Git URL angepasst

ensure that dhcp server is stopped or started depending on gw mode

README.md

@@ -20,7 +20,7 @@ design pattern.
   do that manually or run a small `ff_gw::sysadmin`-only manifest before the
   main `ff_gw` manifest.
 * User root requires ssh access to the git repository
-  `git@freifunk-gw01.hamburg.ccc.de:fastdkeys` --
+  `git@git.hamburg.freifunk.net:fastdkeys` --
   so create a key and have it authorized beforehand.
 
 ## Usage

data/peering.yaml

@@ -17,9 +17,6 @@ peerings_v4:
   hamburg09:
     template: locals
     ip: 10.112.24.1
-  hamburg11:
-    template: locals
-    ip: 10.112.28.1
   hamburg12:
     template: locals
     ip: 10.112.30.1
@@ -201,7 +198,30 @@ ic_peerings_v4:
     template: peers
     ip: 10.207.0.8
     as: 65530
-
+  Dreilaendereck1:
+    template: peers
+    ip: 10.207.0.75
+    as: 65043
+  Flensburg1:
+    template: peers
+    ip: 10.207.0.129
+    as: 65056
+  Guetersloh1:
+    template: peers
+    ip: 10.207.0.132
+    as: 65533
+  Guetersloh4:
+    template: peers
+    ip: 10.207.0.134
+    as: 65533
+  Magdeburg1:
+    template: peers
+    ip: 10.207.39.1
+    as: 65039
+  Magdeburg2:
+    template: peers
+    ip: 10.207.39.2
+    as: 65039
 
 peerings_v6:
   srv01:
@@ -251,7 +271,7 @@ ic_peerings_v6:
     ip: fec0::a:cf:0:19
     as: 65025
   Berlin1:
-    template: peers
+    template: upstream
     ip: fec0::a:cf:0:5
     as: 44194
   Bielefeld1:
@@ -290,6 +310,10 @@ ic_peerings_v6:
     template: peers
     ip: fec0::a:cf:0:51
     as: 65526
+  Kiel0:
+    template: peers
+    ip: fec0::a:cf:0:34
+    as: 65525
   Kiel1:
     template: peers
     ip: fec0::a:cf:0:35
@@ -342,3 +366,27 @@ ic_peerings_v6:
     template: peers
     ip: fec0::a:cf:0:8
     as: 65530
+  Dreilaendereck1:
+    template: peers
+    ip: fec0::a:cf:0:be
+    as: 65043
+  Flensburg1:
+    template: peers
+    ip: fec0::a:cf:0:10
+    as: 65056
+  Guetersloh1:
+    template: peers
+    ip: fec0::a:cf:0:84
+    as: 65533
+  Guetersloh4:
+    template: peers
+    ip: fec0::a:cf:0:86
+    as: 65533
+  Magdeburg1:
+    template: peers
+    ip: fec0::a:cf:39:1
+    as: 65039
+  Magdeburg1:
+    template: peers
+    ip: fec0::a:cf:39:2
+    as: 65039

