enable modem in dlink

ansible/README.md

@@ -49,8 +49,8 @@ There are two playbooks:
 ### Step 1 — `dlink-init.yml` (once, PC directly connected)
 
 Run this while your PC is plugged into one of the dlink **LAN ports** with the
-device still on its factory IP (192.168.1.1). MikroTik must **not** be in the
+device still on its factory IP (192.168.1.1) and your SSH key has been added in
-picture yet.
+web ui. MikroTik must **not** be in the picture yet.
 
 What it does:
 - Reconfigures switch0 so the **WAN port** becomes a VLAN trunk:

ansible/playbooks/dlink-init.yml

@@ -17,6 +17,13 @@
   vars:
     ansible_host: "192.168.1.1"
     ansible_user: root
+    # Role defaults are not loaded when importing role task files directly.
+    # These must mirror roles/openwrt/defaults/main.yml.
+    openwrt_mgmt_ip: 192.168.255.11
+    openwrt_mgmt_prefix: 24
+    openwrt_mgmt_gateway: 192.168.255.10
+    openwrt_dns_servers:
+      - 192.168.0.1
 
   tasks:
     - name: Verify connectivity

ansible/roles/openwrt/defaults/main.yml

@@ -23,5 +23,7 @@ openwrt_ntp_servers:
   - 1.pl.pool.ntp.org
 
 # Packages to install
-openwrt_packages: []
+openwrt_packages:
+  - usb-modeswitch   # switches embedded LTE modem (Qualcomm 05c6:9008) from EDL to QMI mode on boot
+  - luci-proto-qmi   # adds QMI protocol support to LuCI for configuring the embedded LTE modem
 

ansible/roles/openwrt/tasks/firewall.yml

@@ -1,5 +1,5 @@
 ---
-# This device is a pure AP — no routing, no NAT, no internet-facing interface.
+# This device is a pure AP — no routing, no NAT.
 #
 # Zones:
 #   mgmt   — management interface (192.168.255.11)
@@ -15,6 +15,11 @@
 #            forward: ACCEPT (traffic passes through to MikroTik, which allows
 #                             internet only and blocks all internal networks)
 #
+#   uplink — internet uplink via MikroTik vlan6 (192.168.6.2/24)
+#            input: REJECT  (no inbound connections from internet side)
+#            output: ACCEPT (AP itself initiates outbound — opkg, NTP, etc.)
+#            forward: REJECT (AP does not route client traffic through uplink)
+#
 # No forwarding rules between zones — all inter-zone policy is on MikroTik.
 
 - name: Configure firewall
@@ -52,10 +57,17 @@
         option output 'ACCEPT'
         option forward 'ACCEPT'
 
+      config zone
+        option name 'uplink'
+        list network 'uplink'
+        option input 'REJECT'
+        option output 'ACCEPT'
+        option forward 'REJECT'
+
       config rule
-        option name 'Allow-ICMP-mgmt'
+        option name 'Allow-ICMPv6-uplink'
-        option src 'mgmt'
+        option src 'uplink'
-        option proto 'icmp'
+        option proto 'icmpv6'
         option target 'ACCEPT'
 
   notify: Reload firewall

ansible/roles/openwrt/tasks/network.yml

@@ -1,17 +1,19 @@
 ---
 #   Network layout:
 #   MikroTik ether3 ↔ dlink WAN port (switch0 port4)
-#   MikroTik sends MGMT traffic untagged, vlan2 (LAN) and vlan5 (IOT) tagged.
+#   MikroTik sends MGMT traffic untagged, vlan2/vlan5/vlan6 tagged.
 #
 #   switch0 VLAN table:
 #     VLAN 1 (MGMT):   CPU(6) tagged, WAN(4) untagged                        → eth0.1 → mgmt
 #     VLAN 2 (LAN):    CPU(6) tagged, WAN(4) tagged, LAN1-4(0-3) untagged    → eth0.2 → br-lan → lan
 #     VLAN 5 (IOT):    CPU(6) tagged, WAN(4) tagged                          → eth0.5 → br-iot → iot
+#     VLAN 6 (UPLINK): CPU(6) tagged, WAN(4) tagged                          → eth0.6 → uplink
 #
 #   Interfaces:
 #     mgmt   — static 192.168.255.11/24 on eth0.1, management
 #     lan    — bridge (br-lan) on eth0.2, LAN clients via LAN ports
 #     iot    — bridge (br-iot) on eth0.5, IoT clients via wifi only
+#     uplink — static 192.168.6.2/24 + 2001:470:61a3:600::2/64 on eth0.6, internet access for opkg
 
 - name: Configure network
   community.openwrt.uci:
@@ -55,6 +57,13 @@
         option description 'iot'
         option ports '4t 6t'
 
+      config switch_vlan
+        option device 'switch0'
+        option vlan '6'
+        option vid '6'
+        option description 'uplink'
+        option ports '4t 6t'
+
       config device
         option name 'br-lan'
         option type 'bridge'
@@ -64,9 +73,46 @@
         option device 'eth0.1'
         option proto 'static'
         option ipaddr '{{ openwrt_mgmt_ip }}/{{ openwrt_mgmt_prefix }}'
-        option gateway '{{ openwrt_mgmt_gateway }}'
         option dns '{{ openwrt_dns_servers | join(" ") }}'
 
