FreifunkBremen · genofire · Feb 3, 2019 · Feb 3, 2019 · Feb 3, 2019 · Feb 3, 2019
diff --git a/.gitmodules b/.gitmodules
@@ -1,3 +1,6 @@
 [submodule "site"]
 	path = site
 	url = https://github.com/FreifunkBremen/gluon-site-ffhb.git
+[submodule "roles/respondd"]
+	path = roles/respondd
+	url = https://github.com/freifunk-ansible/ansible-role-yanic.git
diff --git a/README.md b/README.md
@@ -87,3 +87,53 @@ Add your new VPN to the [IC-VPN-Meta](https://github.com/freifunk/icvpn-meta) to
 Ask to other VPN-Owner to run ansible again.
 On this way the other vpns got the new internal routing in ```bird``` and ```bird6```.
 [See here](https://github.com/FreifunkBremen/ansible/tree/master/roles/router-bird/templates)
+
+
+## Babel
+
+**NAT64**
+
+if installed nat64 maybe extends port pool by reconfigure local range `sysctl net.ipv4.ip_local_port_range`
+
+Or use other address-pool (and firewall)  `/etc/systemd/system/jool.service`:
+```
+...
+ExecStart=/usr/local/bin/jool instance add --iptables --pool6=64:ff9b::/96
+ExecStartPost=/usr/local/bin/jool pool4 add --icmp 185.117.213.250 1601-3000
+ExecStartPost=/usr/local/bin/jool pool4 add --udp  185.117.213.250 3001-65535
+ExecStartPost=/usr/local/bin/jool pool4 add --tcp  185.117.213.250 1601-65535
+...
+```
+
+
+### Babel Gateway
+A babel gateway is a maschine which allow to exit ipv6 default route and recieve the client and nodes subnet
+
+Such a gateway need some special configuration.
+- (A bigger nat64 whould be nice)
+- ip routes for exit
+	- `post-up  ip -r r add default via 2a06:8782:ff00::1 dev $IFACE proto 159 table default-freifunk`
+	- firewall rules /etc/firewall.d/20-exit 
+		```
+		ipt6 -A FORWARD -o ens3 -i babel-+ -j ACCEPT
+		ipt6 -A FORWARD -i ens3 -o babel-+ -j ACCEPT
+		```
+
+- maybe run yanic to collect and forward stats data
+	- firewall for respondd
+	- firewall for yanic
+- tunnel to babel vpn
+	- add to /etc/babeld.conf
+	- to /etc/systemd/system/mmfd.service
+
+### Babel VPN
+A babel vpn is a maschine which recieve VPN connection and "forward" them to a gateway.
+It could run nat64 at his own and exit ipv4.
+
+TODO: respondd firewall:
+```
+# babel
+ipt6 -A INPUT -i babel-+ -p udp --dport 1001 -j ACCEPT
+ipt6 -A INPUT -i mmfd0 -p udp --dport 1001 -j ACCEPT
+```
+
diff --git a/group_vars/all/vars.yml b/group_vars/all/vars.yml
@@ -4,5 +4,6 @@ site_git_root:        'https://github.com/FreifunkBremen'
 site_city:            'bremen'
 site_domain:          'bremen.freifunk.net'
 site_vpn_prefix:      'vpn'
+freifunk_site_code:   'ffhb'
 icvpn_as:             65196
 fastd_peers_limit:    200
diff --git a/hosts b/hosts
@@ -7,6 +7,8 @@ import hosts
 import json
 
 inv = hosts.Inventory('site/site.conf',
+  ipv6_babelmesh_network = "2a06:8782:ffbb:bab0::/64",
+  ipv6_babelclient_network = "2a06:8782:ffbb:bab1::/64",
   ipv6_global_network = "2a06:8782:ffbb:1337::/64",
   ipv6_uplink_network = "2a06:8782:ffbb::/64",
   icvpn_ipv4_network = "10.207.0.196/16",
@@ -43,6 +45,13 @@ grp.host(7, "vpn07.bremen.freifunk.net", exit_ipv4="default", exit_ipv4_interfac
 grp.host(8, "vpn08.bremen.freifunk.net", exit_ipv4="default", exit_ipv4_interface="enp1s0", exit_ipv6_remote=False, exit_ipv6_interface="enp1s0", max_mtu=1438)
 grp.host(9, "vpn09.bremen.freifunk.net", exit_ipv4="default", exit_ipv4_interface="enp1s0", exit_ipv6_remote=False, exit_ipv6_interface="enp1s0", max_mtu=1438)
 
