foo.sh/ansible
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

dhcpd/pf: Add DHCP failover support

Browse source
This commit is contained in:
Timo Makinen 2025-06-22 17:52:29 +00:00
parent 97c9467b89
commit 5e803c87fb
2 changed files with 40 additions and 1 deletions
Download patch file Download diff file Expand all files Collapse all files

29
roles/dhcpd/templates/dhcpd.conf.j2
View file

@ -2,6 +2,28 @@
authoritative; authoritative;
ddns-update-style none; ddns-update-style none;
{% if network_interfaces[0].vlan == 30 %}
# failover config
{% for host in groups['dnagw_' + intdomain.split('.')[0]] %}
{% if host != inventory_hostname %}
failover peer "failover-peer" {
{% if inventory_hostname.split('.')[0][-2:] | int % 2 == 0 %}
secondary;
{% else %}
primary;
mclt 3600;
split 128;
{% endif %}
address {{ inventory_hostname }};
peer address {{ host }};
max-response-delay 60;
max-unacked-updates 10;
load balance max seconds 3;
}
{% endif %}
{% endfor %}
{% endif %}
# custom options # custom options
option arch code 93 = unsigned integer 16; option arch code 93 = unsigned integer 16;
@ -47,7 +69,14 @@ subnet {{ intnet | ansible.utils.ipaddr('network') }} netmask {{ intnet | ansibl
use-host-decl-names on; use-host-decl-names on;
{% if network_interfaces[0].vlan == 30 %} {% if network_interfaces[0].vlan == 30 %}
pool {
{% for host in groups['dnagw_' + intdomain.split('.')[0]] %}
{% if host != inventory_hostname %}
failover peer "failover-peer";
{% endif %}
{% endfor %}
range {{ intnet | ansible.utils.ipaddr(100) | ansible.utils.ipaddr('address') }} {{ intnet | ansible.utils.ipaddr(200) | ansible.utils.ipaddr('address') }}; range {{ intnet | ansible.utils.ipaddr(100) | ansible.utils.ipaddr('address') }} {{ intnet | ansible.utils.ipaddr(200) | ansible.utils.ipaddr('address') }};
}
{% endif %} {% endif %}
} }

10
roles/pf/templates/pf.conf.gw_dna.j2
View file

@ -50,6 +50,11 @@ pass in quick on $ext_if proto tcp from {{ gw_lan_ip }}/32 to self port ssh
pass in quick on $int_if proto tcp from $int_net to self port 9100 pass in quick on $int_if proto tcp from $int_net to self port 9100
pass in quick on $int_if proto tcp from $int_net to self port 9167 pass in quick on $int_if proto tcp from $int_net to self port 9167
# allow dhcpd failover
{% for host in groups['dnagw_' + intdomain.split('.')[0]] %}
pass in quick on $int_if proto tcp from {{ hostvars[host]['network_interfaces'][0].ipaddr }} to self port 647
{% endfor %}
# allow dns queries from internal net # allow dns queries from internal net
pass in quick on $int_if proto { tcp, udp } from $int_net to self port domain pass in quick on $int_if proto { tcp, udp } from $int_net to self port domain
pass in quick on $int_if proto tcp from $int_net to self port domain-s pass in quick on $int_if proto tcp from $int_net to self port domain-s
@ -71,6 +76,11 @@ pass out quick on $int_if from self to any
# allow traffic from outside # allow traffic from outside
pass out quick on $int_if from any to $int_net pass out quick on $int_if from any to $int_net
{% if intdomain == 'iot.foo.sh' %}
# block ip's 50-100 from iot network
block in quick on $int_if from 172.20.27.192/26 to !$int_net
{% endif %}
# allow communication from internal to world # allow communication from internal to world
pass in quick on $int_if from $int_net to !$int_net pass in quick on $int_if from $int_net to !$int_net