BGP Router Manager templates for Voneus core and aggregation infrastructure

{#- IPv4 address lists consumed by the filter and NAT sections below.
    allow-management / allow-snmp gate control-plane access arriving on the
    uplink side (see the input-chain rules); customer-private (RFC6598
    100.64/10) is the source range that gets CGNATed; no-cgnat-to and
    provisioning hold disabled placeholders only, so the NAT rules that
    reference those list names have something to point at until real entries
    are added. Parameter order is free-form in RouterOS. #}
/ip firewall address-list
add list=allow-management address=172.22.0.0/16 comment="Voneus VPN"
add list=allow-management address=185.134.196.128/28 comment=FAELIX
add list=allow-management address=46.227.200.128/28 comment=FAELIX
add list=customer-private address=100.64.0.0/10 comment=RFC6598
add list=allow-snmp address=46.227.207.251 comment=core.librenms.lon.faelix.twh.voneus.net
add list=allow-snmp address=46.227.207.250 comment=fttp.librenms.lon.faelix.twh.voneus.net
add list=allow-snmp address=46.227.203.248 comment=fwa.librenms.lon.faelix.twh.voneus.net
add list=allow-snmp address=46.227.203.91 comment=librenms01.man.faelix.man.voneus.net
add list=allow-snmp address=185.134.197.214 comment=oob.librenms.gen.faelix.che.voneus.net
add list=allow-snmp address=185.134.197.197 comment=overlord.librenms.gen.faelix.che.voneus.net
add list=allow-snmp address=46.227.203.249 comment=systems.librenms.lon.faelix.twh.voneus.net
add list=allow-snmp address=46.227.202.238 comment=vnms.librenms.man.faelix.man.voneus.net
add list=no-cgnat-to address=192.0.2.1 comment=placeholder disabled=yes
add list=provisioning address=192.0.2.2 comment=example disabled=yes
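{#- IPv6 address lists. customer-public is populated from NetBox prefixes and
    aggregates carrying the two accept-ipv6-* tags; each loop is wrapped in an
    ipv6 test so that IPv4 objects with the same tag are skipped.
    Two changes relative to the original:
    - the "Voneus VPN" 2001:db9::/32 entry was listed twice in the same list;
      the duplicate is dropped (RouterOS rejects an identical address in the
      same list, and it carried no extra information).
    - NetBox descriptions are inserted inside a double-quoted comment; a
      stray " in a description would terminate the quoted string and change
      the meaning of the generated line, so double quotes are removed. #}
/ipv6 firewall address-list
add address=2001:db9::/32 comment="Voneus VPN" disabled=yes list=allow-management
add address=2a01:9e00:a217:fa00::/56 comment=FAELIX list=allow-management
add address=2a01:9e01:a217:fa00::/56 comment=FAELIX list=allow-management
{% for prefix in 'accept-ipv6-40-48-from-aggregation'|get_netbox_tagged_prefixes %}{% if prefix.prefix|ipv6 %}
add address={{ prefix.prefix }} comment="{{ prefix.description|replace('"', '') }}" list=customer-public
{% endif %}{% endfor %}
{% for prefix in 'accept-ipv6-40-48-from-aggregation'|get_netbox_tagged_aggregates %}{% if prefix.prefix|ipv6 %}
add address={{ prefix.prefix }} comment="{{ prefix.description|replace('"', '') }}" list=customer-public
{% endif %}{% endfor %}
{% for prefix in 'accept-ipv6-48-52-from-aggregation'|get_netbox_tagged_prefixes %}{% if prefix.prefix|ipv6 %}
add address={{ prefix.prefix }} comment="{{ prefix.description|replace('"', '') }}" list=customer-public
{% endif %}{% endfor %}
{% for prefix in 'accept-ipv6-48-52-from-aggregation'|get_netbox_tagged_aggregates %}{% if prefix.prefix|ipv6 %}
add address={{ prefix.prefix }} comment="{{ prefix.description|replace('"', '') }}" list=customer-public
{% endif %}{% endfor %}
add address=2001:db9::/32 comment=example disabled=yes list=provisioning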
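{#- IPv4 filter. Rules are evaluated top-down and the first terminating match
    wins. Change relative to the original: the two block-customer drops used
    to sit after the broad "customer -> uplink/linknet" accept, so a protected
    subnet reached through an uplink or linknet interface was accepted before
    the drop was ever consulted. They now precede that accept; for protected
    subnets reached through customer-side interfaces this is a no-op.
    The "forward traffic between linknets" rule had no action; RouterOS
    defaults to accept, which is now written out explicitly. #}
/ip firewall filter
{#- forward chain: transit traffic -#}
add action=fasttrack-connection chain=forward comment="forward existing connections" connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="forward existing connections" connection-state=established,related
add action=drop chain=forward comment="prevent customers from reaching protected subnets" in-interface-list=customer-and-linknet src-address-list=block-customer
add action=drop chain=forward comment="prevent customers from reaching protected subnets" dst-address-list=block-customer in-interface-list=customer-and-linknet
add action=accept chain=forward comment="forward customer traffic to uplinks and linknets" in-interface-list=customer-and-linknet out-interface-list=uplink-and-linknet
add action=accept chain=forward comment="forward traffic arriving from management interfaces" in-interface-list=mgmt
add action=accept chain=forward comment="forward IPsec encapsulated traffic" disabled=yes in-interface-list=uplink-and-linknet ipsec-policy=in,ipsec
add action=accept chain=forward comment="forward DNAT traffic" connection-nat-state=dstnat disabled=yes in-interface-list=uplink-and-linknet
add action=accept chain=forward comment="forward traffic between linknets" in-interface-list=linknet out-interface-list=linknet
add action=drop chain=forward comment="block traffic from uplinks and linknets" in-interface-list=uplink-and-linknet
{#- input chain: the router's own control plane. Everything not explicitly
    allowed below is dropped by the final rule. Two points worth knowing:
    BGP (tcp/179) is accepted from any source on uplink-and-linknet, not only
    from configured peers, so TCP-level exposure of the BGP daemon is as wide
    as the uplink list; and ICMP is accepted without a rate limit. -#}
add action=fasttrack-connection chain=input comment="allow established connections to router's control plane" connection-state=established,related hw-offload=yes
add action=accept chain=input comment="allow established connections to router's control plane" connection-state=established,related
add action=accept chain=input comment="allow DNS" dst-port=53 in-interface-list=customer-and-linknet-and-provisioning-cpe protocol=tcp
add action=accept chain=input comment="allow DNS" dst-port=53 in-interface-list=customer-and-linknet-and-provisioning-cpe protocol=udp
add action=accept chain=input comment="allow SNMP" dst-port=161 in-interface-list=uplink-and-linknet protocol=udp src-address-list=allow-snmp
add action=accept chain=input comment="allow NTP" dst-port=123 in-interface-list=customer-and-linknet-and-provisioning-cpe protocol=udp
add action=accept chain=input comment="allow management interfaces to access router's control plane" in-interface-list=mgmt
add action=accept chain=input comment="allow public management IPs access to router's control plane" in-interface-list=uplink-and-linknet src-address-list=allow-management
add action=accept chain=input comment="allow IPsec" disabled=yes in-interface-list=uplink-and-linknet protocol=ipsec-esp src-address-list=allow-ipsec
add action=accept chain=input comment="allow IPsec" disabled=yes dst-port=500,4500 in-interface-list=uplink-and-linknet protocol=udp src-address-list=allow-ipsec
add action=accept chain=input comment="allow IPsec" disabled=yes in-interface-list=uplink-and-linknet ipsec-policy=in,ipsec
add action=accept chain=input comment="allow BGP on uplinks and linknets" dst-port=179 in-interface-list=uplink-and-linknet protocol=tcp
add action=accept chain=input comment="allow ICMP" protocol=icmp
add action=accept chain=input comment="allow UDP traceroute" port=33434-33534 protocol=udp
add action=drop chain=input comment="protect router's control plane"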
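{#- Collect the IPv4 addresses configured on the 'loopback' interface that may
    serve as CGNAT source addresses. Addresses in RFC1918 space, RFC6598
    (100.64/10) and link-local (169.254/16) are skipped: translating customer
    traffic to a non-public source would send unroutable sources to the uplinks.
    Bug fixed here: the original derived the octets with
    address.address.split(".", 0) / split(".", 1), which return a *list*
    (maxsplit, not index); the int filter turns a list into 0, so address0 and
    address1 were always 0 and every loopback address passed the check. -#}
{%- set nat_source_ips = [] %}
{%- for interface in device_interfaces %}
{%- if interface.name in ('loopback',) %}
{%- for address in interface|get_addresses %}
{%- if address|ipv4 %}
{#- address.address may carry a prefix length ("a.b.c.d/32"); use the host part -#}
{%- set host = address.address.split("/")[0] %}
{%- set octets = host.split(".") %}
{%- set address0 = octets[0]|int %}
{%- set address1 = octets[1]|int %}
{%- if not ( ( address0 == 10 )
or ( ( address0 == 172 ) and ( address1 >= 16 ) and ( address1 <= 31 ) )
or ( ( address0 == 192 ) and ( address1 == 168 ) )
or ( ( address0 == 100 ) and ( address1 >= 64 ) and ( address1 <= 127 ) )
or ( ( address0 == 169 ) and ( address1 == 254 ) ) ) %}
{%- do nat_source_ips.append(host) %}
{%- endif %}
{%- endif %}
{%- endfor %}
{%- endif %}
{%- endfor %}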
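{#- IPv4 NAT. srcnat: flows from public-addresses (list not defined in this
    template) or towards no-cgnat-to end srcnat processing untranslated; every
    other customer-private (100.64/10) flow leaving via the uplink list is
    translated to one of the loopback addresses in nat_source_ips, spread by
    per-connection-classifier on source address. If nat_source_ips is empty
    (no public IPv4 on loopback) no src-nat rule is emitted at all and
    customer-private traffic would reach the uplinks untranslated — check the
    rendered output when provisioning a new device. #}
/ip firewall nat
add action=return chain=srcnat src-address-list=public-addresses comment="do not CGNAT"
add action=return chain=srcnat dst-address-list=no-cgnat-to comment="do not CGNAT"
{%- for nat_source_ip in nat_source_ips|sort %}
add action=src-nat chain=srcnat out-interface-list=uplink per-connection-classifier=src-address:{{ nat_source_ips|length }}/{{ loop.index0 }} src-address-list=customer-private to-addresses={{ nat_source_ip }} comment="perform CGNAT"
{%- endfor %}
{#- dstnat: the original line had no action (to-addresses only takes effect
    with action=dst-nat) and carried two comment= parameters; both fixed. #}
add action=dst-nat chain=dstnat comment="redirect NTP to localhost for TLS to work in provisioning" dst-port=123 protocol=udp src-address-list=provisioning to-addresses=127.0.0.1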
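{#- IPv6 filter, mirroring the IPv4 policy. Two fixes relative to the original:
    - the "forward ICMPv6" rule matched protocol=icmp (IP protocol 1) instead
      of icmpv6 (58), so it never matched; new ICMPv6 from uplinks
      (Packet Too Big, echo, ...) fell through to the uplink drop, which
      breaks path MTU discovery towards customers.
    - the block-customer drops now precede the "customer -> uplink/linknet"
      accept so they also apply to protected subnets reached via uplinks;
      for customer-side destinations this is a no-op.
    The linknet-to-linknet rule had no action; RouterOS defaults to accept,
    now written explicitly. Note the DNS/NTP input rules here use
    customer-and-linknet while the IPv4 ones use
    customer-and-linknet-and-provisioning-cpe — presumably intentional
    (provisioning CPE over IPv4 only); confirm. #}
/ipv6 firewall filter
{#- forward chain -#}
add action=accept chain=forward comment="forward existing connections" connection-state=established,related
add action=drop chain=forward comment="prevent customers from reaching protected subnets" in-interface-list=customer-and-linknet src-address-list=block-customer
add action=drop chain=forward comment="prevent customers from reaching protected subnets" dst-address-list=block-customer in-interface-list=customer-and-linknet
add action=accept chain=forward comment="forward customer traffic to uplinks and linknets" in-interface-list=customer-and-linknet out-interface-list=uplink-and-linknet
add action=accept chain=forward comment="forward traffic arriving from management interfaces" in-interface-list=mgmt
add action=accept chain=forward comment="forward IPsec encapsulated traffic" disabled=yes in-interface-list=uplink-and-linknet ipsec-policy=in,ipsec
add action=accept chain=forward comment="forward traffic between linknets" in-interface-list=linknet out-interface-list=linknet
add action=accept chain=forward comment="forward ICMPv6" protocol=icmpv6
add action=drop chain=forward comment="block traffic from uplinks and linknets" in-interface-list=uplink-and-linknet
{#- input chain: control plane; BGP is accepted from any source on
    uplink-and-linknet and ICMPv6 is unrated, as on the IPv4 side. -#}
add action=accept chain=input comment="allow established connections to router's control plane" connection-state=established,related
add action=accept chain=input comment="allow DNS" dst-port=53 in-interface-list=customer-and-linknet protocol=tcp
add action=accept chain=input comment="allow DNS" dst-port=53 in-interface-list=customer-and-linknet protocol=udp
add action=accept chain=input comment="allow SNMP" dst-port=161 in-interface-list=uplink-and-linknet protocol=udp src-address-list=allow-snmp
add action=accept chain=input comment="allow NTP" dst-port=123 in-interface-list=customer-and-linknet protocol=udp
add action=accept chain=input comment="allow management interfaces to access router's control plane" in-interface-list=mgmt
add action=accept chain=input comment="allow public management IPs access to router's control plane" in-interface-list=uplink-and-linknet src-address-list=allow-management
add action=accept chain=input comment="allow IPsec" disabled=yes in-interface-list=uplink-and-linknet protocol=ipsec-esp src-address-list=allow-ipsec
add action=accept chain=input comment="allow IPsec" disabled=yes dst-port=500,4500 in-interface-list=uplink-and-linknet protocol=udp src-address-list=allow-ipsec
add action=accept chain=input comment="allow IPsec" disabled=yes in-interface-list=uplink-and-linknet ipsec-policy=in,ipsec
add action=accept chain=input comment="allow BGP on uplinks and linknets" dst-port=179 in-interface-list=uplink-and-linknet protocol=tcp
add action=accept chain=input comment="allow ICMP" protocol=icmpv6
add action=accept chain=input comment="allow UDP traceroute" port=33434-33534 protocol=udp
add action=drop chain=input comment="protect router's control plane"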