X-Git-Url: https://iankelling.org/git/?a=blobdiff_plain;f=wrt-setup-local;h=00420030e328388d7ac79b000ee168cb420c7e18;hb=a199d585d33ace63662c0fea99a5c5d6d498d14b;hp=6201f866f924cce43312e5d25b047b62e2897c19;hpb=b5682902b6dce0a3d799e129877c8b43c4509774;p=automated-distro-installer

diff --git a/wrt-setup-local b/wrt-setup-local
index 6201f86..0042003 100755
--- a/wrt-setup-local
+++ b/wrt-setup-local
@@ -40,11 +40,6 @@ EOF
 
 
 
-dnsmasq_restart=false
-firewall_restart=false
-dev2=false
-test=false
-libremanage_host=wrt2
 
 secrets=false
 if [[ -e /root/router-secrets ]]; then
@@ -58,6 +53,12 @@ fi
 : ${hostname:=wrt}
 
 
+dnsmasq_restart=false
+firewall_restart=false
+dev2=false
+test=false
+client=false
+libremanage_host=wrt2
 lanip=1
 while getopts hm:t: opt; do
   case $opt in
@@ -317,6 +318,9 @@ if $client; then
   uset wireless.radio0.disabled false
   uset wireless.radio1.disabled true
 else
+  # defaults, just reseting in case client config ran
+  uset wireless.default_radio0.network lan
+  uset wireless.default_radio0.mode ap
   for x in 0 1; do
     uset wireless.default_radio$x.ssid "$ssid"
     uset wireless.default_radio$x.key $key
@@ -573,6 +577,18 @@ config rule
  option target           ACCEPT
  option dest_port        2208
 
+config redirect
+ option name sshbb8
+ option src              wan
+ option src_dport        2209
+ option dest_port        22
+ option dest_ip          $l.9
+ option dest             lan
+config rule
+ option src              wan
+ option target           ACCEPT
+ option dest_port        2209
+
 config redirect
  option name icecast
  option src              wan
@@ -600,21 +616,7 @@ config rule
 
 
 config redirect
- option name vpntp
- option src              wan
- option src_dport        1196
- option dest             lan
- option dest_ip          $l.8
- option proto            udp
-config rule
- option src              wan
- option target           ACCEPT
- option dest_port        1196
- option proto            udp
-
-
-config redirect
- option name httptp
+ option name httpkd
  option src              wan
  option src_dport        80
  option dest             lan
@@ -627,7 +629,7 @@ config rule
  option proto            tcp
 
 config redirect
- option name httpstp
+ option name httpskd
  option src              wan
  option src_dport        443
  option dest             lan
@@ -698,46 +700,26 @@ EOF
 }
 firewall-cedit || firewall_restart=true
 
-if ! uci get firewall.@zone[1].network | grep wg0 &>/dev/null; then
-  # cant mix cedit plus uci
-  echo | cedit /etc/config/firewall ||:
-  uci add_list firewall.@zone[1].network=wg0
-  uci commit firewall
-  firewall-cedit ||:
-  firewall_restart=true
-fi
+# not using wireguard for now
+# if ! uci get firewall.@zone[1].network | grep wg0 &>/dev/null; then
+#   # cant mix cedit plus uci
+#   echo | cedit /etc/config/firewall ||:
+#   uci add_list firewall.@zone[1].network=wg0
+#   uci commit firewall
+#   firewall-cedit ||:
+#   firewall_restart=true
+# fi
 
 
 
 v cedit /etc/hosts <<EOF || dnsmasq_restart=true
 127.0.1.1 $hostname
-#$l.7 x3
-$l.12 demohost
-$l.13 trp
-72.14.176.105 li
-2600:3c00::f03c:91ff:fe6d:baf8 li
-
-# netns creation looks for next free subnet starting at 10.173, but I only
-# use one, and I would keep this one as the first created.
-10.173.0.2 transmission
 EOF
+# not sure this case statement is needed
 case $hostname in
   cmc)
     v cedit host /etc/hosts <<EOF || dnsmasq_restart=true
 $l.1 $hostname
-$l.2 kd b8.nz
-#$l.3 frodo
-$l.4 wrt2
-$l.5 x2 faiserver
-$l.6 x2w
-$l.7 rp
-$l.8 tp
-$l.9 bb8
-$l.14 wrt3
-#$l.18 x3
-$l.19 brother
-$l.25 hp
-#$l.28 frodow
 EOF
     ;;
 esac
@@ -750,8 +732,9 @@ esac
 