+      # Policy routing for mgmt interface.
+      #
+      # Without this, replies to traffic destined for 192.168.255.11 (mgmt IP)
+      # would be sent via the default route (eth0.6/uplink, src 192.168.6.2)
+      # instead of back through eth0.1. This is because mgmt clients (e.g. PCs
+      # on 192.168.0.0/24) are not on the directly connected 192.168.255.0/24
+      # subnet — they reach 192.168.255.11 via MikroTik routing, so the kernel
+      # has no connected route matching the reply destination and falls back to
+      # the default route, causing asymmetric routing.
+      #
+      # ip4table cannot be used here — it generates rules matching only the
+      # interface IP (from 192.168.255.11) and destination (to 192.168.255.11/24),
+      # not the source subnet needed for return traffic from arbitrary clients.
+      # Instead we manually add a rule matching any traffic sourced from the mgmt
+      # subnet and a default route in table 100 via the MikroTik mgmt gateway.
+      # Same-subnet traffic (src and dst both in 192.168.255.0/24) must stay in
+      # main table so replies go directly out eth0.1 without being redirected.
+      # Priority 500 ensures this fires before the catch-all rule below (1000).
+      config rule
+        option src '192.168.255.0/24'
+        option dest '192.168.255.0/24'
+        option lookup 'main'
+        option priority '500'
+
+      # All other traffic sourced from 192.168.255.0/24 (i.e. replies to clients
+      # outside this subnet, routed via MikroTik) uses table 100 which has a
+      # default route back via eth0.1 to prevent asymmetric routing.
+      config rule
+        option src '192.168.255.0/24'
+        option lookup '100'
+        option priority '1000'
+
+      config route
+        option table '100'
+        option interface 'mgmt'
+        option target '0.0.0.0/0'
+        option gateway '{{ openwrt_mgmt_gateway }}'
+
       config interface 'lan'
         option device 'br-lan'
         option proto 'none'
@@ -80,6 +126,15 @@
         option device 'br-iot'
         option proto 'none'
 
+      config interface 'uplink'
+        option device 'eth0.6'
+        option proto 'static'
+        option ipaddr '192.168.6.2/24'
+        option gateway '192.168.6.1'
+        option dns '192.168.6.1'
+        option ip6addr '2001:470:61a3:600::2/64'
+        option ip6gw '2001:470:61a3:600::1'
+
   notify: Reload network
 
 - name: Commit network config

ansible/roles/routeros/tasks/addressing.yml

@@ -27,6 +27,9 @@
       - address: 192.168.5.1/24
         interface: vlan5
         network: 192.168.5.0
+      - address: 192.168.6.1/24
+        interface: vlan6
+        network: 192.168.6.0
     handle_absent_entries: remove
     handle_entries_content: remove_as_much_as_possible
 
@@ -48,5 +51,8 @@
       - address: ::ffff:ffff:ffff:ffff/64
         from-pool: pool1
         interface: vlan5
+      - address: 2001:470:61a3:600::1/64
+        advertise: false
+        interface: vlan6
     handle_absent_entries: remove
     handle_entries_content: remove_as_much_as_possible

ansible/roles/routeros/tasks/base.yml

@@ -29,6 +29,10 @@
         comment: IOT
         interface: bridge1
         vlan-id: 5
+      - name: vlan6
+        comment: OPENWRT UPLINK
+        interface: bridge1
+        vlan-id: 6
     handle_absent_entries: remove
     handle_entries_content: remove_as_much_as_possible
 
@@ -97,6 +101,9 @@
       - bridge: bridge1
         tagged: bridge1,ether3
         vlan-ids: 5
+      - bridge: bridge1
+        tagged: bridge1,ether3
+        vlan-ids: 6
       - bridge: bridge1
         tagged: sfp-sfpplus2
         untagged: ether10

ansible/roles/routeros/tasks/firewall.yml

@@ -58,6 +58,11 @@
         comment: Allow from IOT to internet only
         in-interface: vlan5
         out-interface-list: wan
+      - action: accept
+        chain: forward
+        comment: Allow from OPENWRT UPLINK to internet only
+        in-interface: vlan6
+        out-interface-list: wan
       - action: accept
         chain: forward
         comment: Allow from dockers to everywhere
@@ -152,6 +157,17 @@
         dst-port: 53
         in-interface: vlan5
         protocol: tcp
+      - action: accept
+        chain: input
+        comment: Allow DNS from OPENWRT UPLINK
+        dst-port: 53
+        in-interface: vlan6
+        protocol: udp
+      - action: accept
+        chain: input
+        dst-port: 53
+        in-interface: vlan6
+        protocol: tcp
       - action: accept
         chain: input
         comment: Allow BGP from SRV
@@ -389,6 +405,11 @@
         comment: Allow from IOT to internet only
         in-interface: vlan5
         out-interface-list: wan
+      - action: accept
+        chain: forward
+        comment: Allow from OPENWRT UPLINK to internet only
+        in-interface: vlan6
+        out-interface-list: wan
       - action: accept
         chain: forward
         comment: Allow from dockers to everywhere
@@ -477,6 +498,17 @@
         dst-port: 53
         in-interface: vlan5
         protocol: tcp
+      - action: accept
+        chain: input
+        comment: Allow DNS from OPENWRT UPLINK
+        dst-port: 53
+        in-interface: vlan6
+        protocol: udp
+      - action: accept
+        chain: input
+        dst-port: 53
+        in-interface: vlan6
+        protocol: tcp
       - action: accept
         chain: input
         comment: Allow BGP from SRV