Lumpiasty/klaster
0
0
Fork 0
Code Issues Pull Requests 2 Packages Projects Releases Wiki Activity
Files
8d0b0cfa576ae3752b643082f7848124cfd628bc
klaster/ansible/roles/openwrt/tasks/firewall.yml
T
Lumpiasty 2d69cc6569
ci/woodpecker/push/flux-reconcile-source Pipeline was successful
Details
ci/woodpecker/cron/renovate Pipeline was successful
Details
fix(ansible): resolve LTE failover data-plane bug on BroadMobi BM806C 
The embedded BroadMobi BM806C modem (Qualcomm MDM9225, firmware
M1.2.0_E1.0.1_A1.1.8) in the D-Link DWR-921 C1 has two independent
firmware bugs that together break the QMI data plane:

1.  Modem accepts 802.3 framing but its 802.3 path is buggy — downlink
    frames never reach the host kernel. raw-ip framing works.

2.  qmish calls uqmi --start-network --apn <foo>, which triggers
    FS#1363: the modem establishes a phantom bearer that gets IP
    addresses but has no working data path. Using --start-network
    --profile <N> (referencing a pre-configured NVRAM profile with
    the same APN) works correctly.

Fixes applied:

- qmish patches (3x community.openwrt.lineinfile):
  * Replace --set-data-format 802.3 with raw-ip
  * Replace --wda-set-data-format 802.3 with raw-ip
  * Bracket raw_ip sysfs write with ip link down/up (kernel rejects
    write with -EBUSY when wwan0 is already up)
- Modem NVRAM: create/modify profile 2 (internetipv6, ipv6) for the
  IPv6 APN — profile 1 is already managed by qmish's --modify-profile
- UCI wwan: add profile=1 and v6profile=2 so qmish uses --start-network
  --profile instead of --apn on both the v4 and v6 legs
- Firewall: add wwan zone (input REJECT, output ACCEPT, forward REJECT)
  and Allow-ICMPv6-wwan rule
- main.yml: reorder — packages (including usb-modeswitch) now run
  before wwan setup, so the modem is out of EDL mode when wwan.yml
  queries it for profile creation

See docs/wwan-bm806c-qmi-workaround.md for the full diagnosis
(what we ruled out, how we confirmed, manual setup steps, component
versions, future upstreaming).
2026-05-16 21:20:26 +02:00

92 lines
2.8 KiB
YAML
Raw Blame History

---
# This device is a pure AP — no routing, no NAT.
#
# Zones:
# mgmt — management interface (192.168.255.11)
# input: ACCEPT (SSH, ping reachable from MGMT network)
# forward: REJECT (nothing routes through mgmt)
#
# lan — client bridge (eth0.2, LAN ports)
# input: REJECT (clients cannot SSH into the AP itself)
# forward: ACCEPT (traffic passes through to MikroTik for firewalling)
#
# iot — IoT bridge (eth0.5, wifi only)
# input: REJECT (IoT devices cannot reach the AP itself)
# forward: ACCEPT (traffic passes through to MikroTik, which allows
# internet only and blocks all internal networks)
#
# uplink — internet uplink via MikroTik vlan6 (192.168.6.2/24)
# input: REJECT (no inbound connections from internet side)
# output: ACCEPT (AP itself initiates outbound — opkg, NTP, etc.)
# forward: REJECT (AP does not route client traffic through uplink)
#
# wwan — LTE modem uplink (Orange PL, /dev/cdc-wdm0, disabled by default)
# input: REJECT (no inbound from LTE)
# output: ACCEPT (AP itself uses LTE for outbound when uplink unavailable)
# forward: REJECT (no client traffic through LTE)
#
# No forwarding rules between zones — all inter-zone policy is on MikroTik.
- name: Configure firewall
community.openwrt.uci:
command: import
merge: false
config: firewall
value: |
package firewall
config defaults
option syn_flood '1'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
config zone
option name 'mgmt'
list network 'mgmt'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
config zone
option name 'lan'
list network 'lan'
option input 'REJECT'
option output 'ACCEPT'
option forward 'ACCEPT'
config zone
option name 'iot'
list network 'iot'
option input 'REJECT'
option output 'ACCEPT'
option forward 'ACCEPT'
config zone
option name 'uplink'
list network 'uplink'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
config zone
option name 'wwan'
list network 'wwan'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
config rule
option name 'Allow-ICMPv6-uplink'
option src 'uplink'
option proto 'icmpv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-wwan'
option src 'wwan'
option proto 'icmpv6'
option target 'ACCEPT'
notify: Reload firewall
Reference in New Issue View Git Blame Copy Permalink