Allow multiple networks with firewall zones (iot, guest, ...)

config/cron

@@ -1,4 +1,8 @@
-*/15 * * * * fping --count 3 --period 2000 --random --generate --quiet {{ network }} >/dev/null 2>&1
+{% for _, network in networks.items() %}
+{% if network.cidr is defined %}
+*/15 * * * * fping --count 3 --period 2000 --random --generate --quiet {{ network.cidr }} >/dev/null 2>&1
+{% endif %}
+{% endfor %}
 {% if inventory_hostname in groups['routers'] %}
 0 4 * * * nft flush chain inet fw4 upnp_forward && nft flush chain inet fw4 upnp_prerouting
 {% endif %}

config/dawn

@@ -1,16 +1,20 @@
 
+{% for _, network in networks.items() %}
+{% if network.wireless is defined and network.wireless[0].roaming | default(true) %}
 config network
-	option broadcast_ip '{{ network | ansible.utils.ipaddr(255) | ansible.utils.ipv4('address')}}'
+	option broadcast_ip '{{ network.cidr | ansible.utils.ipaddr(255) | ansible.utils.ipv4('address')}}'
 	option broadcast_port '1025'
 	option server_ip ''
 	option tcp_port '1026'
 	option network_option '2' # 0 udp broadcast, 1 multicast, 2 tcp
-	option shared_key '{{ (SSID | checksum)[:10] }}'
-	option iv '{{ (SSID | checksum)[:10] }}'
+	option shared_key '{{ (network.wireless[0].SSID | checksum)[:10] }}'
+	option iv '{{ (network.wireless[0].SSID | checksum)[:10] }}'
 	option use_symm_enc '0'
 	option collision_domain '-1' # enter here aps which are in the same collision domain
 	option bandwidth '-1' # enter network bandwidth
 
+{% endif %}
+{% endfor %}
 config ordering
 	option sort_order 'cbfs'
 

config/dhcp

@@ -17,15 +17,19 @@ config dnsmasq
 {% endfor %}
 {% endif %}
 
-config dhcp 'lan'
-	option interface 'lan'
+{% for _, network in networks.items() %}
+{% if _ not in ('wan','additional') %}
+config dhcp '{{ _ }}'
+	option interface '{{ _ }}'
 	option limit '150'
 	option leasetime '12h'
 	option start '{{ groups['openwrt'] | length +2 }}'
 	option ra '{{ 'server' if inventory_hostname in groups['routers'] else 'hybrid' }}'
 	option dhcpv6 '{{ 'server' if inventory_hostname in groups['routers'] else 'hybrid' }}'
 	option ra_management '1'
 
+{% endif %}
+{% endfor %}
 config dhcp 'wan'
 	option interface 'wan'
 	option ignore '1'
@@ -41,7 +45,7 @@ config odhcpd 'odhcpd'
 config host
 	option mac '{{ hostvars[ap].mac }}'
 	option dns '1'
-	option ip '{{ network | ansible.utils.ipaddr(hostvars[ap].id) | ansible.utils.ipv4('address')}}'
+	option ip '{{ networks.lan.cidr | ansible.utils.ipaddr(hostvars[ap].id) | ansible.utils.ipv4('address')}}'
 	option name '{{ hostvars[ap].name }}'
 	option hostid '{{ hostvars[ap].id }}'
 	option duid '{{ hostvars[ap].duid }}'
@@ -53,7 +57,7 @@ config host
 	option name '{{ host.name }}'
 	option mac '{{ host.mac }}'
 	option dns '1'
-	option ip '{{ network | ansible.utils.ipaddr(host.id) | ansible.utils.ipv4('address')}}'
+	option ip '{{ networks[host.network | default('lan')].cidr | ansible.utils.ipaddr(host.id) | ansible.utils.ipv4('address')}}'
 	option hostid '{{ host.id }}'
 	option duid '{{ host.duid }}'
 

