-rw-r--r-- | config/kv24ix.txt | 38 | ||||
-rw-r--r-- | tnet/host_vars/kv24ix/wg.yml | 2 |
2 files changed, 23 insertions, 17 deletions
diff --git a/config/kv24ix.txt b/config/kv24ix.txt
index a29716b..2c04479 100644
--- a/config/kv24ix.txt
+++ b/config/kv24ix.txt
@@ -2,7 +2,6 @@ set firewall all-ping enable
 set firewall broadcast-ping disable
 set firewall ipv6-name WANv6_IN default-action drop
 set firewall ipv6-name WANv6_IN description 'WAN inbound traffic forwarded to LAN'
-set firewall ipv6-name WANv6_IN enable-default-log
 set firewall ipv6-name WANv6_IN rule 10 action accept
 set firewall ipv6-name WANv6_IN rule 10 description 'Allow established/related sessions'
 set firewall ipv6-name WANv6_IN rule 10 state established enable
@@ -87,6 +86,7 @@ set interfaces ethernet eth4 poe output off
 set interfaces ethernet eth4 speed auto
 set interfaces loopback lo
 set interfaces switch switch0 address 192.168.10.1/24
+set interfaces switch switch0 address 'fdb1:4242:3538:2006::ffff/64'
 set interfaces switch switch0 description Local
 set interfaces switch switch0 firewall in
 set interfaces switch switch0 ipv6 address
@@ -104,7 +104,7 @@ set interfaces wireguard wg0 peer cuUgTdFH1UEXpUH6V1nashdH7K/L+pl6dmJCpBWN+Xw= e
 set interfaces wireguard wg0 peer cuUgTdFH1UEXpUH6V1nashdH7K/L+pl6dmJCpBWN+Xw= persistent-keepalive 60
 set interfaces wireguard wg0 private-key /config/auth/wg0.key
 set interfaces wireguard wg0 route-allowed-ips false
-set interfaces wireguard wg1 address 'fe80:fef1:078a:5b64:efd3:ae7b:d286:d7cf/64'
+set interfaces wireguard wg1 address 'fdb1:4242:3538:2f01::b/64'
 set interfaces wireguard wg1 description tnet-knot
 set interfaces wireguard wg1 mtu 1420
 set interfaces wireguard wg1 peer eF8DIAyneOlhEzyriFB528IUsnYqy/b5398i0SW06g4= allowed-ips '::/0'
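Review bot: Dropping `enable-default-log` on WANv6_IN removes the only record of packets that hit the ruleset's `default-action drop`, so inbound IPv6 traffic from the WAN that is rejected is no longer visible in the log. If the intent is to cut log noise, per-rule logging on whichever rules generate it, or keeping the default log, preserves detection of unexpected inbound traffic; otherwise the commit should state why WAN-side drop logging is no longer wanted. The WANv6_IN ruleset continues past the end of the hunk, so later rules may carry their own logging.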
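Review bot: The ULA `fdb1:4242:3538:2006::ffff/64` added to switch0 falls inside the `fdb1:4242:3538:2000::/60` prefix-list that the BGP hunk later in this diff redistributes from connected routes, so the LAN segment becomes reachable from the dn42 peers over wg1 and wg2. The context line `set interfaces switch switch0 firewall in` shows no ruleset name, and nothing in this diff binds an IPv6 ruleset to the wireguard interfaces, so it is not visible from the hunk that traffic arriving from the tunnels toward the LAN is filtered the way WANv6_IN filters the WAN side. Worth confirming and, if absent, attaching an equivalent `ipv6-name` ruleset `in` on wg1 and wg2.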
@@ -112,27 +112,32 @@ set interfaces wireguard wg1 peer eF8DIAyneOlhEzyriFB528IUsnYqy/b5398i0SW06g4= e
 set interfaces wireguard wg1 peer eF8DIAyneOlhEzyriFB528IUsnYqy/b5398i0SW06g4= persistent-keepalive 60
 set interfaces wireguard wg1 private-key /config/auth/knot.key
 set interfaces wireguard wg1 route-allowed-ips false
+set interfaces wireguard wg2 address '2a11:6c7:f04:fd::2/64'
 set interfaces wireguard wg2 description route64.org
 set interfaces wireguard wg2 mtu 1420
+set interfaces wireguard wg2 peer ztZNKsJH/CKQjYz9kUOtcIyKakqaNoNuVPZL8nlDxgM= allowed-ips '::/0'
 set interfaces wireguard wg2 peer ztZNKsJH/CKQjYz9kUOtcIyKakqaNoNuVPZL8nlDxgM= endpoint '118.91.187.67:46010'
 set interfaces wireguard wg2 peer ztZNKsJH/CKQjYz9kUOtcIyKakqaNoNuVPZL8nlDxgM= persistent-keepalive 30
 set interfaces wireguard wg2 private-key /config/auth/route64.key
 set interfaces wireguard wg2 route-allowed-ips false
 set policy prefix-list6 bitraf-dn42 rule 1 action permit
+set policy prefix-list6 bitraf-dn42 rule 1 description 'tnet subnetworks'
 set policy prefix-list6 bitraf-dn42 rule 1 le 128
-set policy prefix-list6 bitraf-dn42 rule 1 prefix 'fdb1:4242:3538::/48'
-set policy route-map knot rule 1 action permit
-set policy route-map knot rule 1 match ipv6 address prefix-list bitraf-dn42
-set policy route-map knot rule 1 set ipv6-next-hop global 'fe80:fef1:78a:5b64:efd3:ae7b:d286:d7ce'
-set policy route-map knot rule 1 set ipv6-next-hop local 'fe80:fef1:78a:5b64:efd3:ae7b:d286:d7ce'
-set protocols bgp 4242423538 address-family ipv6-unicast network 'fdb1:4242:3538:2006::/64' route-map knot
-set protocols bgp 4242423538 neighbor 'fe80:fef1:78a:5b64:efd3:ae7b:d286:d7ce' address-family ipv6-unicast capability graceful-restart
-set protocols bgp 4242423538 neighbor 'fe80:fef1:78a:5b64:efd3:ae7b:d286:d7ce' address-family ipv6-unicast route-map export knot
-set protocols bgp 4242423538 neighbor 'fe80:fef1:78a:5b64:efd3:ae7b:d286:d7ce' address-family ipv6-unicast soft-reconfiguration inbound
-set protocols bgp 4242423538 neighbor 'fe80:fef1:78a:5b64:efd3:ae7b:d286:d7ce' nexthop-self
-set protocols bgp 4242423538 neighbor 'fe80:fef1:78a:5b64:efd3:ae7b:d286:d7ce' password trygvis
-set protocols bgp 4242423538 neighbor 'fe80:fef1:78a:5b64:efd3:ae7b:d286:d7ce' remote-as 4242423538
-set protocols bgp 4242423538 parameters
+set policy prefix-list6 bitraf-dn42 rule 1 prefix 'fdb1:4242:3538:2000::/60'
+set policy route-map bitraf-dn42 rule 1 action permit
+set policy route-map bitraf-dn42 rule 1 match ipv6 address prefix-list bitraf-dn42
+set protocols bgp 4242423538 address-family ipv6-unicast redistribute connected route-map bitraf-dn42
+set protocols bgp 4242423538 neighbor 'fdb1:4242:3538:2f01::a' address-family ipv6-unicast capability graceful-restart
+set protocols bgp 4242423538 neighbor 'fdb1:4242:3538:2f01::a' address-family ipv6-unicast nexthop-self
+set protocols bgp 4242423538 neighbor 'fdb1:4242:3538:2f01::a' address-family ipv6-unicast route-reflector-client
+set protocols bgp 4242423538 neighbor 'fdb1:4242:3538:2f01::a' address-family ipv6-unicast soft-reconfiguration inbound
+set protocols bgp 4242423538 neighbor 'fdb1:4242:3538:2f01::a' capability dynamic
+set protocols bgp 4242423538 neighbor 'fdb1:4242:3538:2f01::a' capability graceful-restart
+set protocols bgp 4242423538 neighbor 'fdb1:4242:3538:2f01::a' password trygvis
+set protocols bgp 4242423538 neighbor 'fdb1:4242:3538:2f01::a' remote-as 4242423538
+set protocols bgp 4242423538 neighbor 'fdb1:4242:3538:2f01::a' soft-reconfiguration inbound
+set protocols bgp 4242423538 parameters graceful-restart
+set protocols static route6 'fdb1:4242:3538:2006::/64' blackhole
 set service dhcp-server disabled false
 set service dhcp-server hostfile-update disable
 set service dhcp-server shared-network-name LAN authoritative enable
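Review bot: The new neighbor `'fdb1:4242:3538:2f01::a'` keeps `password trygvis` — a short, name-like string — as the BGP session password, stored in cleartext in a config committed to the repo; it is carried over from the removed link-local neighbor rather than introduced here, but rewriting the neighbor block is the moment to replace it with a generated secret sourced from the same vault/host_vars mechanism that the WireGuard keys under /config/auth appear to use. The neighbor is also marked `route-reflector-client` with no inbound route-map or prefix-list, so whatever the peer advertises is accepted and, as a reflector, passed on; even for an iBGP peer in AS 4242423538 an `address-family ipv6-unicast route-map import` restricted to `bitraf-dn42` (or the prefixes the peer is expected to originate) bounds the impact of a misconfigured peer. `soft-reconfiguration inbound` is set both at the neighbor level and under `address-family ipv6-unicast`, which looks like one line too many.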
@@ -161,8 +166,9 @@ set service dhcp-server shared-network-name LAN subnet 192.168.10.0/24 static-ma
 set service dhcp-server shared-network-name LAN subnet 192.168.10.0/24 static-mapping swoppe mac-address 'b4:fb:e4:8a:24:a6'
 set service dhcp-server static-arp disable
 set service dhcp-server use-dnsmasq disable
-set service dns forwarding cache-size 150
+set service dns forwarding cache-size 1000
 set service dns forwarding listen-on switch0
+set service dns forwarding options 'server=/dn42/fd42:d42:d42:54::1'
 set service gui http-port 80
 set service gui https-port 443
 set service gui older-ciphers enable
diff --git a/tnet/host_vars/kv24ix/wg.yml b/tnet/host_vars/kv24ix/wg.yml
index 99c54b6..fb215e8 100644
--- a/tnet/host_vars/kv24ix/wg.yml
+++ b/tnet/host_vars/kv24ix/wg.yml
@@ -1,3 +1,3 @@
 tnet_wg:
   knot:
-    address: fe80:fef1:078a:5b64:efd3:ae7b:d286:d7cf
+    address: fdb1:4242:3538:ffff:18b7:d3ec:5608:db9b
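Review bot: `server=/dn42/fd42:d42:d42:54::1` forwards every query under `dn42` from the LAN-facing forwarder (`listen-on switch0`) to a resolver that is reachable only across the tunnels added in this commit, and the answers are not validated, so LAN name resolution for that domain now trusts both that upstream and the path to it. Nothing in the hunk records which resolver this is or who operates it; a note in the host's documentation, and a second `server=/dn42/…` entry for redundancy if another trusted resolver is available, would make the dependency reviewable.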
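Review bot: The new `address` in tnet/host_vars/kv24ix/wg.yml is `fdb1:4242:3538:ffff:18b7:d3ec:5608:db9b`, while config/kv24ix.txt in the same commit sets wg1 to `fdb1:4242:3538:2f01::b/64`; before this change both files carried the same `fe80:fef1:078a:5b64:efd3:ae7b:d286:d7cf` value. If the host_vars entry is what the knot side uses for its peer `allowed-ips`, the two now disagree and one end of the tunnel will be misaddressed; if the yaml intentionally tracks a different address, a comment on the key such as `# not the wg1 interface address in config/kv24ix.txt; see <reason>` would stop the next reader from "fixing" it.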