files/etc/iptables/rules.v4

@@ -1,26 +1,31 @@
-# Generated by iptables-save v1.4.14 on Sun Mar 24 14:14:50 2013
-*filter
-:INPUT ACCEPT [273:40363]
-:FORWARD ACCEPT [0:0]
-:OUTPUT ACCEPT [194:28568]
-COMMIT
-# Completed on Mon Mar 25 19:41:40 2013
-# Generated by iptables-save v1.4.14 on Mon Mar 25 19:41:40 2013
-*mangle
-:PREROUTING ACCEPT [286:41734]
-:INPUT ACCEPT [273:40363]
-:FORWARD ACCEPT [0:0]
-:OUTPUT ACCEPT [194:28568]
-:POSTROUTING ACCEPT [194:28568]
--A PREROUTING -i br-ffhh -j MARK --set-xmark 0x1/0xffffffff
-COMMIT
-# Completed on Mon Mar 25 19:41:40 2013
-# Generated by iptables-save v1.4.14 on Mon Mar 25 19:41:40 2013
+# Generated by iptables-save v1.4.14 on Mon Aug 18 22:31:43 2014
 *nat
-:PREROUTING ACCEPT [15:1459]
-:INPUT ACCEPT [2:88]
-:OUTPUT ACCEPT [1:74]
-:POSTROUTING ACCEPT [1:74]
+:PREROUTING ACCEPT [1508898:60980199]
+:INPUT ACCEPT [85622:9125051]
+:OUTPUT ACCEPT [195829:12103496]
+:POSTROUTING ACCEPT [194526:11989631]
 -A POSTROUTING -o mullvad -j MASQUERADE
 COMMIT
-# Completed on Mon Mar 25 19:41:40 2013
+# Completed on Mon Aug 18 22:31:43 2014
+# Generated by iptables-save v1.4.14 on Mon Aug 18 22:31:43 2014
+*mangle
+:PREROUTING ACCEPT [100732184:31760093690]
+:INPUT ACCEPT [88878861:23870786312]
+:FORWARD ACCEPT [10499612:7842070628]
+:OUTPUT ACCEPT [158193447:33293545226]
+:POSTROUTING ACCEPT [168692266:41135440990]
+-A PREROUTING -i br-ffhh -j MARK --set-xmark 0x1/0xffffffff
+-A PREROUTING -i mullvad -j MARK --set-xmark 0x1/0xffffffff
+COMMIT
+# Completed on Mon Aug 18 22:31:43 2014
+# Generated by iptables-save v1.4.14 on Mon Aug 18 22:31:43 2014
+*filter
+:INPUT ACCEPT [88878720:23870769673]
+:FORWARD ACCEPT [10499612:7842070628]
+:OUTPUT ACCEPT [158192660:33293370754]
+-A INPUT -i mullvad -m state --state INVALID,NEW,UNTRACKED -j DROP
+-A FORWARD -i mullvad -m state --state INVALID,NEW,UNTRACKED -j DROP
+-A FORWARD -o eth0 -j DROP
+-A FORWARD -i eth0 -j DROP
+COMMIT
+# Completed on Mon Aug 18 22:31:43 2014

files/etc/iptables/rules.v6

@@ -0,0 +1,20 @@
+# Generated by ip6tables-save v1.4.14 on Mon Aug 18 22:31:43 2014
+*mangle
+:PREROUTING ACCEPT [347182:29416089]
+:INPUT ACCEPT [95377:10719074]
+:FORWARD ACCEPT [50710:3964545]
+:OUTPUT ACCEPT [108706:9522484]
+:POSTROUTING ACCEPT [161591:13748029]
+-A PREROUTING -i br-ffhh -j MARK --set-xmark 0x1/0xffffffff
+COMMIT
+# Completed on Mon Aug 18 22:31:43 2014
+# Generated by ip6tables-save v1.4.14 on Mon Aug 18 22:31:43 2014
+*filter
+:INPUT ACCEPT [1244932:115240832]
+:FORWARD ACCEPT [51046:3997994]
+:OUTPUT ACCEPT [1330577:118074893]
+-A INPUT -m rt --rt-type 0 -j DROP
+-A FORWARD -m rt --rt-type 0 -j DROP
+-A OUTPUT -m rt --rt-type 0 -j DROP
+COMMIT
+# Completed on Mon Aug 18 22:31:43 2014

files/etc/openvpn/hideme/hideme-up

@@ -0,0 +1,11 @@
+#!/bin/sh
+ip route replace 0.0.0.0/1 via $4 table 42
+ip route replace 128.0.0.0/1 via $4 table 42
+
+ip rule del priority 30000
+ip rule add priority 30000 from $4 table 42
+
+ip route flush cache
+
+/etc/openvpn/update-dnsmasq-forward
+exit 0

files/etc/openvpn/mullvad/mullvad-up

@@ -0,0 +1,5 @@
+#!/bin/sh
+ip route replace 0.0.0.0/1 via $5 table 42
+ip route replace 128.0.0.0/1 via $5 table 42
+/etc/openvpn/update-dnsmasq-forward
+exit 0

files/root/bin/autoupdate_fastd_keys.sh

@@ -2,6 +2,10 @@
 # Simple script to update fastd peers from git upstream
 # and only send HUP to fastd when changes happend.
 
