freifunkh / ansible

Here we store all Ansible roles and configs used for Freifunk Hannover.
MIT License

gre without legacy IP #234

Open AiyionPrime opened 2 years ago

AiyionPrime commented 2 years ago

Currently the field ip4 in group_vars/all/nodes.yml is mandatory for the supernode role regarding gre- and gt-netdevs:

roles/ffh.supernode/templates/gt-netdev.j2:7:Remote={{ supernodes[item.key].ip4 }}
roles/ffh.supernode/templates/gt-netdev.j2:9:Local={{ supernodes[servername].ip4 }}
roles/ffh.supernode/templates/gre-netdev.j2:7:Local={{ supernodes[servername].ip4 }}
roles/ffh.supernode/templates/gre-netdev.j2:8:Remote={{ exitnodes[item.key].ip4 }}

On the exitnode side, their counterparts:

roles/ffh.exitnode/templates/gre-netdev-super.j2:7:Local={{ exitnodes[servername].ip4 }}
roles/ffh.exitnode/templates/gre-netdev-super.j2:8:Remote={{ supernodes[item.key].ip4 }}

similarly

roles/ffh.exitnode/templates/gre-netdev-exit.j2:7:Local={{ exitnodes[servername].ip4 }}
roles/ffh.exitnode/templates/gre-netdev-exit.j2:8:Remote={{ exitnodes[item.key].ip4 }}

each with corresponding ferm parts:

roles/ffh.supernode/templates/ferm.gre.conf.j2:8:       saddr {{ item.value.ip4 }}/32 proto gre ACCEPT; # {{ item.key }}
roles/ffh.supernode/templates/ferm.gre.conf.j2:12:       saddr {{ item.value.ip4 }}/32 proto gre ACCEPT; # {{ item.key }}

and

roles/ffh.exitnode/templates/ferm.conf.j2:29:          saddr {{ item.value.ip4 }}/32 ACCEPT; # {{ item.key }}
roles/ffh.exitnode/templates/ferm.conf.j2:32:          saddr {{ item.value.ip4 }}/32 ACCEPT; # {{ item.key }}

Looking at the first block above, could we do these connections in v6 if v4 was not defined for a host? Or possibly simpler, could we switch this to IPv6?

lemoer commented 2 years ago

Not directly. In systemd, ip6gre and ip6gretap are different interface types. See man systemd.netdev.

Currently all our supernodes support ipv4 anyways. So there was no need to support ip6gre or ip6gretap yet.

AiyionPrime commented 2 years ago

> Currently all our supernodes support ipv4 anyways. So there was no need to support ip6gre or ip6gretap yet.

Well, let me introduce you to our new sn03...

> Not directly. In systemd, ip6gre and ip6gretap are different interface types. See man systemd.netdev.

That I know, you've shown me that before, I think. I'd propose we configure ipv6 gre(tap)s between sn03 and an exitnode, and if we get that working, rewrite that part in ansible to configure IPv6 tunnels between the super and exitnodes and use v4 as fallback.

Or do you expect performance issues if we let them work their traffic via v6 instead of v4?
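The v6-first, v4-fallback selection proposed in the comment above, as an added example that is not code from this repository: it picks the systemd.netdev `Kind` and the matching ferm source rule per endpoint pair. The `ip6` key, the sample node entries and the helper names are assumptions.

```python
import ipaddress

# Constructed sample inventory in the shape of group_vars/all/nodes.yml.
# The "ip6" key and all addresses (documentation ranges) are assumptions.
SUPERNODES = {
    "sn01": {"ip4": "192.0.2.1", "ip6": "2001:db8::1"},
    "sn03": {"ip6": "2001:db8::3"},            # no legacy IP
}
EXITNODES = {
    "ex01": {"ip4": "198.51.100.1", "ip6": "2001:db8:1::1"},
    "ex02": {"ip4": "198.51.100.2"},           # legacy IP only
}

def pick_family(local, remote):
    """Prefer IPv6 when both ends have it, fall back to IPv4, else fail.

    The choice is symmetric, so both tunnel ends render the same family.
    """
    for key, version in (("ip6", 6), ("ip4", 4)):
        if key in local and key in remote:
            loc = ipaddress.ip_address(local[key])
            rem = ipaddress.ip_address(remote[key])
            if loc.version != version or rem.version != version:
                raise ValueError(f"{key} holds an address of the wrong family")
            return version, loc, rem
    raise ValueError("no common address family between tunnel endpoints")

def render_netdev(name, local, remote, tap=False):
    """Render a systemd.netdev unit; the Kind depends on the address family."""
    version, loc, rem = pick_family(local, remote)
    kind = ("ip6gre" if version == 6 else "gre") + ("tap" if tap else "")
    return (f"[NetDev]\nName={name}\nKind={kind}\n\n"
            f"[Tunnel]\nLocal={loc}\nRemote={rem}\n")

def ferm_rule(peer_name, local, peer):
    """Render the ferm source rule for the chosen family.

    A /128 rule only takes effect inside a ferm `domain ip6` block.
    """
    version, _, rem = pick_family(local, peer)
    prefix = 128 if version == 6 else 32
    return f"saddr {rem}/{prefix} proto gre ACCEPT; # {peer_name}"
```

A v6-only supernode paired with a v4-only exitnode raises instead of rendering a tunnel that can never come up, and the firewall rule always follows the family the tunnel actually uses.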

AiyionPrime commented 2 years ago

I'd really like the idea of not having mandatory v4 addresses for our supernodes. Regarding sn03: it won't have IPv4 for the duration of the test phase (six weeks starting yesterday) but will likely have it later.