feat(ansible): add IoT VLAN 5 (192.168.5.0/24, wifi cabinet)

MikroTik: add vlan5 interface, bridge VLAN entry (ether3 tagged),
IP 192.168.5.1/24, IPv6 from-pool, DHCP pool/server/network,
firewall rules allowing IoT internet-only (IPv4 and IPv6),
DNS input from vlan5.

OpenWrt: add switch VLAN 5 (WAN+CPU tagged), br-iot bridge on
eth0.5, iot interface, iot firewall zone (forward ACCEPT,
input REJECT).

Also remove ensure_order from all non-firewall api_modify tasks
as RouterOS does not support move on those paths.
2026-05-13 22:27:25 +02:00
parent 120547b1b8
commit 38f0aa699f
9 changed files with 124 additions and 27 deletions
@@ -53,6 +53,11 @@
comment: Allow from SRV to CAM
in-interface: vlan4
out-interface: vlan3
- action: accept
chain: forward
comment: Allow from IOT to internet only
in-interface: vlan5
out-interface-list: wan
- action: accept
chain: forward
comment: Allow from dockers to everywhere
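Review bot: the new forward accept (in-interface vlan5, out-interface-list wan) matches on interfaces only, so "internet only" is enforced solely by whatever the forward chain does with traffic that this rule does not match; the context shown places it correctly between the SRV-to-CAM accept and the dockers-to-everywhere accept, but nothing visible in this hunk drops vlan5 to vlan3, vlan4 or dockers, or provides a final catch-all drop. Worth confirming in review that the chain ends in a drop rule, since without one the comment promises isolation the rule itself does not deliver.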
@@ -136,6 +141,17 @@
dst-port: 53
in-interface: dockers
protocol: tcp
- action: accept
chain: input
comment: Allow DNS from IOT
dst-port: 53
in-interface: vlan5
protocol: udp
- action: accept
chain: input
dst-port: 53
in-interface: vlan5
protocol: tcp
- action: accept
chain: input
comment: Allow BGP from SRV
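Review bot: the second new input rule (dst-port 53, in-interface vlan5, protocol tcp) carries no comment, while its UDP counterpart is labelled "Allow DNS from IOT"; add a matching line such as `comment: Allow DNS from IOT (TCP)` so both rules are identifiable in `/ip firewall filter print` and in the play's change output. Both rules are otherwise consistent with the dockers DNS rules they are grouped after.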
@@ -368,6 +384,11 @@
comment: Allow from SRV to CAM
in-interface: vlan4
out-interface: vlan3
- action: accept
chain: forward
comment: Allow from IOT to internet only
in-interface: vlan5
out-interface-list: wan
- action: accept
chain: forward
comment: Allow from dockers to everywhere
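Review bot: this second copy of the vlan5-to-wan forward accept (the IPv6 filter section, going by the commit message) has the same ordering dependency as the IPv4 one, and for IPv6 the intent cuts both ways: the commit message says the VLAN gets addresses from a pool, so IoT devices are globally addressable, and "internet only" also requires that unsolicited wan-to-vlan5 traffic is dropped in the forward chain. The context shown does not include that rule, so it should be checked rather than assumed.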
@@ -445,6 +466,17 @@
dst-port: 53
in-interface: dockers
protocol: tcp
- action: accept
chain: input
comment: Allow DNS from IOT
dst-port: 53
in-interface: vlan5
protocol: udp
- action: accept
chain: input
dst-port: 53
in-interface: vlan5
protocol: tcp
- action: accept
chain: input
comment: Allow BGP from SRV
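Review bot: as in the IPv4 section, the TCP/53 input rule from vlan5 lacks a comment; add one matching the UDP rule (for example `comment: Allow DNS from IOT (TCP)`) so the IPv4 and IPv6 rule sets stay symmetrical and easy to audit side by side.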