgp_ibgp {
+	neighbor 10.130.0.255 as OWNAS;
+}

roles/base/files/bird/burgtor/bird6_local.conf

+# public BGP
+#############
+
+protocol bgp ffrhein_fra3 from bgp_public {
+	neighbor 2a03:2260:0:36::1 as 201701;
+}
+
+protocol bgp ffrhein_dus from bgp_public {
+	neighbor 2a03:2260:0:37::1 as 201701;
+}
+
+protocol bgp he from bgp_public {
+	neighbor 2001:470:12:8::1 as 6939;
+}
+
+# dn42
+#######
+
+protocol bgp bgp_dn42_chaos from bgp_dn42 {
+	source address fe80::ac16:fd8c;
+	neighbor fe80::ac16:fd8b%dn42_chaos as 64784;
+}
+
+protocol bgp bgp_dn42_mneme from bgp_dn42 {
+	neighbor 2a01:4f8:200:71e3:5054:ff:feff:cbce as 76112;
+}
+
+protocol bgp bgp_dn42_nbsp_router from bgp_dn42 {
+	source address 2001:67c:2d50::e01;
+	neighbor 2001:67c:2d50::2b as 76129;
+}

roles/base/files/bird/burgtor/bird_local.conf

+# public BGP
+#############
+
+protocol bgp ffrhein_fra3 from bgp_ffrhein {
+	source address 100.64.0.95;
+	neighbor 100.64.0.94 as 201701;
+}
+
+protocol bgp ffrhein_dus from bgp_ffrhein {
+	source address 100.64.0.93;
+	neighbor 100.64.0.92 as 201701;
+}
+
+# dn42
+#######
+
+protocol bgp bgp_dn42_chaos from bgp_dn42 {
+	neighbor 172.22.253.139 as 64784;
+};
+
+protocol bgp bgp_dn42_mneme from bgp_dn42 {
+	neighbor 172.23.190.65 as 76112;
+};
+
+protocol bgp bgp_nbsp_router from bgp_dn42 {
+	neighbor 10.130.0.43 as 76129;
+};

roles/base/files/bird/holstentor/bird6_local.conf

+# public BGP
+#############
+
+protocol bgp ffrhein_ber from bgp_public {
+        neighbor 2a03:2260:0:59::1 as 201701;
+}
+
+protocol bgp ffrhein_fra3 from bgp_public {
+        neighbor 2a03:2260:0:60::1 as 201701;
+}
+
+protocol bgp he from bgp_public {
+        neighbor 2001:470:12:35::1 as 6939;
+}
+
+# dn42
+#######
+
+protocol bgp bgp_dn42_chaos from bgp_dn42 {
+	source address fe80::ac16:fd92;
+	neighbor fe80::ac16:fd91%dn42_chaos as 64784;
+}
+
+protocol bgp bgp_nbsp_router from bgp_dn42 {
+  source address 2001:67c:2d50::c01;
+  neighbor 2001:67c:2d50::2b as 76129;
+}

roles/base/files/bird/holstentor/bird_local.conf

+# public BGP
+#############
+
+protocol bgp ffrhein_ber from bgp_ffrhein {
+        source address 100.64.0.165;
+        neighbor 100.64.0.164 as 201701;
+}
+
+protocol bgp ffrhein_fra3 from bgp_ffrhein {
+        source address 100.64.0.167;
+        neighbor 100.64.0.166 as 201701;
+}
+
+# dn42
+#######
+
+protocol bgp bgp_dn42_chaos from bgp_dn42 {
+        neighbor 172.22.253.145 as 64784;
+}
+
+protocol bgp bgp_dn42_nbsp_router from bgp_dn42 {
+        neighbor 10.130.0.43 as 76129;
+}

roles/base/files/bird/huextertor/bird6_local.conf

+# public BGP
+#############
+
+protocol bgp ffhh_wende0 from bgp_public {
+        neighbor 2a03:2267:ffff:b01::1 as 49009;
+}

roles/base/files/bird/huextertor/bird_local.conf

+# default routes
+#################
+
+protocol static default_route_hideio {
+	route 0.0.0.0/0 via "hideio";
+}

roles/base/files/bird/muehlentor/bird6_local.conf

+# public BGP
+#############
+

roles/base/files/bird/muehlentor/bird_local.conf

+# default routes
+#################
+
+protocol static default_route {
+	route 0.0.0.0/0 via "hideio";
+}