+if [[ "$1" == "-v" ]]; then
+  VERBOSE=1
+fi
+
 # CONFIGURE THIS TO YOUR PEER DIRECTORY
 FASTD_PEERS=/etc/fastd/ffhh-mesh-vpn/peers
 
@@ -17,11 +21,11 @@ GIT_REVISION=$(getCurrentVersion)
 
 # Automagically commit local changes
 # This preserves local changes
-git commit -m "CRON: auto commit"
+git commit --quiet -m "CRON: auto commit" > /dev/null
 
 # Pull latest changes from upstream
-git fetch
-git merge origin/master -m "Auto Merge"
+git fetch --quiet
+git merge origin/master --quiet -m "Auto Merge"
 
 # Get new version hash
 GIT_NEW_REVISION=$(getCurrentVersion)
@@ -29,7 +33,7 @@ GIT_NEW_REVISION=$(getCurrentVersion)
 if [ $GIT_REVISION != $GIT_NEW_REVISION ]
 then
   # Version has changed we need to update
-  echo "Reload fastd peers"
+  test -n "$VERBOSE" && echo "Reload fastd peers"
   kill -HUP $(pidof fastd)
 fi
 

files/usr/local/bin/check_gateway

@@ -1,7 +1,8 @@
 #!/bin/bash
-INTERFACE=mullvad
+INTERFACE=mullvad        # Set to name of VPN interface
 shopt -s nullglob
 
+# Test whether gateway is connected to the outer world via VPN
 ping -q -I $INTERFACE 8.8.8.8 -c 4 -i 1 -W 5 >/dev/null 2>&1
 
 if test $? -eq 0; then
@@ -10,13 +11,41 @@ else
     NEW_STATE=off
 fi
 
+# Iterate through network interfaces in sys file system
 for MESH in /sys/class/net/*/mesh; do
+# Check whether gateway modus needs to be changed
 OLD_STATE="$(cat $MESH/gw_mode)"
 [ "$OLD_STATE" == "$NEW_STATE" ] && continue
-         echo $NEW_STATE > $MESH/gw_mode
-         echo 54MBit/54MBit > $MESH/gw_bandwidth
-         logger "batman gateway mode changed to $NEW_STATE"
+    echo $NEW_STATE > $MESH/gw_mode
+    echo 54MBit/54MBit > $MESH/gw_bandwidth
+    logger "batman gateway mode changed to $NEW_STATE"
+
+    # Check whether gateway modus has been deactivated
+    if [ "$NEW_STATE" == "off" ]; then
+        # Shutdown DHCP server to prevent renewal of leases
+        /usr/sbin/service isc-dhcp-server stop
+    fi
+
+    # Check whether gateway modus has been activated
+    if [ "$NEW_STATE" == "server" ]; then
+        # Restart DHCP server
+        /usr/sbin/service isc-dhcp-server start
+    fi
+    exit 0
 done
 
-# vim: noai:ts=4:sw=4:ff=unix:ft=text:fdm=marker
+if [ "$NEW_STATE" == "server" ]; then
+    /usr/sbin/service isc-dhcp-server status 2>&1> /dev/null
+    if [[ $? -ne 0 ]]
+    then
+        /usr/sbin/service isc-dhcp-server restart
+    fi
+fi
+if [ "$NEW_STATE" == "off" ]; then
+    /usr/sbin/service isc-dhcp-server status 2>&1> /dev/null
+    if [[ $? -eq 0 ]]
+    then
+        /usr/sbin/service isc-dhcp-server stop
+    fi
+fi
 

