authorTrygve Laugstøl <trygvis@inamo.no>2025-07-20 22:12:18 +0200
committerTrygve Laugstøl <trygvis@inamo.no>2025-07-20 22:14:21 +0200
commit23b0b2852188d1a965f2bf855d703b483c37c1e9 (patch)
tree0c4d735f5486cf5fecab4703556db369e5702ba4
parent83f2d3e69412fc11dca4d5ae7794342b523a79eb (diff)
Updating kv24ix
-rw-r--r--config/kv24ix.txt38
-rw-r--r--tnet/host_vars/kv24ix/wg.yml2
2 files changed, 23 insertions, 17 deletions
diff --git a/config/kv24ix.txt b/config/kv24ix.txt
index a29716b..2c04479 100644
--- a/config/kv24ix.txt
+++ b/config/kv24ix.txt
@@ -2,7 +2,6 @@ set firewall all-ping enable
set firewall broadcast-ping disable
set firewall ipv6-name WANv6_IN default-action drop
set firewall ipv6-name WANv6_IN description 'WAN inbound traffic forwarded to LAN'
-set firewall ipv6-name WANv6_IN enable-default-log
set firewall ipv6-name WANv6_IN rule 10 action accept
set firewall ipv6-name WANv6_IN rule 10 description 'Allow established/related sessions'
set firewall ipv6-name WANv6_IN rule 10 state established enable
@@ -87,6 +86,7 @@ set interfaces ethernet eth4 poe output off
set interfaces ethernet eth4 speed auto
set interfaces loopback lo
set interfaces switch switch0 address 192.168.10.1/24
+set interfaces switch switch0 address 'fdb1:4242:3538:2006::ffff/64'
set interfaces switch switch0 description Local
set interfaces switch switch0 firewall in
set interfaces switch switch0 ipv6 address
@@ -104,7 +104,7 @@ set interfaces wireguard wg0 peer cuUgTdFH1UEXpUH6V1nashdH7K/L+pl6dmJCpBWN+Xw= e
set interfaces wireguard wg0 peer cuUgTdFH1UEXpUH6V1nashdH7K/L+pl6dmJCpBWN+Xw= persistent-keepalive 60
set interfaces wireguard wg0 private-key /config/auth/wg0.key
set interfaces wireguard wg0 route-allowed-ips false
-set interfaces wireguard wg1 address 'fe80:fef1:078a:5b64:efd3:ae7b:d286:d7cf/64'
+set interfaces wireguard wg1 address 'fdb1:4242:3538:2f01::b/64'
set interfaces wireguard wg1 description tnet-knot
set interfaces wireguard wg1 mtu 1420
set interfaces wireguard wg1 peer eF8DIAyneOlhEzyriFB528IUsnYqy/b5398i0SW06g4= allowed-ips '::/0'
@@ -112,27 +112,32 @@ set interfaces wireguard wg1 peer eF8DIAyneOlhEzyriFB528IUsnYqy/b5398i0SW06g4= e
set interfaces wireguard wg1 peer eF8DIAyneOlhEzyriFB528IUsnYqy/b5398i0SW06g4= persistent-keepalive 60
set interfaces wireguard wg1 private-key /config/auth/knot.key
set interfaces wireguard wg1 route-allowed-ips false
+set interfaces wireguard wg2 address '2a11:6c7:f04:fd::2/64'
set interfaces wireguard wg2 description route64.org
set interfaces wireguard wg2 mtu 1420
+set interfaces wireguard wg2 peer ztZNKsJH/CKQjYz9kUOtcIyKakqaNoNuVPZL8nlDxgM= allowed-ips '::/0'
set interfaces wireguard wg2 peer ztZNKsJH/CKQjYz9kUOtcIyKakqaNoNuVPZL8nlDxgM= endpoint '118.91.187.67:46010'
set interfaces wireguard wg2 peer ztZNKsJH/CKQjYz9kUOtcIyKakqaNoNuVPZL8nlDxgM= persistent-keepalive 30
set interfaces wireguard wg2 private-key /config/auth/route64.key
set interfaces wireguard wg2 route-allowed-ips false
set policy prefix-list6 bitraf-dn42 rule 1 action permit
+set policy prefix-list6 bitraf-dn42 rule 1 description 'tnet subnetworks'
set policy prefix-list6 bitraf-dn42 rule 1 le 128
-set policy prefix-list6 bitraf-dn42 rule 1 prefix 'fdb1:4242:3538::/48'
-set policy route-map knot rule 1 action permit
-set policy route-map knot rule 1 match ipv6 address prefix-list bitraf-dn42
-set policy route-map knot rule 1 set ipv6-next-hop global 'fe80:fef1:78a:5b64:efd3:ae7b:d286:d7ce'
-set policy route-map knot rule 1 set ipv6-next-hop local 'fe80:fef1:78a:5b64:efd3:ae7b:d286:d7ce'
-set protocols bgp 4242423538 address-family ipv6-unicast network 'fdb1:4242:3538:2006::/64' route-map knot
-set protocols bgp 4242423538 neighbor 'fe80:fef1:78a:5b64:efd3:ae7b:d286:d7ce' address-family ipv6-unicast capability graceful-restart
-set protocols bgp 4242423538 neighbor 'fe80:fef1:78a:5b64:efd3:ae7b:d286:d7ce' address-family ipv6-unicast route-map export knot
-set protocols bgp 4242423538 neighbor 'fe80:fef1:78a:5b64:efd3:ae7b:d286:d7ce' address-family ipv6-unicast soft-reconfiguration inbound
-set protocols bgp 4242423538 neighbor 'fe80:fef1:78a:5b64:efd3:ae7b:d286:d7ce' nexthop-self
-set protocols bgp 4242423538 neighbor 'fe80:fef1:78a:5b64:efd3:ae7b:d286:d7ce' password trygvis
-set protocols bgp 4242423538 neighbor 'fe80:fef1:78a:5b64:efd3:ae7b:d286:d7ce' remote-as 4242423538
-set protocols bgp 4242423538 parameters
+set policy prefix-list6 bitraf-dn42 rule 1 prefix 'fdb1:4242:3538:2000::/60'
+set policy route-map bitraf-dn42 rule 1 action permit
+set policy route-map bitraf-dn42 rule 1 match ipv6 address prefix-list bitraf-dn42
+set protocols bgp 4242423538 address-family ipv6-unicast redistribute connected route-map bitraf-dn42
+set protocols bgp 4242423538 neighbor 'fdb1:4242:3538:2f01::a' address-family ipv6-unicast capability graceful-restart
+set protocols bgp 4242423538 neighbor 'fdb1:4242:3538:2f01::a' address-family ipv6-unicast nexthop-self
+set protocols bgp 4242423538 neighbor 'fdb1:4242:3538:2f01::a' address-family ipv6-unicast route-reflector-client
+set protocols bgp 4242423538 neighbor 'fdb1:4242:3538:2f01::a' address-family ipv6-unicast soft-reconfiguration inbound
+set protocols bgp 4242423538 neighbor 'fdb1:4242:3538:2f01::a' capability dynamic
+set protocols bgp 4242423538 neighbor 'fdb1:4242:3538:2f01::a' capability graceful-restart
+set protocols bgp 4242423538 neighbor 'fdb1:4242:3538:2f01::a' password trygvis
+set protocols bgp 4242423538 neighbor 'fdb1:4242:3538:2f01::a' remote-as 4242423538
+set protocols bgp 4242423538 neighbor 'fdb1:4242:3538:2f01::a' soft-reconfiguration inbound
+set protocols bgp 4242423538 parameters graceful-restart
+set protocols static route6 'fdb1:4242:3538:2006::/64' blackhole
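Review bot: The new neighbor stanza `set protocols bgp 4242423538 neighbor 'fdb1:4242:3538:2f01::a' password trygvis` keeps a short, username-like TCP-MD5 secret in a config file that is committed to the repository, so anyone with read access to the repo can forge or reset the iBGP session; a generated secret stored under `/config/auth/` like the WireGuard keys would be preferable, and the value has to change on the knot side at the same time. In practice the session is protected only as far as the wg1 tunnel is, which is presumably what the ULA peer address relies on. Separately, wg2 gains a global address and `allowed-ips '::/0'` in this hunk, but no `firewall in`/`firewall local` binding for wg2 is visible here — unless one exists elsewhere in the file, packets from any IPv6 source arriving via route64.org reach the router and the LAN unfiltered, whereas the WANv6_IN set visible at the top of the file is a drop-by-default policy. The `redistribute connected` export is bounded by the prefix-list's `fdb1:4242:3538:2000::/60 le 128`, so it will not announce the wg2 global prefix.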
set service dhcp-server disabled false
set service dhcp-server hostfile-update disable
set service dhcp-server shared-network-name LAN authoritative enable
@@ -161,8 +166,9 @@ set service dhcp-server shared-network-name LAN subnet 192.168.10.0/24 static-ma
set service dhcp-server shared-network-name LAN subnet 192.168.10.0/24 static-mapping swoppe mac-address 'b4:fb:e4:8a:24:a6'
set service dhcp-server static-arp disable
set service dhcp-server use-dnsmasq disable
-set service dns forwarding cache-size 150
+set service dns forwarding cache-size 1000
set service dns forwarding listen-on switch0
+set service dns forwarding options 'server=/dn42/fd42:d42:d42:54::1'
set service gui http-port 80
set service gui https-port 443
set service gui older-ciphers enable
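Review bot: The added `set service dns forwarding options 'server=/dn42/fd42:d42:d42:54::1'` sends every `*.dn42` lookup from the LAN as plain DNS to that host across the tunnel/BGP path, and nothing in the hunk records what the host is or who operates it; since this command-list format has no comment syntax, that belongs in the commit message or the tnet/ docs, e.g. "fd42:d42:d42:54::1 is the dn42 resolver reached via wg1/BGP". If the route to it is absent, dnsmasq will keep retrying that upstream and `.dn42` lookups time out rather than fall back to the default forwarders, which is presumably the intent. `listen-on switch0` keeps the forwarder off the tunnel interfaces, which is the right scope.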
diff --git a/tnet/host_vars/kv24ix/wg.yml b/tnet/host_vars/kv24ix/wg.yml
index 99c54b6..fb215e8 100644
--- a/tnet/host_vars/kv24ix/wg.yml
+++ b/tnet/host_vars/kv24ix/wg.yml
@@ -1,3 +1,3 @@
tnet_wg:
knot:
- address: fe80:fef1:078a:5b64:efd3:ae7b:d286:d7cf
+ address: fdb1:4242:3538:ffff:18b7:d3ec:5608:db9b
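Review bot: The new `address: fdb1:4242:3538:ffff:18b7:d3ec:5608:db9b` does not match the address this same commit gives the tnet-knot tunnel in config/kv24ix.txt (`wg1 address 'fdb1:4242:3538:2f01::b/64'`, BGP peer at `2f01::a`); the two sit in different /64s of the same ULA /48. If `tnet_wg.knot.address` is what the Ansible side renders into the knot peer's allowed-ips or its own interface address, the session to `2f01::a` would not come up; if it is deliberately a separate address, a comment would stop the next reader from "fixing" it, e.g. `# not the wg1 tunnel address (2f01::b); see config/kv24ix.txt`. How this value is consumed is outside the hunk, so this is a consistency question rather than a confirmed defect.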