 
 uset dhcp.@dnsmasq[0].domain b8.nz
-uset dhcp.@dnsmasq[0].local /b8.nz/
 uset system.@system[0].hostname $hostname
+uset dhcp.@dnsmasq[0].local
+
 # uci doesnt seem to have a way to set an empty value,
 # if you delete it, it goes back to the default. this seems
 # to be a decent workaround.
@@ -778,19 +761,25 @@ EOF
 # to start.
 mkdir -p /mnt/usb/tftpboot
 v cedit /etc/dnsmasq.conf <<EOF || dnsmasq_restart=true
-server=/dmarctest.b8.nz/#
-server=/_domainkey.b8.nz/#
-server=/_dmarc.b8.nz/#
-server=/ns1.b8.nz/#
-server=/ns2.b8.nz/#
-server=/bk.b8.nz/#
-server=/je.b8.nz/#
-mx-host=b8.nz,mail.iankelling.org,10
-txt-record=b8.nz,"v=spf1 a ?all"
-
+server=/b8.nz/#
+ptr-record=1.0.2.10.in-addr.arpa.,cmc.b8.nz
+ptr-record=2.0.2.10.in-addr.arpa.,kd.b8.nz
+ptr-record=3.0.2.10.in-addr.arpa.,sy.b8.nz
+ptr-record=4.0.2.10.in-addr.arpa.,wrt2.b8.nz
+ptr-record=5.0.2.10.in-addr.arpa.,x2.b8.nz
+ptr-record=6.0.2.10.in-addr.arpa.,xw2.b8.nz
+ptr-record=7.0.2.10.in-addr.arpa.,syw.b8.nz
+ptr-record=8.0.2.10.in-addr.arpa.,tp.b8.nz
+ptr-record=9.0.2.10.in-addr.arpa.,bb8.b8.nz
+ptr-record=12.0.2.10.in-addr.arpa.,demohost.b8.nz
+ptr-record=14.0.2.10.in-addr.arpa.,wrt3.b8.nz
+ptr-record=19.0.2.10.in-addr.arpa.,brother.b8.nz
+ptr-record=25.0.2.10.in-addr.arpa.,hp.b8.nz
+ptr-record=.0.2.10.in-addr.arpa.,transmission.b8.nz
 
 # https://ret2got.wordpress.com/2018/01/19/how-your-ethereum-can-be-stolen-using-dns-rebinding/
 stop-dns-rebind
+rebind-domain-ok=b8.nz
 
 # this says the ip of default gateway and dns server,
 # but I think they are unneded and default
@@ -828,27 +817,28 @@ server=2001:4860:4860::8844
 # default dhcp range is 100-150
 # bottom port,  iPXE (PCI 03:00.0) in seabios boot menu
 dhcp-host=c8:60:00:31:6b:75,set:kd,$l.2,kd
+dhcp-host=94:05:bb:1e:2c:2e,set:sy,$l.3,sy
 # top port, iPXE (PCI 04:00.0) in seabios boot menu
 #dhcp-host=c8:60:00:2b:15:07,set:kd,$l.2,kd
-dhcp-host=00:26:18:97:bb:16,set:frodo,$l.3,frodo
 # 4 is reserved for a staticly configured host wrt2
 # old x2 with bad fan
 #dhcp-host=00:1f:16:16:39:24,set:x2,$l.5,x2
 dhcp-host=f0:de:f1:81:ec:88,set:x2,$l.5,x2
 dhcp-host=c4:8e:8f:44:f5:63,set:x2w,$l.6,x2w
+dhcp-host=34:7d:f6:ed:ec:07,set:syw,$l.7,syw
+dhcp-host=80:fa:5b:1c:6e:cf,set:tp,$l.8,tp
 # This is so fai can have an explicit name to use for testing,
 # or else any random machine which did a pxe boot would get
 # reformatted. The mac is from doing a virt-install, cancelling it,
 # and copying the generated mac, so it should be randomish.
-dhcp-host=fa:08:f8:4c:14:1c,set:tp,$l.7,rp
-dhcp-host=80:fa:5b:1c:6e:cf,set:tp,$l.8,tp
 dhcp-host=52:54:00:9c:ef:ad,set:demohost,$l.12,demohost
 dhcp-host=62:03:cb:a8:3e:a3,set:trp,$1.13,trp
-dhcp-host=00:1f:16:14:01:d8,set:tp,$l.18,x3
+dhcp-host=00:1f:16:14:01:d8,set:x3,$l.18,x3
 # BRN001BA98CA823 in dhcp logs
-dhcp-host=00:1b:a9:8c:a8:23,set:tp,$l.19,brother
-dhcp-host=38:63:bb:07:5a:f9,set:tp,$l.25,hp
+dhcp-host=00:1b:a9:8c:a8:23,set:brother,$l.19,brother
+dhcp-host=38:63:bb:07:5a:f9,set:hp,$l.25,hp
 dhcp-host=00:26:b6:f6:0f:e9,set:frodow,$l.28,frodow
+dhcp-host=00:26:18:97:bb:16,set:frodo,$l.29,frodo
 
 
 # faiserver vm
@@ -873,6 +863,19 @@ EOF
 
 
 if $dnsmasq_restart && ! $dev2; then
+  # todo: can our ptr records be put in /etc/hosts?
+  # eg: user normal /etc/hosts records, and they wont be used for A resolution
+  # due to the other settings, but will be used for ptr? then maybe
+  # we dont have to restart dnsmasq for a dns update?
+  #
+  # todo: according to this
+  # https://www.redpill-linpro.com/techblog/2019/08/27/evaluating-local-dnssec-validators.html#toggling-dnssec-validation-1
+  # we should turn on dnssec validation when wrt gets version > 2.80. currently at 2.80.
+  # todo: download https://downloads.openwrt.org/snapshots/packages/mipsel_24kc/base/dnsmasq-full_2.84-1_mipsel_24kc.ipk
+  # and install it. then we can turn off dnssec in systemd-resolved
+  #
+  # Also, reload of dnsmasq seems to break things, wifi
+  # clients were not getting internet connectivity.
   v /etc/init.d/dnsmasq restart
 fi