dn42-router/host_vars/laplace.mk16.de/firewall.yml

---
firewall:
  tailscale: true
  bgp:
    - interface: lab
      addresses:
        - fd00:8e13:ce5e:b9af:3e5b:098f:a1bd:1
  bfd:
    - interface: lab
      prefix: fd00:8e13:ce5e:b9af:3e5b:98f:a1bd:0/127

  rules:
    # I2P
    - !vault |
          $ANSIBLE_VAULT;1.1;AES256
          36626666643365343333383831626531636633346536343862353738323135396161636163373730
          6663326331326661383963353664346439356361626238310a313133666666326163316537393839
          64353638353335326330336364363164353935366136376433643038316531653963616665343237
          3865666230306137300a376435646466303437373638386531346163316133306139663865396432
          61623533356634613531616263646134373635313362333066643434313661353039393534316437
          34326464666333623131363239616439353862646461626663656437643533613133353163366538
          346631316636643766386238306162373063

  # wireguard and fastd ports are automatically opened
  rc:
    own_interfaces:
      - routercity
    interfaces:
      - p2pnode
      - p2prouter
      - herzstein
      - stricker
      - trolljaeger
      - silvermoon
      - frostwood
      - beastwarden
  dnet:
    own_interfaces:
      - crxn
      - dn42
      - neo
    interfaces:
      - p2pnode
      - p2prouter
      - herzstein
      - stricker
      - trolljaeger
      - silvermoon
      - crxn_grisha
      - crxn_home
      - frostwood
      - lab
      - beastwarden
  clients:
    - interface: client13
      firewall: true
      allowed_ips:
        dnet_ipv4:
          - 172.22.149.117/32
        dnet_ipv6:
          - fd92:58b6:2b2:e::12/128