feat(ansible): add internet access for dlink

ansible/roles/routeros/tasks/addressing.yml

@@ -27,6 +27,9 @@
       - address: 192.168.5.1/24
         interface: vlan5
         network: 192.168.5.0
+      - address: 192.168.6.1/24
+        interface: vlan6
+        network: 192.168.6.0
     handle_absent_entries: remove
     handle_entries_content: remove_as_much_as_possible
 
@@ -48,5 +51,8 @@
       - address: ::ffff:ffff:ffff:ffff/64
         from-pool: pool1
         interface: vlan5
+      - address: 2001:470:61a3:600::1/64
+        advertise: false
+        interface: vlan6
     handle_absent_entries: remove
     handle_entries_content: remove_as_much_as_possible

ansible/roles/routeros/tasks/base.yml

@@ -29,6 +29,10 @@
         comment: IOT
         interface: bridge1
         vlan-id: 5
+      - name: vlan6
+        comment: OPENWRT UPLINK
+        interface: bridge1
+        vlan-id: 6
     handle_absent_entries: remove
     handle_entries_content: remove_as_much_as_possible
 
@@ -97,6 +101,9 @@
       - bridge: bridge1
         tagged: bridge1,ether3
         vlan-ids: 5
+      - bridge: bridge1
+        tagged: bridge1,ether3
+        vlan-ids: 6
       - bridge: bridge1
         tagged: sfp-sfpplus2
         untagged: ether10

ansible/roles/routeros/tasks/firewall.yml

@@ -58,6 +58,11 @@
         comment: Allow from IOT to internet only
         in-interface: vlan5
         out-interface-list: wan
+      - action: accept
+        chain: forward
+        comment: Allow from OPENWRT UPLINK to internet only
+        in-interface: vlan6
+        out-interface-list: wan
       - action: accept
         chain: forward
         comment: Allow from dockers to everywhere
@@ -152,6 +157,17 @@
         dst-port: 53
         in-interface: vlan5
         protocol: tcp
+      - action: accept
+        chain: input
+        comment: Allow DNS from OPENWRT UPLINK
+        dst-port: 53
+        in-interface: vlan6
+        protocol: udp
+      - action: accept
+        chain: input
+        dst-port: 53
+        in-interface: vlan6
+        protocol: tcp
       - action: accept
         chain: input
         comment: Allow BGP from SRV
@@ -389,6 +405,11 @@
         comment: Allow from IOT to internet only
         in-interface: vlan5
         out-interface-list: wan
+      - action: accept
+        chain: forward
+        comment: Allow from OPENWRT UPLINK to internet only
+        in-interface: vlan6
+        out-interface-list: wan
       - action: accept
         chain: forward
         comment: Allow from dockers to everywhere
@@ -477,6 +498,17 @@
         dst-port: 53
         in-interface: vlan5
         protocol: tcp
+      - action: accept
+        chain: input
+        comment: Allow DNS from OPENWRT UPLINK
+        dst-port: 53
+        in-interface: vlan6
+        protocol: udp
+      - action: accept
+        chain: input
+        dst-port: 53
+        in-interface: vlan6
+        protocol: tcp
       - action: accept
         chain: input
         comment: Allow BGP from SRV