+grp = inv.group("babelservers",
+  babel=True,
+  firewall_enabled=True,
+)
+grp.host(9, "babel-gw-lwlcom.bremen.freifunk.net")
+grp.host(7, "ffhb.h.sum7.eu")
+
 grp = inv.group("eventsserver")
 grp.host(0, "mgmt.bremen.freifunk.net")
 

diff --git a/lib/hosts.py b/lib/hosts.py
@@ -22,19 +22,21 @@ class Inventory:
 
   groups = {}
 
-  def __init__(self, site_conf, ipv6_global_network=None, ipv6_local_network=None, ipv6_uplink_network=None, icvpn_ipv4_network=None, icvpn_ipv6_network=None):
+  def __init__(self, site_conf, ipv6_global_network=None, ipv6_local_network=None, ipv6_uplink_network=None, icvpn_ipv4_network=None, icvpn_ipv6_network=None, ipv6_babelmesh_network=None, ipv6_babelclient_network=None):
 
     # read and parse site.conf
     with open(site_conf,'r') as f:
       self.site = lua.decode(f.read())
       if not isinstance(self.site, dict):
         raise TypeError("Unable to parse site.conf")
 
-    self.ipv4_network        = ipcalc.Network(self.site["prefix4"])
-    self.icvpn_ipv4_network  = ipcalc.Network(icvpn_ipv4_network)
-    self.icvpn_ipv6_network  = ipcalc.Network(icvpn_ipv6_network)
-    self.ipv6_uplink_network = ipcalc.Network(ipv6_uplink_network)
-    self.ipv6_global_network  = ipcalc.Network(ipv6_global_network)
+    self.ipv4_network              = ipcalc.Network(self.site["prefix4"])
+    self.icvpn_ipv4_network        = ipcalc.Network(icvpn_ipv4_network)
+    self.icvpn_ipv6_network        = ipcalc.Network(icvpn_ipv6_network)
+    self.ipv6_uplink_network       = ipcalc.Network(ipv6_uplink_network)
+    self.ipv6_global_network       = ipcalc.Network(ipv6_global_network)
+    self.ipv6_babelmesh_network    = ipcalc.Network(ipv6_babelmesh_network)
+    self.ipv6_babelclient_network  = ipcalc.Network(ipv6_babelclient_network)
 
     if "prefix6" in self.site:
       self.ipv6_local_network = ipcalc.Network(self.site["prefix6"])
@@ -60,12 +62,14 @@ def data(self):
 
     data["_meta"] = {"hostvars": hostvars}
     data["all"]   = {"vars": {
-      "site":                self.site,
-      "site_code":           self.site["site_code"],
-      "ipv4_network":        self.attributeString("ipv4_network"),
-      "ipv6_local_network":  self.attributeString("ipv6_local_network"),
-      "ipv6_uplink_network": self.attributeString("ipv6_uplink_network"),
-      "ipv6_global_network": self.attributeString("ipv6_global_network"),
+      "site":                     self.site,
+      "site_code":                self.site["site_code"],
+      "ipv4_network":             self.attributeString("ipv4_network"),
+      "ipv6_local_network":       self.attributeString("ipv6_local_network"),
+      "ipv6_uplink_network":      self.attributeString("ipv6_uplink_network"),
+      "ipv6_global_network":      self.attributeString("ipv6_global_network"),
+      "ipv6_babelmesh_network":   self.attributeString("ipv6_babelmesh_network"),
+      "ipv6_babelclient_network": self.attributeString("ipv6_babelclient_network"),
     }}
 