config/firewall

@@ -155,11 +155,47 @@ config redirect
 	option dest 'lan'
 	option dest_port '{{ forward.port }}'
 	option target 'DNAT'
-	option dest_ip '{{ network | ansible.utils.ipaddr(forward.to) | ansible.utils.ipv4('address')}}'
+	option dest_ip '{{ networks[forward.network | default('lan')].cidr | ansible.utils.ipaddr(forward.to) | ansible.utils.ipv4('address')}}'
 	option proto 'tcp udp'
 {% if forward.source_ip is defined %}
 	option src_ip '{{ forward.source_ip }}'
 {% endif %}
+{% endfor %}
+{% endif %}
+
+{% for _, network in networks.items() %}
+{% if _ not in ('lan','wan', 'additional') %}
+config zone
+	option name '{{ _ }}'
+	option input 'ACCEPT'
+	option output 'ACCEPT'
+	option forward 'REJECT'
+	list network '{{ _ }}'
+
+config forwarding
+	option src '{{ _ }}'
+	option dest 'wan'
+
+config forwarding
+	option src 'lan'
+	option dest '{{ _ }}'
+
+config rule
+	option name 'Allow-DNS-{{ _ }}'
+	option src '{{ _ }}'
+	option dest_port '53'
+	option target 'ACCEPT'
 
+config rule
+	option name 'Allow-DHCP-{{ _ }}'
+	option src '{{ _ }}'
+	option dest_port '67'
+	option target 'ACCEPT'
+
+config rule
+	option name 'Disallow-Device-{{ _ }}'
+	option src '{{ _ }}'
+	option target 'REJECT'
+{% endif %}
 {% endfor %}
-{% endif %}
+

config/network

@@ -1,3 +1,4 @@
+{% set vlan = namespace(index=1) %}
 
 config interface 'loopback'
 	option device 'lo'
@@ -8,14 +9,6 @@ config interface 'loopback'
 config globals 'globals'
 	option ula_prefix '{{ ula_prefix }}'
 
-config device
-{% if vlans is defined %}
-	option name 'eth0.{{ vlans | community.general.json_query('[?wan].vid') | first }}'
-{% else %}
-	option name 'eth0.2'
-{% endif %}
-	option macaddr '{{ mac }}'
-
 config switch
 	option name 'switch0'
 	option reset '1'
@@ -24,60 +17,45 @@ config switch
 config device
 	option name 'br-lan'
 	option type 'bridge'
-	list ports 'eth0.1'
+	list ports 'eth0.{{ networks.lan.vlan_id | default('1') }}'
+
+config switch_vlan
+	option device 'switch0'
+	option vlan '{{ vlan.index }}'
+	option vid '{{ networks.lan.vlan_id | default('1') }}'
+	option ports '{{ networks.lan.ports | default('1 0t') }}'
+	option description '{{ networks.lan.name | default('lan') }}'
 
 {% if inventory_hostname in groups['routers'] %}
+config device
+  option name 'eth0.{{ networks.wan.vlan_id | default('2') }}'
+
 config interface 'lan'
 	option device 'br-lan'
 	option proto 'static'
-	option netmask '{{ network | ansible.utils.ipaddr('netmask') }}'
-	option ip6assign '60'
-	option ipaddr '{{ network | ansible.utils.ipaddr(id) | ansible.utils.ipv4('address')}}'
+	option netmask '{{ networks.lan.cidr | ansible.utils.ipaddr('netmask') }}'
+	option ip6assign '64'
+	option ip6hint '{{ networks.lan.ip6hint | default('0') }}'
+	option ipaddr '{{ networks.lan.cidr | ansible.utils.ipaddr(id) | ansible.utils.ipv4('address')}}'
 	option ip6ifaceid '::{{ id }}'
 
+{% set vlan.index = vlan.index + 1%}
 config interface 'wan'
-{% if vlans is defined %}
-	option device 'eth0.{{ vlans | community.general.json_query('[?wan].vid') | first }}'
-{% else %}
-	option device 'eth0.2'
-{% endif %}
-	option proto 'dhcp'
+  option device 'eth0.{{ networks.wan.vlan_id | default('2') }}'
+  option proto 'dhcp'
 
