roll out (private) IPv6 on George Sand

group_vars/all/vars.yml

@@ -50,8 +50,8 @@ dns_host_suffix_backup: 153
 backup_dns_servers:
   - "80.67.169.12" # French Data Network (FDN) (ns0.fdn.fr)
 
-# Misc
+# Finally raised!
-mtu: 1400
+mtu: 1500
 
 subnet_ids:
   ap: "14{{ apartment_block_id }}"

roles/radvd/tasks/main.yml

@@ -10,6 +10,8 @@
     dest: /etc/radvd.conf
     mode: 0644
   notify: restart radvd
+  tags:
+    - radconf
 
 - name: Install radvd
   apt:

roles/radvd/templates/radvd.conf.j2

@@ -39,7 +39,7 @@ interface ens20 {
     MaxRtrAdvInterval 30;
 
     AdvRASrcAddress {
-        {{{ ipv6_base_prefix }}:{{ subnet_ids.users_wired }}::0:{{ router_ip_suffix }};
+        fe80::1;
     };
 
     prefix {{ ipv6_base_prefix }}:{{ subnet_ids.users_wired }}::/64  {
@@ -63,7 +63,7 @@ interface ens21 {
     MaxRtrAdvInterval 30;
 
     AdvRASrcAddress {
-        {{{ ipv6_base_prefix }}:{{ subnet_ids.users_wifi }}::0:{{ router_ip_suffix }};
+        fe80::1;
     };
 
     prefix {{ ipv6_base_prefix }}:{{ subnet_ids.users_wifi }}::/64  {

roles/router/tasks/main.yml

@@ -8,7 +8,7 @@
 
 - name: Enable IPv6 packet forwarding
   ansible.posix.sysctl:
-    name: net.ipv6.ip_forward
+    name: net.ipv6.conf.all.forwarding
     value: '1'
     sysctl_set: yes
 

roles/router/templates/firewall_config.py

@@ -24,8 +24,8 @@
 
 ### Give me a role
 
-# routeur4 = routeur IPv4
+# previously: routeur4 = routeur IPv4
-role = ['routeur4', 'routeur6']
+role = ['routeur']
 
 
 ### Specify each interface role

roles/router/templates/keepalived.conf

@@ -7,7 +7,7 @@ global_defs {
 }
 
 
-vrrp_instance VI_ROUT_{{ apartment_block }} {
+vrrp_instance VI_ROUT_{{ apartment_block }}_IPv4 {
   {% if 'backup' in inventory_hostname %}
   state BACKUP
   priority 100
@@ -21,7 +21,7 @@ vrrp_instance VI_ROUT_{{ apartment_block }} {
   interface ens18
 
   # Shared by MASTER and BACKUP
-  virtual_router_id {{ apartment_block_id }}
+  virtual_router_id 4{{ apartment_block_id }}
 
   # Timeout in seconds before failover kicks in.
   advert_int 2
@@ -37,7 +37,6 @@ vrrp_instance VI_ROUT_{{ apartment_block }} {
   virtual_ipaddress {
         # Routing subnet
         10.129.{{ apartment_block_id }}.254/16 brd 10.129.255.255 dev ens19 scope global
-        {{ ipv6_base_prefix }}:129:0::{{ apartment_block_id }}:254/64 dev ens19 scope global
 
 
         # NATed subnet: wired
@@ -48,21 +47,63 @@ vrrp_instance VI_ROUT_{{ apartment_block }} {
 
         # Wired
         10.{{ subnet_ids.users_wired }}.0.254/16 brd 10.{{ subnet_ids.users_wired }}.255.255 dev ens20 scope global
-        {{ ipv6_base_prefix }}:{{ subnet_ids.users_wired }}::0:254/64 dev ens20 scope global
 
         # Wifi
         10.{{ subnet_ids.users_wifi }}.0.254/16 brd 10.{{ subnet_ids.users_wifi }}.255.255 dev ens21 scope global
-        {{ ipv6_base_prefix }}:{{ subnet_ids.users_wifi }}::0:254/64 dev ens21 scope global
    }
 
 
-  # FIXME: update for IPv6
   virtual_routes {
         # 10.129.0.1 is Yggdrasil
         src 10.129.{{ apartment_block_id }}.254 to 0.0.0.0/0 via 10.129.0.1 dev ens19
+  }
+}
 
+vrrp_instance VI_ROUT_{{ apartment_block }}_IPv6 {
+  {% if 'backup' in inventory_hostname %}
+  state BACKUP
+  priority 100
+  {% else %}
+  state MASTER
+  priority 150
+  {% endif %}
+
+
+  # Interface used for VRRP communication.
+  interface ens18
+
+  # Shared by MASTER and BACKUP
+  virtual_router_id 6{{ apartment_block_id }}
+
+  # Timeout in seconds before failover kicks in.
+  advert_int 2
+
+  # Used to authenticate VRRP communication between master and backup.
+  authentication {
+    auth_type PASS
+    auth_pass {{ keepalived_password }}
+  }
+
+  smtp_alert
+
+  virtual_ipaddress {
+        # Routing subnet
+        fe80::1/64 dev ens19 scope global
+        {{ ipv6_base_prefix }}:129::{{ apartment_block_id }}:254/64 dev ens19 scope global
+
+        # Wired
+        fe80::1/64 dev ens20 scope global
+
+        # Wifi
+        fe80::1/64 dev ens21 scope global
+   }
+
+
+  virtual_routes {
         # For IPv6, the master router is routeur-aurore, NOT yggdrasil,
         # because yggdrasil doesn't support BGPv6 announcements.
-        src {{ ipv6_base_prefix }}:129::{{ apartment_block_id }}:254 to ::/0 via {{ ipv6_base_prefix }}:129::0:1 dev ens19
+        src {{ ipv6_base_prefix }}:129::{{ apartment_block_id }}:254 to ::/0 via {{ ipv6_base_prefix }}:129::0:254 dev ens19
   }
 }
+
+

roles/unbound/templates/recursive.conf.j2

@@ -36,7 +36,7 @@ server:
     access-control: 10.{{ subnet_ids.ap }}.0.0/16 allow
     access-control: 10.{{ subnet_ids.users_wired }}.0.0/16 allow
     access-control: 10.{{ subnet_ids.users_wifi }}.0.0/16 allow
-    access-control: {{ ipv6_base_prefix }}::/32 # Fuck it... :)
+    access-control: {{ ipv6_base_prefix }}::/32 allow # Fuck it... :)
 
     num-threads: {{ ansible_processor_vcpus }}