Start working on replicated fsol gw

* Add fsol01 host * Move everything to fsol01 for now * Add pfsync interface * Try to fix firewall rules with correct no-sync options
2021-03-16 22:41:58 +00:00 · 2021-03-16 22:41:58 +00:00 · 55855d7c15
commit 55855d7c15
parent d41d59a0d4
5 changed files with 38 additions and 7 deletions
--- a/group_vars/fsol.yml
+++ b/group_vars/fsol.yml
@ -1,6 +1,6 @@
 ---
 network_carp_interfaces:
-  - device: vio2
+  - device: vio3
    vhid: 145
    ipaddr: 37.16.96.145
    netmask: 255.255.255.240
--- a/host_vars/fsol01.home.foo.sh.yml
+++ b/host_vars/fsol01.home.foo.sh.yml
@ -0,0 +1,21 @@
+---
+vmhost: vmhost01.home.foo.sh
+network_interfaces:
+  - device: vio0
+    vlan: 20
+    mac: 52:54:00:ac:dc:3f
+    ipaddr: 172.20.21.63
+    netmask: 255.255.252.0
+    proto: static
+  - device: vio1
+    vlan: 26
+    ipaddr: 172.20.26.1
+    netmask: 255.255.255.252
+    proto: static
+  - device: vio2
+    vlan: 103
+    proto: dhcp
+  - device: vio3
+    vlan: 102
+    mac: 52:54:00:0a:95:b8
+    proto: none
--- a/host_vars/fsol02.home.foo.sh.yml
+++ b/host_vars/fsol02.home.foo.sh.yml
@ -8,8 +8,13 @@ network_interfaces:
    netmask: 255.255.252.0
    proto: static
  - device: vio1
+    vlan: 26
+    ipaddr: 172.20.26.2
+    netmask: 255.255.255.252
+    proto: static
+  - device: vio2
    vlan: 103
    proto: dhcp
-  - device: vio2
+  - device: vio3
    vlan: 102
    proto: none
--- a/1
+++ b/1
@ -5,6 +5,7 @@ adm01.home.foo.sh
 collab01.home.foo.sh

 [fsol]
+fsol01.home.foo.sh
 fsol02.home.foo.sh

 [git]
--- a/roles/pf/files/pf.conf.gw_fsol
+++ b/roles/pf/files/pf.conf.gw_fsol
@ -1,7 +1,8 @@
 # interfaces
 int_if = "vio0"
-ext_if = "vio1"
-dmz_if = "vio2"
+sync_if = "vio1"
+ext_if = "vio2"
+dmz_if = "vio3"
 fsol_if = "tap0"

 # networks
@ -30,18 +31,21 @@ antispoof for lo0
 antispoof for vio0

 # admin connection (internal)
-pass in quick on $int_if proto tcp from $int_net to self port ssh
+pass in quick on $int_if proto tcp from $int_net to self port ssh keep state (no-sync)

 # internal network
 block in quick from any to self
-pass out quick on $int_if from $int_me to $int_net
+pass out quick on $int_if from $int_me to $int_net keep state (no-sync)

 # dmz network
 pass in quick on $dmz_if inet from $dmz_net to any
 pass out quick on $dmz_if inet from any to $dmz_net

 # allow myself to communicate dna network but don't use pfsync
-pass out quick on $ext_if from self to any
+pass out quick on $ext_if from self to any keep state (no-sync)
+
+# pfsync interface
+pass quick on $sync_if proto pfsync keep state (no-sync)

 # fsol (router) network
 pass in quick on $fsol_if proto ospf from any to any