 config interface 'wan6'
-{% if vlans is defined %}
-	option device 'eth0.{{ vlans | community.general.json_query('[?wan].vid') | first }}'
-{% else %}
-	option device 'eth0.2'
-{% endif %}
-	option proto 'dhcpv6'
-	option reqaddress 'try'
-	option reqprefix 'auto'
-
-config switch_vlan
-	option device 'switch0'
-	option vlan '1'
-	option ports '0t 2 3 4 5'
-	option vid '1'
-
-{% if vlans is defined %}
-{% for vlan in vlans %}
-config switch_vlan
-	option device 'switch0'
-	option vlan '{{ loop.index+1 }}'
-	option ports '{{ vlan.ports }}'
-	option vid '{{ vlan.vid }}'
-{% if vlan.name is defined %}
-	option description '{{ vlan.name }}'
-{% endif %}
+  option device 'eth0.{{ networks.wan.vlan_id | default('2') }}'
+  option proto 'dhcpv6'
+  option reqaddress 'try'
+  option reqprefix 'auto'
 
-{% endfor %}
-{% else %}
 config switch_vlan
-	option device 'switch0'
-	option vlan '2'
-	option ports '0t 1'
-	option vid '2'
-{% endif %}
+  option device 'switch0'
+  option vlan '{{ vlan.index }}'
+  option ports '{{ networks.wan.ports | default('2 3 4 5 0t') }}'
+  option vid '{{ networks.wan.vlan_id | default('2') }}'
+  option description '{{ networks.wan.name | default('wan') }}'
 
 {% if ipv6_6to4 is defined %}
 config interface 'wan6to4'
@@ -106,17 +84,53 @@ config interface 'lan'
 	option device 'br-lan'
 	option proto 'dhcp'
 
-config switch_vlan
-	option device 'switch0'
-	option vlan '1'
-	option ports '0t 1 2 3 4 5'
-	option vid '1'
-
 config interface 'lan6'
 	option proto 'dhcpv6'
 	option reqaddress 'try'
 	option reqprefix 'no'
 	option device '@lan'
 	option type 'bridge'
+{% endif %}
+
+{% for _, network in networks.items() %}
+{% if _ not in ('lan', 'wan','additional') %}
+{% set vlan.index = vlan.index + 1%}
+config device
+	option name 'br-{{ _ }}'
+	option type 'bridge'
+	list ports 'eth0.{{ network.vlan_id }}'
+
+config interface '{{ _ }}'
+	option device 'br-{{ _ }}'
+{% if inventory_hostname in groups['routers'] %}
+	option proto 'static'
+	option netmask '{{ network.cidr | ansible.utils.ipaddr('netmask') }}'
+	option ip6assign '64'
+	option ip6hint '{{ network.ip6hint | default(loop.index*10) }}'
+	option ipaddr '{{ network.cidr | ansible.utils.ipaddr(id) | ansible.utils.ipv4('address')}}'
+	option ip6ifaceid '::{{ id }}'
+{% else %}
+	option proto 'none'
+{% endif %}
+
+config switch_vlan
+	option device 'switch0'
+	option vlan '{{ vlan.index }}'
+	option vid '{{ network.vlan_id }}'
+	option ports '{{ network.ports | default('2 3 4 5 0t') }}'
+	option description '{{ network.name }}'
+
+{% endif %}
+{% endfor %}
+{% if networks.additional is defined %}
+{% for network in networks.additional %}
+{% set vlan.index = vlan.index + 1%}
+config switch_vlan
+  option device 'switch0'
+  option vlan '{{ vlan.index }}'
+  option ports '{{ network.ports }}'
+  option vid '{{ network.vlan_id }}'
+  option description '{{ network.name }}'
 
+{% endfor %}
 {% endif %}

config/upnpd

@@ -11,7 +11,7 @@ config upnpd 'config'
 {% if upnp.configure_with_external_ip is defined and upnp.configure_with_external_ip %}
 	option external_ip '{{ external_ip }}'
 {% endif %}
-	option presentation_url 'http://{{ network | ansible.utils.ipaddr(id) | ansible.utils.ipv4('address')}}'
+	option presentation_url 'http://{{ networks.lan.cidr | ansible.utils.ipaddr(id) | ansible.utils.ipv4('address')}}'
 
 config perm_rule
 	option action 'allow'