dch-gw: Host Pyrocufflink VPN locally

This commit adjusts the firewall and networking configuration on dc0 to
host the Pyrocufflink remote access IPsec VPN locally instead of
forwarding it to the internal VPN server.

group_vars/dch-gw/dch-network.yml

@@ -74,12 +74,6 @@ nat_port_forwards:
 - protocol: udp
   port: 16881-16999
   destination: 172.31.0.5
-- protocol: udp
-  port: isakmp
-  destination: 172.31.0.2
-- protocol: udp
-  port: ipsec-nat-t
-  destination: 172.31.0.2
 
 
 allow_incoming:

host_vars/gw0/network.yml

@@ -31,16 +31,6 @@ network:
     addr: 172.31.0.1
     prefix: 27
     addr6: fd99:8cd7:6528::1
-    routes:
-    - prefix: 172.31.0.64/28
-      nexthop:
-      - address: 172.31.0.2
-    - prefix: 192.168.0.0/16
-      nexthop:
-      - address: 172.31.0.2
-    - prefix: 172.28.33.0/24
-      nexthop:
-      - address: 172.31.0.2
   - ifname: vlan100
     enabled: true
     vlan_id: 100

roles/dch-gw/templates/forward.nft.j2

@@ -1,9 +1,10 @@
 {#- vim: set sw=4 ts=4 sts=4 et : #}
 table inet filter {
-    set firemon {
+    set vpn_subnets {
         type ipv4_addr
         flags interval
         elements = {
+            172.31.0.64/28,
 {% for prefix in firemon_networks %}
             {{ prefix }},
 {% endfor %}
@@ -15,7 +16,8 @@ table inet filter {
         iifname {{ dch_networks.guest.router_iface }} oif != {{ internet_iface }} drop
         iif != {{ internet_iface }} oifname {{ dch_networks.guest.router_iface }} drop
         iif != {{ internet_iface }} oif != {{ internet_iface }} counter accept
-        ip daddr @firemon counter accept
+        iif {{ internet_iface }} ip saddr @vpn_subnets counter accept
+        iif != {{ internet_iface }} ip daddr @vpn_subnets counter accept
         tcp dport smtp counter reject with icmpx type host-unreachable
         oif {{ internet_iface }} accept
     }

roles/dch-gw/templates/incoming.nft.j2

@@ -24,8 +24,9 @@ table inet filter {
         ct state established,related accept
         iif lo accept
         ip6 nexthdr ipv6-icmp accept
-        ip protocol icmp accept
+        ip protocol { icmp, esp } accept
         udp sport dhcpv6-server counter accept
+        udp dport { isakmp, ipsec-nat-t } ct state new counter accept
         iif != {{ internet_iface }} tcp dport @allow_tcp_in ct state new counter accept
         iif != {{ internet_iface }} udp dport @allow_udp_in ct state new counter accept
         iif {{ internet_iface }} drop

roles/dch-gw/templates/masquerade.nft.j2

@@ -1,5 +1,17 @@
 table ip nat {
+    set vpn_subnets {
+        type ipv4_addr
+        flags interval
+        elements = {
+            172.31.0.64/28,
+{% for prefix in firemon_networks %}
+            {{ prefix }},
+{% endfor %}
+        }
+    }
+
     chain postrouting {
+        ip daddr @vpn_subnets counter accept
         oif {{ ansible_default_ipv4.interface }} masquerade
     }
 }

roles/dch-gw/templates/outgoing.nft.j2

@@ -24,7 +24,7 @@ table inet filter {
         ct state established,related accept
         oif lo accept
         ip6 nexthdr ipv6-icmp accept
-        ip protocol icmp accept
+        ip protocol { icmp, esp } accept
         tcp dport @allow_tcp_out ct state new counter accept
         udp dport @allow_udp_out ct state new counter accept
     }