From 55855d7c15da770b267137ff3ae2531156a8bbf0 Mon Sep 17 00:00:00 2001
From: Timo Makinen
Date: Tue, 16 Mar 2021 22:41:58 +0000
Subject: [PATCH] Start working on replicated fsol gw

* Add fsol01 host
* Move everything to fsol01 for now
* Add pfsync interface
* Try to fix firewall rules with correct no-sync options
---
 group_vars/fsol.yml | 2 +-
 host_vars/fsol01.home.foo.sh.yml | 21 +++++++++++++++++++++
 host_vars/fsol02.home.foo.sh.yml | 7 ++++++-
 hosts | 1 +
 roles/pf/files/pf.conf.gw_fsol | 14 +++++++++-----
 5 files changed, 38 insertions(+), 7 deletions(-)
 create mode 100644 host_vars/fsol01.home.foo.sh.yml

diff --git a/group_vars/fsol.yml b/group_vars/fsol.yml
index af7bba5..dd70dd2 100644
--- a/group_vars/fsol.yml
+++ b/group_vars/fsol.yml
@@ -1,6 +1,6 @@
 ---
 network_carp_interfaces:
-  - device: vio2
+  - device: vio3
     vhid: 145
     ipaddr: 37.16.96.145
     netmask: 255.255.255.240
diff --git a/host_vars/fsol01.home.foo.sh.yml b/host_vars/fsol01.home.foo.sh.yml
new file mode 100644
index 0000000..17e443f
--- /dev/null
+++ b/host_vars/fsol01.home.foo.sh.yml
@@ -0,0 +1,21 @@
+---
+vmhost: vmhost01.home.foo.sh
+network_interfaces:
+  - device: vio0
+    vlan: 20
+    mac: 52:54:00:ac:dc:3f
+    ipaddr: 172.20.21.63
+    netmask: 255.255.252.0
+    proto: static
+  - device: vio1
+    vlan: 26
+    ipaddr: 172.20.26.1
+    netmask: 255.255.255.252
+    proto: static
+  - device: vio2
+    vlan: 103
+    proto: dhcp
+  - device: vio3
+    vlan: 102
+    mac: 52:54:00:0a:95:b8
+    proto: none
diff --git a/host_vars/fsol02.home.foo.sh.yml b/host_vars/fsol02.home.foo.sh.yml
index 3a384e9..010edca 100644
--- a/host_vars/fsol02.home.foo.sh.yml
+++ b/host_vars/fsol02.home.foo.sh.yml
@@ -8,8 +8,13 @@ network_interfaces:
     netmask: 255.255.252.0
     proto: static
   - device: vio1
+    vlan: 26
+    ipaddr: 172.20.26.2
+    netmask: 255.255.255.252
+    proto: static
+  - device: vio2
     vlan: 103
     proto: dhcp
-  - device: vio2
+  - device: vio3
     vlan: 102
     proto: none
diff --git a/hosts b/hosts
index 75f6fb9..9578094 100644
--- a/hosts
+++ b/hosts
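Review bot: The vio1 entry in the new host_vars/fsol01.home.foo.sh.yml gives no hint that 172.20.26.1/30 on VLAN 26 is the pfsync link; that role is only recoverable from `sync_if = "vio1"` in roles/pf/files/pf.conf.gw_fsol and from the matching 172.20.26.2 this commit adds to fsol02. A comment on the entry, `  - device: vio1   # pfsync /30 to fsol02 (172.20.26.2); must match sync_if in roles/pf/files/pf.conf.gw_fsol`, would keep the two host_vars files and the pf macros from drifting apart on the next renumbering. The vio2 (ext, VLAN 103) and vio3 (dmz, VLAN 102, CARP vhid 145 from group_vars/fsol.yml) entries would benefit from the same one-line comments, since their roles likewise live only in pf.conf.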
@@ -5,6 +5,7 @@ adm01.home.foo.sh
 collab01.home.foo.sh
 
 [fsol]
+fsol01.home.foo.sh
 fsol02.home.foo.sh
 
 [git]
diff --git a/roles/pf/files/pf.conf.gw_fsol b/roles/pf/files/pf.conf.gw_fsol
index 89bc9fd..0159482 100644
--- a/roles/pf/files/pf.conf.gw_fsol
+++ b/roles/pf/files/pf.conf.gw_fsol
@@ -1,7 +1,8 @@
 # interfaces
 int_if = "vio0"
-ext_if = "vio1"
-dmz_if = "vio2"
+sync_if = "vio1"
+ext_if = "vio2"
+dmz_if = "vio3"
 fsol_if = "tap0"
 
 # networks
@@ -30,18 +31,21 @@ antispoof for lo0
 antispoof for vio0
 
 # admin connection (internal)
-pass in quick on $int_if proto tcp from $int_net to self port ssh
+pass in quick on $int_if proto tcp from $int_net to self port ssh keep state (no-sync)
 
 # internal network
 block in quick from any to self
-pass out quick on $int_if from $int_me to $int_net
+pass out quick on $int_if from $int_me to $int_net keep state (no-sync)
 
 # dmz network
 pass in quick on $dmz_if inet from $dmz_net to any
 pass out quick on $dmz_if inet from any to $dmz_net
 
 # allow myself to communicate dna network but don't use pfsync
-pass out quick on $ext_if from self to any
+pass out quick on $ext_if from self to any keep state (no-sync)
+
+# pfsync interface
+pass quick on $sync_if proto pfsync keep state (no-sync)
 
 # fsol (router) network
 pass in quick on $fsol_if proto ospf from any to any
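Review bot: The renumbered macros at the top of roles/pf/files/pf.conf.gw_fsol give no hint what sits behind vio1/vio2/vio3, and the only place that mapping is spelled out is host_vars, which this commit had to change on both hosts in lockstep. A short comment per macro would tie the two together: `sync_if = "vio1"  # pfsync, VLAN 26, 172.20.26.0/30 to the peer`, `ext_if = "vio2"  # VLAN 103, dhcp`, `dmz_if = "vio3"  # VLAN 102, CARP vhid 145 (group_vars/fsol.yml)`. As a point of style, `antispoof for vio0` in the next hunk's context names the device directly instead of `$int_if`; it is untouched here, but it is exactly the kind of line a renumbering like this one is likely to miss.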
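Review bot: The new `pass quick on $sync_if proto pfsync keep state (no-sync)` sits below `block in quick from any to self`, so if pfsync is run with a unicast syncpeer (destination is this host's own vio1 address) inbound sync packets are dropped by the block before the pass rule is ever evaluated; with the default multicast destination the block does not match, but the rule is then also open to any sender on VLAN 26. pfsync carries the full state table with no authentication, so the rule should be limited to the peer and moved up with the other explicitly scoped rules above the block, e.g. `pass in quick on $sync_if proto pfsync from $sync_peer to any keep state (no-sync)` and `pass out quick on $sync_if proto pfsync from self to any keep state (no-sync)`, with `sync_peer` defined next to the interface macros (172.20.26.2 on fsol01, 172.20.26.1 on fsol02, per the host_vars in this commit). Since pf.conf.gw_fsol is a static role file shared by both hosts, that per-host value needs templating or a per-host include; the existing `$int_me` macro suggests such a mechanism presumably already exists, but its definition is outside this diff.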