files/usr/share/munin/plugins/dhcp-pool

@@ -0,0 +1,192 @@
+#!/usr/bin/perl -w
+#
+# Copyright (C) 2008 Rien Broekstra <rien@rename-it.nl>
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License
+# as published by the Free Software Foundation; version 2 dated June,
+# 1991.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA  02111-1307, USA.
+#
+#
+# Munin plugin to measure saturation of DHCP pools.
+#
+# Configuration variables:
+#
+#       conffile     - path to dhcpd's configuration file (default "/etc/dhcpd.conf")
+#       leasefile    - path to dhcpd's leases file (default "/var/lib/dhcp/dhcpd.leases")
+#
+# Parameters:
+#
+#       config    (required)
+#
+# Version 1.0, 2-12-2008
+
+use POSIX;
+use Time::Local;
+use strict;
+
+my $CONFFILE = exists $ENV{'conffile'} ? $ENV{'conffile'} : "/etc/dhcpd.conf";
+my $LEASEFILE = exists $ENV{'leasefile'} ? $ENV{'leasefile'} : "/var/lib/dhcp/dhcpd.leases";
+
+if ( defined $ARGV[0] and $ARGV[0] eq "autoconf" ) {
+
+}
+elsif ( defined $ARGV[0] and $ARGV[0] eq "config" ) {
+    my (%pools, $start, $label);
+
+    # Print general information
+    print "graph_title DHCP pool usage (in %)\n";
+    print "graph_args --upper-limit 100 -l 0\n";
+    print "graph_vlabel %\n";
+    print "graph_category network\n";
+
+    # Determine the available IP pools
+    %pools = determine_pools();
+    
+    # Print a label for each pool
+    foreach $start (keys %pools) {
+	$label = ip2string($start);
+	$label =~ s/\./\_/g;
+	print "$label.label Pool ".ip2string($start)."\n";
+	print "$label.warning 75\n";
+	print "$label.critical 100\n";
+    }
+}
+else {
+    my (@activeleases, %pools, $start, $end, $size, $free, $label, $lease);
+    
+    # Determine all leased IP addresses 
+    @activeleases = determine_active_leases();
+    
+    # Determine the available IP pools
+    %pools = determine_pools();
+
+    # For each pool, count how many leases from that pool are currently active
+    foreach $start (keys %pools) {
+	$size = $pools{$start};
+	$end = $start+$size;
+	$free = $size;
+
+	foreach $lease (@activeleases) {
+	    if ($lease >= $start && $lease <= $end) {
+		$free--;
+	    }
+	}
+	$label = ip2string($start);
+	$label =~ s/\./\_/g;
+	print "$label.value ".sprintf("%.1f", 100*($size-$free)/$size)."\n";
+    }
+}
+
+# Parse dhcpd.conf for range statements.
+#
+# Returns a hash with start IP -> size
+sub determine_pools {
+    my (%pools, @conffile, $line, $start, $end, $size);
+
+    open(CONFFILE, "<${CONFFILE}") || exit -1;
+    @conffile = <CONFFILE>;
+    close (CONFFILE);
+
+    foreach $line (@conffile) {
