lte failover

ansible/roles/routeros/tasks/base.yml

@@ -51,10 +51,10 @@
     data:
       - interface: pppoe-gpon
         list: wan
-      - interface: lte1
-        list: wan
       - interface: sit1
         list: wan
+      - interface: vlan6
+        list: wan
     handle_absent_entries: remove
     handle_entries_content: remove_as_much_as_possible
 

ansible/roles/routeros/tasks/firewall.yml

@@ -10,11 +10,6 @@
         chain: forward
         comment: Allow all already established connections
         connection-state: established,related
-      - action: accept
-        chain: forward
-        comment: Allow LTE modem management (next rule forbids it otherwise)
-        dst-address: 192.168.8.1
-        out-interface: lte1
       - action: reject
         chain: forward
         comment: Forbid forwarding 192.168.0.0/16 to WAN
@@ -173,7 +168,13 @@
         comment: Allow BGP from SRV
         dst-port: 179
         in-interface: vlan4
-        protocol: udp
+        protocol: tcp
+      - action: accept
+        chain: input
+        comment: Allow BGP from OPENWRT UPLINK
+        dst-port: 179
+        in-interface: vlan6
+        protocol: tcp
       - action: accept
         chain: input
         comment: NAT-PMP from LAN
@@ -243,15 +244,11 @@
       - action: masquerade
         chain: srcnat
         comment: Masquerade to internet
-        out-interface-list: wan
+        out-interface: pppoe-gpon
       - action: masquerade
         chain: srcnat
         comment: GPON ONT management
         dst-address: 192.168.100.1
-      - action: masquerade
-        chain: srcnat
-        comment: LTE Modem management
-        dst-address: 192.168.8.1
       - action: dst-nat
         chain: dstnat
         comment: TS3
@@ -516,6 +513,13 @@
         in-interface: vlan4
         protocol: tcp
         src-address: 2001:470:61a3:100::/64
+      - action: accept
+        chain: input
+        comment: Allow BGP from OPENWRT UPLINK
+        dst-port: 179
+        in-interface: vlan6
+        protocol: tcp
+        src-address: 2001:470:61a3:600::/64
       - action: reject
         chain: input
         comment: Reject all remaining

ansible/roles/routeros/tasks/hardware.yml

@@ -39,39 +39,6 @@
   loop_control:
     label: "{{ item.default_name }}"
 
-- name: Configure LTE interface defaults
-  community.routeros.api_find_and_modify:
-    ignore_dynamic: false
-    path: interface lte
-    find:
-      default-name: lte1
-    values:
-      apn-profiles: default-nodns
-      comment: Backup LTE WAN
-
-- name: Configure LTE APN profiles
-  community.routeros.api_modify:
-    path: interface lte apn
-    data:
-      - add-default-route: false
-        apn: internet
-        comment: default but without dns and default route
-        ipv6-interface: lte1
-        name: default-nodns
-        use-network-apn: true
-        use-peer-dns: false
-      # Default APN we can't really remove yet I don't want to reconfigure it
-      - add-default-route: true
-        apn: internet
-        authentication: none
-        default-route-distance: 2
-        ip-type: auto
-        name: default
-        use-network-apn: true
-        use-peer-dns: true
-    handle_absent_entries: remove
-    handle_entries_content: remove_as_much_as_possible
-
 - name: Configure temporary disk for containers
   community.routeros.api_modify:
     path: disk

ansible/roles/routeros/tasks/routing.yml

@@ -21,15 +21,6 @@
         suppress-hw-offload: false
         target-scope: 10
         vrf-interface: pppoe-gpon
-      - disabled: false
-        distance: 2
-        dst-address: 0.0.0.0/0
-        gateway: 192.168.8.1
-        routing-table: main
-        scope: 30
-        suppress-hw-offload: false
-        target-scope: 10
-        vrf-interface: lte1
     handle_absent_entries: remove
     handle_entries_content: remove_as_much_as_possible
 
@@ -93,5 +84,27 @@
         remote.address: 2001:470:61a3:100::3/128
         routing-table: main
         templates: klaster
+      - name: dlink-lte
+        afi: ip,ipv6
+        as: 65000
+        connect: true
+        disabled: false
+        instance: bgp-homelab
+        listen: true
+        # ibgp-rr: CRS acts as route reflector for D-Link (the RR client).
+        # This allows k8s routes learned from bgp1 to be reflected to D-Link
+        # without violating iBGP split-horizon.
+        local.role: ibgp-rr
+        remote.address: 192.168.6.2/32
+        routing-table: main
+        templates: klaster
+        hold-time: 30s
+        keepalive-time: 10s
+        # Redistribute connected (VLAN addresses) and static routes (Tailscale,
+        # GPON default) so D-Link has explicit routes to all internal subnets
+        # and a default route when GPON is up.
+        output.redistribute: connected,static
+        output.default-originate: if-installed
+        nexthop-choice: force-self
     handle_absent_entries: remove
     handle_entries_content: remove_as_much_as_possible