Build access zone image

[dn0]

Objective: to have a zone image that is configurable using mdata.

Desirable features:

• routing enabled
• DHCP client enabled on all interfaces
• setup firewall + nat
• mapping ports to inside hosts (reverse nat)

Bonus features:

• OpenVPN
• integrated EasyRSA
• capability of CARP/VRRP
• Zabbix proxy

Can be based on this howto https://docs.danubecloud.org/user-guide/howto/access_zone.html

It can be hardcoded that net0 is the WAN interface.

Proposal of mdata variables ('x' is the number of the network interface):

• NAT_ENABLE - default: true. If false, IP addresses will be forwarded without NAT. It is on maintainer/creators's decision if following reverse nat settings will be applicable if NAT_ENABLE=false.
• REVERSE_NAT_RULES_TCP - either json or comma separated pairs. These ports on WAN interface will be forwarded to internal hosts. Format: external_port:internal_ip_address[:dst_port],external_port2:internal_ip_address2[:dst_port2] e.g. "80:10.0.0.100:80,443:10.0.0.100:443,53:10.0.0.102:53
• REVERSE_NAT_RULES_UDP
• NETx_SOURCES_ALLOW - default: any. Format: comma separated list of hosts or subnets, e.g. 44.33.22.11,50.60.70.0/24
• NETx_ALLOWED_PORTS_TCP - default: any. Format: comma separated list of port numbers
• NETx_ALLOWED_PORTS_UDP
• OPENVPN_ENABLE - default: false
• OPENVPN_CA_NAME - generate self-signed certificate for creating openvpn client certificates. New user certificates can be created using easyrsa script (instructions how to do it can be put into /etc/motd)
• NETx_CARP_ENABLE - default: false
• NETx_CARP_VIP
• NETx_CARP_WEIGHT

[ricco386]

We have an ansible roles (es-server, es-update, ipf, openvpn) that does build part of this access zone (dnsmasq can be added as required package in the playbook).

I have created zabbix templates t_svc-dnsmasq and t_svc-openvpn that does motnitor service status and also processes, also with alerting. I have also created t_role-zone-access that includes this monitoring templates and can be reused for this appliance.

[YanChii]

Superseded by opnsense image. Also, SunOS zones are becoming obsolete, so we'll find other approach if needed. Closing.