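#!/bin/sh
# Nico Schottelius, 2024-07-22
#
# Provision a clean/newly set up OpenWrt device as a NAT64 gateway:
# jool translates, bird2 announces the NAT64 prefix via Babel and iBGP.
# This script assumes a clean/newly setup openwrt device.
#
# Assumption:
# WAN = IPv4, dhcp provided externally
# LAN = IPv6, "clients" that want to reach IPv4 Internet
# Consequences
# - do not provide IPv4 or IPv6 dhcp/ra on any interface
#
# Usage:
#   $0 address hostname nat64prefix ipv4address ipv4gw asn routerid babelpw iBGPpeer1 [iBGPpeer2...]
#
# The WAN netmask defaults to 255.255.255.0; set IPV4_NETMASK in the
# environment when the upstream differs.
#
# Every argument is expanded into a shell script that runs as root on the
# device (unquoted heredoc below), so arguments are checked for heredoc/
# shell metacharacters before anything is sent. babelpw is taken from the
# command line and is therefore visible in the local process list while
# this script runs.

#######################################
# Print usage to stderr and exit non-zero.
#######################################
usage() {
  printf 'Usage: %s address hostname nat64prefix ipv4address ipv4gw asn routerid babelpw iBGPpeer1 [iBGPpeer2...]\n' "$0" >&2
  exit 1
}

#######################################
# Reject values that would break out of the remote heredoc, the quoted
# strings in bird.conf or the jool JSON, or the space-separated peer list.
# Arguments: $1 - parameter name (for the message), $2 - value
# Returns:   0 if acceptable, exits 1 otherwise
#######################################
check_arg() {
  case "$2" in
    ""|*\"*|*\$*|*\`*|*\\*|*[[:space:]]*)
      printf '%s: invalid value for %s\n' "$0" "$1" >&2
      exit 1
      ;;
  esac
}

# 8 fixed parameters plus at least one iBGP peer.
[ $# -ge 9 ] || usage

address=$1; shift
hostname=$1; shift
nat64prefix=$1; shift
ipv4address=$1; shift
ipv4gw=$1; shift
asn=$1; shift
routerid=$1; shift
babelpw=$1; shift
# Hardcoded in earlier versions; usually correct, override via environment.
ipv4netmask=${IPV4_NETMASK:-255.255.255.0}

check_arg address "$address"
check_arg hostname "$hostname"
check_arg nat64prefix "$nat64prefix"
check_arg ipv4address "$ipv4address"
check_arg ipv4gw "$ipv4gw"
check_arg asn "$asn"
check_arg routerid "$routerid"
check_arg babelpw "$babelpw"
check_arg IPV4_NETMASK "$ipv4netmask"

# Now $@ only contains iBGP peers; validate each, then join with spaces
# so the remote for-loop can word-split them again.
for peer in "$@"; do
  check_arg iBGPpeer "$peer"
done
ibgp_peers="$*"

# The heredoc is intentionally unquoted: ${var} is expanded locally,
# \${var} is left for the remote shell.
cat <<EOF | ssh -t "root@${address}"
set -x

# Install first; nothing below works without jool and bird, so stop here
# instead of restarting services with no binaries behind them.
opkg update || exit 1

# add jool + bird2 + tcpdump
opkg install jool-tools-netfilter bird2 bird2c tcpdump tmux atop || exit 1

# Do not announce ULA - we have GUA
uci delete network.globals.ula_prefix

# Remove IPv6 assign, we are using static IPv6
uci delete network.lan.ip6assign

# Disable firewalling effectively to allow traffic any direction
uci set firewall.@defaults[0].input=ACCEPT
uci set firewall.@defaults[0].forward=ACCEPT

# Set hostname
uci set system.@system[0].hostname="${hostname}"

# Set IPv4 address on WAN for NAT64 upstream
uci set network.wan.ipaddr="${ipv4address}"
uci set network.wan.netmask="${ipv4netmask}"
uci set network.wan.gateway="${ipv4gw}"
uci set network.wan.proto="static"

# Make LAN IPv6 dynamic
uci delete network.lan.ipaddr
uci delete network.lan.netmask
uci delete network.lan.gateway
uci set network.lan.proto="dhcpv6"

# Disable DHCP on LAN
uci delete dhcp.lan.dhcpv4
uci delete dhcp.lan.dhcpv6
uci delete dhcp.lan.ra
uci set dhcp.lan.ignore=1
uci commit

# TODO: Do something wireless (?), maybe disable?

echo "Setting up bird ..."

cat > /etc/bird.conf <<BBB
log syslog all;
router id ${routerid};

protocol device { }
protocol bfd { }

# Just announce, no kernel interaction
protocol static static6 {
ipv6;
route ${nat64prefix} unreachable;
}
# for getting iBGP routes
protocol babel {
interface "br-lan", "wan" { type wired; authentication mac; password "${babelpw}"; };
ipv6 { export where (source = RTS_DEVICE) || (source = RTS_BABEL); };
}
protocol kernel kernel_v6 {
ipv6 { export where source ~ [ RTS_BABEL ]; };
}
BBB

# One iBGP session per peer; the static NAT64 prefix is the only export.
for ibgp_peer in ${ibgp_peers}; do
cat >> /etc/bird.conf <<BBB
protocol bgp {
local as ${asn};
neighbor \${ibgp_peer} as ${asn};

ipv6 {
import none;
export where source ~ [ RTS_STATIC ];
};
}
BBB
done

# bird.conf holds the Babel MAC password; keep it out of world-readable.
chmod 600 /etc/bird.conf

# jool: NAT64 with pool6 = the announced prefix, pool4 = the WAN address
cat > /etc/jool/jool-nat64.conf.json <<BBB
{
"comment": "NAT64 by cdist",

"instance": "default",
"framework": "netfilter",

"global": {
"comment": "pool6 prefix",
"pool6": "${nat64prefix}"
},

"comment": "IPv4 pool4 table",
"pool4": [
{
"protocol": "TCP",
"prefix": "${ipv4address}",
"port range": "40001-65535"
}, {
"protocol": "UDP",
"prefix": "${ipv4address}",
"port range": "40001-65535"
}, {
"protocol": "ICMP",
"prefix": "${ipv4address}",
"port range": "40001-65535"
}
]
}
BBB

uci set jool.general.enabled=1
uci set jool.nat64.enabled=1
uci commit

# start jool and bird now and on every boot
/etc/init.d/jool enable
/etc/init.d/jool restart
/etc/init.d/bird enable
/etc/init.d/bird restart

EOF

printf '%s\n' "Restart router to restart firewall, network, dhcp"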