feat(ansible): add IoT VLAN 5 (192.168.5.0/24, szafa wifi)
MikroTik: add vlan5 interface, bridge VLAN entry (ether3 tagged), IP 192.168.5.1/24, IPv6 from-pool, DHCP pool/server/network, firewall rules allowing IoT internet-only (IPv4 and IPv6), DNS input from vlan5. OpenWrt: add switch VLAN 5 (WAN+CPU tagged), br-iot bridge on eth0.5, iot interface, iot firewall zone (forward ACCEPT, input REJECT). Also remove ensure_order from all non-firewall api_modify tasks as RouterOS does not support move on those paths.
@@ -6,13 +6,16 @@
|
||||
# input: ACCEPT (SSH, ping reachable from MGMT network)
|
||||
# forward: REJECT (nothing routes through mgmt)
|
||||
#
|
||||
# lan — client bridge (eth0.2, wireless clients)
|
||||
# lan — client bridge (eth0.2, LAN ports)
|
||||
# input: REJECT (clients cannot SSH into the AP itself)
|
||||
# forward: ACCEPT (client traffic passes through to MikroTik,
|
||||
# which does all actual firewalling)
|
||||
# forward: ACCEPT (traffic passes through to MikroTik for firewalling)
|
||||
#
|
||||
# No forwarding rules between zones — traffic in/out of each zone goes
|
||||
# directly to/from MikroTik over the trunk, not through this device.
|
||||
# iot — IoT bridge (eth0.5, wifi only)
|
||||
# input: REJECT (IoT devices cannot reach the AP itself)
|
||||
# forward: ACCEPT (traffic passes through to MikroTik, which allows
|
||||
# internet only and blocks all internal networks)
|
||||
#
|
||||
# No forwarding rules between zones — all inter-zone policy is on MikroTik.
|
||||
|
||||
- name: Configure firewall
|
||||
community.openwrt.uci:
|
||||
@@ -42,6 +45,13 @@
|
||||
option output 'ACCEPT'
|
||||
option forward 'ACCEPT'
|
||||
|
||||
config zone
|
||||
option name 'iot'
|
||||
list network 'iot'
|
||||
option input 'REJECT'
|
||||
option output 'ACCEPT'
|
||||
option forward 'ACCEPT'
|
||||
|
||||
config rule
|
||||
option name 'Allow-ICMP-mgmt'
|
||||
option src 'mgmt'
|
||||
|
||||
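Review bot: `option forward 'ACCEPT'` on the new iot zone is broader than the design needs: as I read fw3/fw4 semantics, a zone's forward option is the policy for traffic this device routes between interfaces of that same zone, whereas the path to MikroTik described in the comment block of the earlier hunk is bridged over the trunk and never enters this AP's forward chain, so `option forward 'REJECT'` should behave identically while keeping the AP unable to route IoT traffic anywhere should it ever hold an address on another network. The comment `# forward: ACCEPT (traffic passes through to MikroTik, which allows internet only and blocks all internal networks)` therefore explains the bridge rather than the zone policy, and the "internet only" property is enforced by RouterOS rules that are not part of this file, so I would reword it to say the zone forward policy does not affect trunk traffic and point to the MikroTik role for the inter-network policy. The enclosing `Configure firewall` task and its uci block start before this hunk.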
@@ -0,0 +1,44 @@
|
||||
---
|
||||
- name: Load IoT WiFi password from OpenBao
|
||||
ansible.builtin.set_fact:
|
||||
openwrt_iot_wifi_password: >-
|
||||
{{
|
||||
lookup(
|
||||
'community.hashi_vault.vault_kv2_get',
|
||||
openbao_fields.iot_wifi.path,
|
||||
engine_mount_point=openbao_kv_mount
|
||||
).secret[openbao_fields.iot_wifi.password_key]
|
||||
}}
|
||||
no_log: true
|
||||
|
||||
- name: Configure IoT WiFi interface (szafa, WPA2, network iot)
|
||||
community.openwrt.uci:
|
||||
command: section
|
||||
config: wireless
|
||||
type: wifi-iface
|
||||
name: iot_radio0
|
||||
find:
|
||||
device: radio0
|
||||
ssid: szafa
|
||||
value:
|
||||
device: radio0
|
||||
network: iot
|
||||
mode: ap
|
||||
ssid: szafa
|
||||
encryption: psk2
|
||||
key: "{{ openwrt_iot_wifi_password }}"
|
||||
disabled: '0'
|
||||
replace: true
|
||||
notify: Reload wireless
|
||||
|
||||
- name: Enable radio0
|
||||
community.openwrt.uci:
|
||||
command: set
|
||||
key: wireless.radio0.disabled
|
||||
value: '0'
|
||||
notify: Reload wireless
|
||||
|
||||
- name: Commit wireless config
|
||||
community.openwrt.uci:
|
||||
command: commit
|
||||
key: wireless
|
||||
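Review bot: The `Configure IoT WiFi interface` task receives the PSK via `key: "{{ openwrt_iot_wifi_password }}"` but has no `no_log`, so the module arguments and any changed/diff output print the password in the play log, which defeats the `no_log: true` placed on the set_fact task that loads it; add `no_log: true` next to `notify: Reload wireless` on that task. The `find` block selects the section by `ssid: szafa` with `replace: true`, which is correct only while no other wifi-iface on radio0 carries that SSID, so a one-line comment such as `# the SSID is the section's identity; keep it unique per radio` above `find:` would make that assumption visible. Keeping `disabled: '0'` quoted is deliberate for uci (string values), and a short comment saying so would stop a later cleanup from turning it into a boolean.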
@@ -0,0 +1,9 @@
|
||||
---
|
||||
# Secret references only; actual values are loaded from OpenBao/Vault at runtime.
|
||||
|
||||
openbao_kv_mount: secret
|
||||
|
||||
openbao_fields:
|
||||
iot_wifi:
|
||||
path: openwrt_iot_wifi
|
||||
password_key: password
|
||||