Lumpiasty/klaster
0
0
Fork 0
Code Issues Pull Requests 2 Packages Projects Releases Wiki Activity
Files
38f0aa699f12568adff2aac6285c2a59fc62b889
klaster/ansible/roles/openwrt/tasks/firewall.yml
T
Lumpiasty 38f0aa699f feat(ansible): add IoT VLAN 5 (192.168.5.0/24, szafa wifi) 
MikroTik: add vlan5 interface, bridge VLAN entry (ether3 tagged),
IP 192.168.5.1/24, IPv6 from-pool, DHCP pool/server/network,
firewall rules allowing IoT internet-only (IPv4 and IPv6),
DNS input from vlan5.

OpenWrt: add switch VLAN 5 (WAN+CPU tagged), br-iot bridge on
eth0.5, iot interface, iot firewall zone (forward ACCEPT,
input REJECT).

Also remove ensure_order from all non-firewall api_modify tasks
as RouterOS does not support move on those paths.
2026-05-13 22:28:04 +02:00

62 lines
1.7 KiB
YAML
Raw Blame History

---
# This device is a pure AP — no routing, no NAT, no internet-facing interface.
#
# Zones:
# mgmt — management interface (192.168.255.11)
# input: ACCEPT (SSH, ping reachable from MGMT network)
# forward: REJECT (nothing routes through mgmt)
#
# lan — client bridge (eth0.2, LAN ports)
# input: REJECT (clients cannot SSH into the AP itself)
# forward: ACCEPT (traffic passes through to MikroTik for firewalling)
#
# iot — IoT bridge (eth0.5, wifi only)
# input: REJECT (IoT devices cannot reach the AP itself)
# forward: ACCEPT (traffic passes through to MikroTik, which allows
# internet only and blocks all internal networks)
#
# No forwarding rules between zones — all inter-zone policy is on MikroTik.
- name: Configure firewall
community.openwrt.uci:
command: import
merge: false
config: firewall
value: |
package firewall
config defaults
option syn_flood '1'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
config zone
option name 'mgmt'
list network 'mgmt'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
config zone
option name 'lan'
list network 'lan'
option input 'REJECT'
option output 'ACCEPT'
option forward 'ACCEPT'
config zone
option name 'iot'
list network 'iot'
option input 'REJECT'
option output 'ACCEPT'
option forward 'ACCEPT'
config rule
option name 'Allow-ICMP-mgmt'
option src 'mgmt'
option proto 'icmp'
option target 'ACCEPT'
notify: Reload firewall
Reference in New Issue View Git Blame Copy Permalink