Add fsol02.home.foo.sh

group_vars/fsol.yml

@@ -0,0 +1,12 @@
+---
+network_carp_interfaces:
+  - device: vio2
+    vhid: 145
+    ipaddr: 37.16.96.145
+    netmask: 255.255.255.240
+    pass: "{{ carp145_pass }}"
+    advskew: 128
+network_dns_servers: [172.20.20.10, 172.20.21.1, 172.20.21.2]
+
+# use custom firewall config
+firewall_src: pf.conf.gw_fsol

host_vars/fsol02.home.foo.sh.yml

@@ -0,0 +1,15 @@
+---
+vmhost: vmhost02.home.foo.sh
+network_interfaces:
+  - device: vio0
+    vlan: 20
+    mac: 52:54:00:ac:dc:40
+    ipaddr: 172.20.21.64
+    netmask: 255.255.252.0
+    proto: static
+  - device: vio1
+    vlan: 103
+    proto: dhcp
+  - device: vio2
+    vlan: 102
+    proto: none

hosts

@@ -4,6 +4,9 @@ adm01.home.foo.sh
 [collab]
 collab01.home.foo.sh
 
+[fsol]
+fsol02.home.foo.sh
+
 [git]
 git02.home.foo.sh
 
@@ -62,6 +65,7 @@ ldap
 collab
 
 [openbsd:children]
+fsol
 gw
 log
 ns

playbooks/fsol.yml

@@ -0,0 +1,32 @@
+---
+- import_playbook: "include/deploy-kvm-guest.yml myhosts=fsol"
+
+- name: configure instance
+  hosts: fsol
+  user: root
+  gather_facts: true
+
+  vars_files:
+    - "{{ ansible_private }}/vars.yml"
+
+  tasks:
+    - name: enable ip forwarding
+      sysctl:
+        name: "{{ item }}"
+        sysctl_set: true
+        value: "1"
+      with_items:
+        - net.inet.ip.forwarding
+        - net.inet6.ip6.forwarding
+    - name: use manual dns servers
+      copy:
+        dest: /etc/dhclient.conf
+        content: "ignore domain-name-servers, domain-name;\n"
+        mode: 0644
+        owner: root
+        group: "{{ ansible_wheel }}"
+
+  roles:
+    - base
+    - bird
+    - openvpn

roles/pf/files/pf.conf.gw_fsol

@@ -0,0 +1,55 @@
+# interfaces
+int_if = "vio0"
+ext_if = "vio1"
+dmz_if = "vio2"
+fsol_if = "tap0"
+
+# networks
+int_net = "(" $int_if:network ")"
+ext_net = "(" $ext_if:network ")"
+dmz_net = "(" carp145:network ")"
+
+# my addrss
+int_me = "(" $int_if:0 ")"
+ext_me = "(" $ext_if:0 ")"
+
+# options
+set block-policy return
+set loginterface $int_if
+set skip on lo0
+
+# assemble fragmented packets
+match in all scrub (no-df)
+
+# allow icmp
+pass quick inet proto icmp
+pass quick inet6 proto icmp6
+
+# antispoof at this point
+antispoof for lo0
+antispoof for vio0
+
+# admin connection (internal)
+pass in quick on $int_if proto tcp from $int_net to self port ssh
+
+# internal network
+block in quick from any to self
+pass out quick on $int_if from $int_me to $int_net
+
+# dmz network
+pass in quick on $dmz_if inet from $dmz_net to any
+pass out quick on $dmz_if inet from any to $dmz_net
+
+# allow myself to communicate dna network but don't use pfsync
+pass out quick on $ext_if from self to any
+
+# fsol (router) network
+pass in quick on $fsol_if proto ospf from any to any
+pass out quick on $fsol_if proto ospf from self to any
+pass in quick on $fsol_if inet from any to $dmz_net
+pass out quick on $fsol_if inet from $dmz_net to any
+pass out quick on $fsol_if inet from self to any
+
+# drop rest
+block in quick log all
+block out quick log all