+	if ($line =~ /range[\s]+([\d]+\.[\d]+\.[\d]+\.[\d]+)[\s]+([\d]+\.[\d]+\.[\d]+\.[\d]+)/) {
+	    $start = string2ip($1);
+	    $end = string2ip($2);
+	    $size = $end - $start;
+	    defined($start) || next;
+	    defined($end) || next;
+	    
+	    $pools{$start} = $size;
+	}
+    }
+    return %pools;
+}
+
+# Very simple parser for dhcpd.leases. This will break very easily if dhcpd decides to 
+# format the file differently. Ideally a simple recursive-descent parser should be used.
+#
+# Returns an array with currently leased IP's
+sub determine_active_leases {
+    my (@leasefile, $startdate, $enddate, $lease, @activeleases, $mytz, $line, %saw);
+
+    open(LEASEFILE, "<${LEASEFILE}") || exit -1;
+    @leasefile = <LEASEFILE>;
+    close (LEASEFILE);
+
+    @activeleases = ();
+
+    # Portable way of converting a GMT date/time string to timestamp is setting TZ to UTC, and then calling mktime()
+    $mytz = $ENV{'TZ'};
+    $ENV{'TZ'} = 'UTC 0';
+    tzset();
+
+    foreach $line (@leasefile) {
+	if ($line =~ /lease ([\d]+\.[\d]+\.[\d]+\.[\d]+)/) {
+	    $lease = string2ip($1);
+	    defined($lease) || next;
+
+	    undef $startdate;
+	    undef $enddate;
+	}
+	elsif ($line =~ /starts \d ([\d]{4})\/([\d]{2})\/([\d]{2}) ([\d]{2}):([\d]{2}):([\d]{2})/) {
+	    $startdate = mktime($6, $5, $4, $3, $2-1, $1-1900, 0, 0);
+	}
+	elsif ($line =~ /ends \d ([\d]{4})\/([\d]{2})\/([\d]{2}) ([\d]{2}):([\d]{2}):([\d]{2})/) {
+	    $enddate = mktime($6, $5, $4, $3, $2-1, $1-1900, 0, 0);
+	    if (defined($enddate) && defined($startdate) && defined($lease)) {
+		if ($startdate < time() && $enddate > time()) {
+		    push (@activeleases, $lease);
+		}
+	    }
+	}
+
+    }
+    
+    # Set TZ back to its original setting
+    if (defined($mytz)) {
+	$ENV{'TZ'} = $mytz;
+    }
+    else {
+	delete $ENV{'TZ'};
+    }
+    tzset();
+
+    # Sort the array, strip doubles, and return
+    return grep(!$saw{$_}++, @activeleases);
+}
+
+#
+# Helper routine to convert an IP address a.b.c.d into an integer
+#
+# Returns an integer representation of an IP address
+sub string2ip {
+    my $string = shift;
+    defined($string) || return undef;
+    if ($string =~ /([\d]+)\.([\d]+)\.([\d]+)\.([\d]+)/) {
+	if ($1 < 0 || $1 > 255 || $2 < 0 || $2 > 255 || $3 < 0 || $3 > 255 || $4 < 0 || $4 > 255) {
+	    return undef;
+	}
+	else {
+	    return $1 << 24 | $2 << 16 | $3 << 8 | $4;
+	}
+    }
+    return undef;
+}
+	    
+#
+# Returns a dotted quad notation of an 
+#
+sub ip2string {
+    my $ip = shift;
+    defined ($ip) || return undef;
+    return sprintf ("%d.%d.%d.%d", ($ip >> 24) & 0xff, ($ip >> 16) & 0xff, ($ip >> 8) & 0xff, $ip & 0xff);
+}