     return data
@@ -93,10 +97,11 @@ def calculate_address(self, key, incr):
     }
 
 class Group:
-  def __init__(self, inventory, dhcp=False, icvpn=False, **vars):
+  def __init__(self, inventory, dhcp=False, icvpn=False, babel=False, **vars):
     self.inventory = inventory
     self.dhcp      = dhcp
     self.icvpn     = icvpn
+    self.babel     = babel
     self.vars      = vars
     self.hosts     = []
     self.children  = []
@@ -106,10 +111,12 @@ def host(self, id, hostname, **host_vars):
     vars.update(host_vars)
     vars.update({
       "vpn_id":             id,
+      "babel":              self.babel,
       "batman_ipv4":        self.calculate_address("ipv4_network", id),
       "batman_ipv6_global": self.calculate_address("ipv6_global_network", id),
       "batman_ipv6_local":  self.calculate_address("ipv6_local_network", id),
     })
+
 
     if self.dhcp:
       begin = self.inventory.ipv4_network.ip + (id << 8)*10
@@ -125,6 +132,10 @@ def host(self, id, hostname, **host_vars):
       vars["icvpn_ipv4_network"] = self.inventory.attributeString("icvpn_ipv4_network")
       vars["icvpn_ipv6_network"] = self.inventory.attributeString("icvpn_ipv6_network")
 
+    if self.babel:
+      vars["babel_ipv6_mesh"]   = self.calculate_address("ipv6_babelmesh_network", id)
+      vars["babel_ipv6_client"] = self.calculate_address("ipv6_babelclient_network", id)
+
     vars["ipv6_uplink_own_gateway"] = self.calculate_address("ipv6_uplink_network", (id << 16*4)+1)
     vars["ipv6_uplink_own_vpnserver"] = self.calculate_address("ipv6_uplink_network", (id << 16*4)+2)
 

diff --git a/playbooks/babelserver.yml b/playbooks/babelserver.yml
@@ -0,0 +1,31 @@
+---
+- hosts: babelservers
+  vars:
+    yanic_version: respondd
+    yanic_respondd: true
+    yanic_respondd_babel: true
+    yanic_respondd_batman: []
+    yanic_respondd_listen_clientdev:
+      - babel-ffhb
+      - mmfd0
+  roles:
+  - { role: etckeeper-pre, tags: [etckeeper-pre] }
+  - { role: apt, tags: [apt] }
+  - { role: openssh, tags: [openssh] }
+  - { role: rkhunter, tags: [rkhunter] }
+  - { role: etckeeper, tags: [etckeeper] }
+  - { role: monitoring-client, tags: [monitoring-client] }
+  - { role: respondd, tags: [respondd] }
+  - { role: babeld,  tags: [ babeld, babel ] }
+  - { role: l3roamd,  tags: [ l3roamd, babel ] }
+  - { role: mmfd,  tags: [ mmfd, babel ] }
+  - { role: wg-broker,  tags: [ wireguard, vpn ] }
+  - { role: jool, tags: [jool,plat,nat64] }
+  - { role: unbound, tags: [unbound,plat,dns64] }
+  - { role: system, tags: [system] }
+  - { role: tmpfs, tags: [tmpfs] }
+  - { role: tools, tags: [tools] }
+  - { role: motd, tags: [motd] }
+  - { role: nginx, tags: [nginx] }
+  - { role: speedtest, tags: [speedtest] }
+  - { role: etckeeper-post, tags: [etckeeper-post] }
diff --git a/roles/babeld/defaults/main.yml b/roles/babeld/defaults/main.yml
@@ -0,0 +1,9 @@
+---
+babeld_repository: "https://dl.ffm.freifunk.net/debian-packages/ sid main"
+babeld_repository_key: 390BF305
+
+ffhb_routing_table: default-freifunk
+
+babel_bridge: babel-{{ site_code }}
+babel_interfaces_vpn: []
+babel_interfaces: "{{ [babel_bridge] + babel_interfaces_vpn }}"
diff --git a/roles/babeld/files/echotobabel b/roles/babeld/files/echotobabel
@@ -0,0 +1,12 @@
+#!/bin/bash
+PORT=33123
+
+count=0
+line="$1"
+while ! (echo -e "$line" | nc ::1 "$PORT" >/dev/null 2>&1)
+do
+  sleep 1
+  echo retrying to connect to babeld on port $PORT in script in PID $$, waited ${count}s >&2
+  count=$((count+1))
+done
+exit 0
diff --git a/roles/babeld/handlers/main.yml b/roles/babeld/handlers/main.yml
@@ -0,0 +1,6 @@
+---
+- name: restart babeld
+  service: name=babeld state=restarted
+
+- name: reload systemd
+  command: systemctl daemon-reload
diff --git a/roles/babeld/tasks/main.yml b/roles/babeld/tasks/main.yml
@@ -0,0 +1,56 @@
+- name: Add repository key for babeld and utils
+  apt_key: keyserver="{{ pgp_keyserver }}" id="{{babeld_repository_key}}"
+
+- name: Add repository for babeld and utils
+  apt_repository: repo="deb {{babeld_repository}}"
+
+- name: Install babeld
+  apt:
+    name:
+    - babeld
+    - netcat-openbsd
+    - bridge-utils
+
+- name: Create batman routing table
+  lineinfile:
+    dest: /etc/iproute2/rt_tables
+    line: "252 {{ ffhb_routing_table }}"
+    regexp: "^252 "
+
+- name: Upload babeld.conf
+  template: src=babeld.conf dest=/etc/babeld.conf
+  notify:
+  - restart babeld
+
+- name: Install interfaces file
+  template: >
+    src=interfaces
+    dest=/etc/network/interfaces.d/babel-{{site_code}}
+
+- name: Configure firewall
+  template: src=firewall.sh dest={{ firewall_path }}/30-babel-{{site_code}}
+  when: firewall_enabled
+  notify: reload firewall
+
+- name: Install babeld service
+  template: src=babeld.service dest=/etc/systemd/system/babeld.service
+  notify:
+  - reload systemd
+  - restart babeld
+
+- name: Copy echotobabel
+  copy: src=echotobabel dest=/usr/local/bin/echotobabel mode=750
+
+- name: Set interfaces up
+  command: ifup {{ item }}
+  register: ifup_result
+  changed_when: '"already configured" not in ifup_result.stderr'
+  with_items:
+  - "{{ babel_bridge }}"
+
+- name: Enable babeld
+  service:
+    name: babeld
+    enabled: yes
+    state: started
+
diff --git a/roles/babeld/templates/babeld.conf b/roles/babeld/templates/babeld.conf
@@ -0,0 +1,25 @@
+ipv6-subtrees true
+reflect-kernel-metric true
+import-table 252
+export-table 252