manifests/init.pp

@@ -5,6 +5,7 @@ class ff_gw(
   $mesh_mac,
   $gw_ipv4, $gw_ipv4_netmask   = '255.255.192.0',
   $gw_ipv6, $gw_ipv6_prefixlen = '64',
+  $gw_pub_ipv6, $gw_pub_ipv6_prefixlen = '64',
   $secret_key,                                      # for fastd
   $vpn_provider = 'mullvad',                        # supported: mullvad or hideme
   $vpn_ca_crt   = false,                            # openvpn CA cert to verify server
@@ -26,6 +27,8 @@ class ff_gw(
     gw_ipv4_netmask   => $gw_ipv4_netmask,
     gw_ipv6           => $gw_ipv6,
     gw_ipv6_prefixlen => $gw_ipv6_prefixlen,
+    gw_pub_ipv6           => $gw_pub_ipv6,
+    gw_pub_ipv6_prefixlen => $gw_pub_ipv6_prefixlen,
     secret_key        => $secret_key,
   }
   ->
@@ -95,7 +98,7 @@ class ff_gw::software {
   }
 }
 
-class ff_gw::fastd($mesh_mac, $gw_ipv4, $gw_ipv4_netmask, $gw_ipv6, $gw_ipv6_prefixlen, $secret_key) {
+class ff_gw::fastd($mesh_mac, $gw_ipv4, $gw_ipv4_netmask, $gw_ipv6, $gw_ipv6_prefixlen, $gw_pub_ipv6, $gw_pub_ipv6_prefixlen, $secret_key) {
   validate_re($mesh_mac, '^de:ad:be:[0-9a-f]{2}:[0-9a-f]{2}:[0-9a-f]{2}$')
   # TODO: parameterize interface names
   $br_if   = 'br-ffhh'
@@ -138,6 +141,7 @@ class ff_gw::fastd($mesh_mac, $gw_ipv4, $gw_ipv4_netmask, $gw_ipv6, $gw_ipv6_pre
         "set iface[. = '${br_if}'][1]/bridge-ports none",
         "set iface[. = '${br_if}'][1]/address ${gw_ipv6}",
         "set iface[. = '${br_if}'][1]/netmask ${gw_ipv6_prefixlen}",
+        "set iface[. = '${br_if}'][1]/post-up '/sbin/ip -6 addr add ${gw_pub_ipv6}/${gw_pub_ipv6_prefixlen} dev \$IFACE'",
       ],
   }
   ->
@@ -167,7 +171,6 @@ class ff_gw::fastd($mesh_mac, $gw_ipv4, $gw_ipv4_netmask, $gw_ipv6, $gw_ipv6_pre
         "set iface[. = '${bat_if}']/up 'ip link set \$IFACE up'",
         "set iface[. = '${bat_if}']/post-up[1] 'brctl addif ${br_if} \$IFACE'",
         "set iface[. = '${bat_if}']/post-up[2] 'batctl it 10000'",
-        "set iface[. = '${bat_if}']/post-up[3] '/sbin/ip rule add from all fwmark 0x1 table 42'",
         "set iface[. = '${bat_if}']/pre-down 'brctl delif ${br_if} \$IFACE || true'",
         "set iface[. = '${bat_if}']/down 'ip link set \$IFACE down'",
       ];
@@ -176,7 +179,7 @@ class ff_gw::fastd($mesh_mac, $gw_ipv4, $gw_ipv4_netmask, $gw_ipv6, $gw_ipv6_pre
   vcsrepo { '/etc/fastd/ffhh-mesh-vpn/peers':
     ensure   => present,
     provider => git,
-    source   => 'git@freifunk-gw01.hamburg.ccc.de:fastdkeys',
+    source   => 'git@git.hamburg.freifunk.net:fastdkeys',
   }
 
   cron {
@@ -393,7 +396,9 @@ class ff_gw::radvd($own_ipv6) {
     context => '/files/etc/sysctl.conf',
     changes => [
       'set net.ipv4.ip_forward 1',
-      'set net.ipv6.conf.all.forwarding 1'
+      'set net.ipv6.conf.all.forwarding 1',
+      'set net.ipv4.icmp_errors_use_inbound_ifaddr 1',
+      'set net.ipv4.netfilter.ip_conntrack_max 65536'
     ],
   }
   ~>
@@ -444,13 +449,9 @@ class ff_gw::vpn($provider, $ca_crt, $usr_crt, $usr_key, $usr_name, $usr_pass, $
       ensure  => file,
       content => $ca_crt;
     "/etc/openvpn/${provider}/${provider}-up":
-      ensure  => file,
-      mode    => '0755',
-      content => '#!/bin/sh
-ip route replace 0.0.0.0/1 via $5 table 42
-ip route replace 128.0.0.0/1 via $5 table 42
-/etc/openvpn/update-dnsmasq-forward
-exit 0';
+      ensure => file,
+      mode   => '0755',
+      source => "puppet:///modules/ff_gw/etc/openvpn/${provider}/${provider}-up";
     "/etc/openvpn/${provider}.conf":
       ensure => file,
       source => "puppet:///modules/ff_gw/etc/openvpn/${provider}.conf";
@@ -482,9 +483,12 @@ class ff_gw::iptables {
     '/etc/iptables/rules.v4':
       ensure => file,
       source => 'puppet:///modules/ff_gw/etc/iptables/rules.v4';
+    '/etc/iptables/rules.v6':
+      ensure => file,
+      source => 'puppet:///modules/ff_gw/etc/iptables/rules.v6';
     '/etc/rc.local':
       ensure  => file,
-      content => '#!/bin/sh -e
+      content => '#!/bin/sh
 # managed by puppet
 #
 # rc.local
@@ -500,6 +504,9 @@ class ff_gw::iptables {
 