+local-port-readwrite 33123
+
+
+interface {{ babel_bridge }}
+{% for ifname in babel_interfaces_vpn %}
+interface {{ ifname }} type tunnel link-quality true
+{% endfor %}
+
+default enable-timestamps true
+default max-rtt-penalty 96
+out ip {{ babel_ipv6_client.address }}/128 deny
+redistribute ip {{ babel_ipv6_client.address }}/128 deny
+redistribute ip {{ ipv6_babelclient_network }} eq 128 allow
+redistribute ip fd2f:5119:f2c::/64 eq 128  allow
+redistribute ip {{ ipv6_babelmesh_network }} eq 128 allow
+# jool nat64
+redistribute ip fd2f:5119:f2c:624::/48 eq 96  allow
+redistribute ip fd2f:5119:f2c:426::/48 eq 96  allow
+# redistribute src-ip 2a06:8187:fb00::/40 ip ::/0 allow
+redistribute ip ::/0 allow
+redistribute local deny
diff --git a/roles/babeld/templates/babeld.service b/roles/babeld/templates/babeld.service
@@ -0,0 +1,12 @@
+[Unit]
+Description=babeld
+Wants=basic.target
+After=basic.target network.target
+
+[Service]
+Type=forking
+ExecStart=/usr/local/bin/babeld -D -c /etc/babeld.conf
+KillMode=process
+
+[Install]
+WantedBy=multi-user.target
diff --git a/roles/babeld/templates/firewall.sh b/roles/babeld/templates/firewall.sh
@@ -0,0 +1,9 @@
+# babeld control
+ipt -A INPUT -i lo -p tcp --dport 33123 -j ACCEPT
+
+# babeld routing
+ipt6 -A INPUT -i babel-+ -p udp --dport 6696 -j ACCEPT
+
+#forwarding between babel interfaces
+ipt6 -A FORWARD -o babel-+ -i babel-+ -j ACCEPT
+
diff --git a/roles/babeld/templates/interfaces b/roles/babeld/templates/interfaces
@@ -0,0 +1,31 @@
+# {{ ansible_managed }}
+
+auto {{ babel_bridge }}
+iface {{ babel_bridge }} inet6 static
+	bridge_ports none
+	bridge-maxwait 0
+	# set interface up
+	up ip link set $IFACE up
+	down ip link set $IFACE down
+	address {{ babel_ipv6_mesh.address }}
+	netmask 128
+
+	post-up  ip -6 rule add from {{ babel_ipv6_mesh.address }} table {{ ffhb_routing_table }} priority 16385
+	pre-down ip -6 rule del from {{ babel_ipv6_mesh.address }} table {{ ffhb_routing_table }} priority 16385
+	post-up  ip -6 rule add iif $IFACE table {{ ffhb_routing_table }} priority 16385
+	pre-down ip -6 rule del iif $IFACE table {{ ffhb_routing_table }} priority 16385
+
+	post-up  ip -6 rule add to {{ ipv6_babelmesh_network }} table {{ ffhb_routing_table }} priority 16385
+	pre-down ip -6 rule del to {{ ipv6_babelmesh_network }} table {{ ffhb_routing_table }} priority 16385
+	post-up  ip -6 rule add to {{ ipv6_babelclient_network }} table {{ ffhb_routing_table }} priority 16385
+	pre-down ip -6 rule del to {{ ipv6_babelclient_network }} table {{ ffhb_routing_table }} priority 16385
+	post-up  ip -6 rule add to fd2f:5119:f2c:624::/48 table {{ ffhb_routing_table }} priority 16385
+	pre-down ip -6 rule del to fd2f:5119:f2c:624::/48 table {{ ffhb_routing_table }} priority 16385
+	post-up  ip -6 rule add from {{ ipv6_babelmesh_network }} table {{ ffhb_routing_table }} priority 16385
+	pre-down ip -6 rule del from {{ ipv6_babelmesh_network }} table {{ ffhb_routing_table }} priority 16385
+	post-up  ip -6 rule add from {{ ipv6_babelclient_network }} table {{ ffhb_routing_table }} priority 16385
+	pre-down ip -6 rule del from {{ ipv6_babelclient_network }} table {{ ffhb_routing_table }} priority 16385
+	post-up  ip -6 rule add from fd2f:5119:f2c:624::/48 table {{ ffhb_routing_table }} priority 16385
+	pre-down ip -6 rule del from fd2f:5119:f2c:624::/48 table {{ ffhb_routing_table }} priority 16385
+
+	post-up  ip -r r add {{ babel_ipv6_mesh.address }}/128 dev $IFACE proto 159 table {{ ffhb_routing_table }}
diff --git a/roles/firewall/files/firewall.service b/roles/firewall/files/firewall.service
@@ -1,9 +1,6 @@
 [Unit]
 Description=Firewall
-DefaultDependencies=no
 Before=network.target
-Requires=systemd-modules-load.service local-fs.target
-After=systemd-modules-load.service local-fs.target
 
 [Service]
 Type=oneshot