 /sbin/ip route add unreachable default table 42
 /sbin/ip rule add from all fwmark 0x1 table 42
+/sbin/ip -6 rule add from all fwmark 0x1 table 42
+/bin/echo 8192 > /sys/module/nf_conntrack/parameters/hashsize
+/sbin/ip -6 rule add priority 30000 from all fwmark 0x1 table 43
 exit 0';
   }
   ~>
@@ -510,7 +517,7 @@ exit 0';
   }
 }
 
-class ff_gw::bird($ff_net, $ff_mesh_net, $ff_as, $own_ipv4, $own_ipv6, $gw_do_ic_peering, $ic_vpn_ip6, $version = '1.4.3-2~bpo70+1') {
+class ff_gw::bird($ff_net, $ff_mesh_net, $ff_as, $own_ipv4, $own_ipv6, $gw_do_ic_peering, $ic_vpn_ip6, $version = '1.4.4-1~bpo70+1') {
   # read peering data from data file
   $module_path = get_module_path($module_name)
   $peeringdata = loadyaml("${module_path}/data/peering.yaml")

manifests/sysadmin.pp

@@ -1,6 +1,5 @@
 # kitchen sink class for various small settings
 class ff_gw::sysadmin($zabbixserver = '127.0.0.1', $muninserver = '127.0.0.1', $sethostname = false, $setip = false, $accounts = {}) {
-
   # first of all: fix my hostname
   if $sethostname and $setip {
     # set system hostname
@@ -11,55 +10,24 @@ class ff_gw::sysadmin($zabbixserver = '127.0.0.1', $muninserver = '127.0.0.1', $
   }
 
   # next important thing: set up apt repositories
-  #
-  class { '::apt':
-    always_apt_update => true
-  }
-  # use backports repo
-  apt::source { 'wheezy-backports':
-    location => 'http://ftp.de.debian.org/debian/',
-    release  => 'wheezy-backports',
-    repos    => 'main',
-  }
-  # batman repo
-  apt::source { 'universe-factory':
-    location   => 'http://repo.universe-factory.net/debian/',
-    release    => 'sid',
-    repos      => 'main',
-    key        => '16EF3F64CB201D9C',
-    key_server => 'pool.sks-keyservers.net',
-  }
-  # bird repo // TODO: no PGP key
-  apt::source { 'bird-network':
-    location   => 'http://bird.network.cz/debian/',
-    release    => 'wheezy',
-    repos      => 'main',
-  }
-
-  # then install some basic packages
-  package {
-    ['vim-nox', 'git', 'etckeeper', 'pv', 'curl', 'atop',
-    'screen', 'tcpdump', 'rsync', 'file', 'psmisc', 'ntpdate']:
-      ensure => installed,
-  }
-  ->
-  # remove atop cronjob
-  file { '/etc/cron.d/atop':
-    ensure => absent,
-  }
-  ->
-  # stop atop daemon (cf. https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=506191)
-  service { 'atop':
-    ensure  => stopped,
-    enable  => false,
-  }
+  class { 'ff_gw::sysadmin::software': }
 
+  # remove cronjob
   cron {
     'ntpdate-debian':
+      ensure  => absent,
       command => '/usr/sbin/ntpdate-debian',
       user    => root,
       minute  => '0';
   }
+  # replace with a real NTP daemon
+  package { 'ntp':
+    ensure => present,
+  }
+  ~>
+  service { 'ntp':
+    ensure => true,
+  }
 
   # user accounts
   create_resources('account', $accounts)
@@ -85,117 +53,11 @@ class ff_gw::sysadmin($zabbixserver = '127.0.0.1', $muninserver = '127.0.0.1', $
     enable => true,
   }
 
-  # zabbix
-  apt::source { 'zabbix':
-    location   => 'http://repo.zabbix.com/zabbix/2.2/debian',
-    release    => 'wheezy',
-    repos      => 'main',
-    key        => '79EA5ED4',
-    key_server => 'pgpkeys.mit.edu',
+  class { 'ff_gw::sysadmin::zabbix':
+    zabbixserver => $zabbixserver,
   }
-  ->
-  package { 'zabbix-agent':
-    ensure => latest;
-  }
-  ->
-  file { '/etc/zabbix/zabbix_agentd.d/argos_monitoring.conf':
-    ensure  => file,
-    content => "# managed by puppet
-Server=${zabbixserver}
-ServerActive=${zabbixserver}
-HostnameItem=${::hostname}
-";
-  }
-  ~>
-  service { 'zabbix-agent':
-    ensure => running,
-    enable => true,
-  }
-
-  # munin
-  package {
-    [ 'munin-node', 'vnstat', 'bc' ]:
-      ensure => installed,
-  }
-  ->
-  file {
-    '/etc/munin/munin-node.conf':
-      ensure  => file,
-      # mostly Debin pkg default
-      content => inline_template('# managed by puppet
-log_level 4
-log_file /var/log/munin/munin-node.log
-pid_file /var/run/munin/munin-node.pid
-
-background 1
-setsid 1
-
-user root
-group root
-
-# Regexps for files to ignore
-ignore_file [\#~]$
-ignore_file DEADJOE$
-ignore_file \.bak$
-ignore_file %$
-ignore_file \.dpkg-(tmp|new|old|dist)$
-ignore_file \.rpm(save|new)$
-ignore_file \.pod$
-
-port 4949
-
-host_name <%= @fqdn %>
-cidr_allow <%= @muninserver %>/32
-host <%= @ipaddress_eth0 %>
-');
-    '/usr/share/munin/plugins/vnstat_':
-      ensure => file,
-      mode   => '0755',
-      source => 'puppet:///modules/ff_gw/usr/share/munin/plugins/vnstat_';
-    '/etc/munin/plugins/vnstat_eth0_monthly_rxtx':
-      ensure => link,
-      target => '/usr/share/munin/plugins/vnstat_';
-    '/usr/share/munin/plugins/udp-statistics':
-      ensure => file,
-      mode   => '0755',
-      source => 'puppet:///modules/ff_gw/usr/share/munin/plugins/udp-statistics';
-    '/etc/munin/plugins/udp-statistics':
-      ensure => link,
-      target => '/usr/share/munin/plugins/udp-statistics';
-    '/etc/munin/plugins/if_mullvad':
-      ensure => link,
-      target => '/usr/share/munin/plugins/if_';
-    '/etc/munin/plugins/if_err_mullvad':
-      ensure => link,
-      target => '/usr/share/munin/plugins/if_err_';
-    '/etc/munin/plugins/if_bat0':
-      ensure => link,
-      target => '/usr/share/munin/plugins/if_';
-    '/etc/munin/plugins/if_err_bat0':
-      ensure => link,
-      target => '/usr/share/munin/plugins/if_err_';
-    '/etc/munin/plugins/if_br-ffhh':
-      ensure => link,
-      target => '/usr/share/munin/plugins/if_';
-    '/etc/munin/plugins/if_err_br-ffhh':
-      ensure => link,
-      target => '/usr/share/munin/plugins/if_err_';
-    '/etc/munin/plugins/if_ffhh-mesh-vpn':
-      ensure => link,
-      target => '/usr/share/munin/plugins/if_';
-    '/etc/munin/plugins/if_err_ffhh-mesh-vpn':
-      ensure => link,
-      target => '/usr/share/munin/plugins/if_err_';
-    # TODO: delete not needed plugins
-    '/etc/munin/plugin-conf.d/vnstat':
-      ensure  => file,
-      content => '[vnstat_eth0_monthly_rxtx]
-env.estimate 1';
-  }
-  ~>
-  service { 'munin-node':
-    ensure => running,
-    enable => true;
+  class { 'ff_gw::sysadmin::munin':
+    muninserver => $muninserver,
   }
 }
 
@@ -244,3 +106,48 @@ class ff_gw::sysadmin::hostname($newname, $newip) {
     refreshonly => true,
   }
 }
+
+# everything related to apt-repos and default tools
+class ff_gw::sysadmin::software() {
+  class { '::apt':
+    always_apt_update => true
+  }
+  # use backports repo
+  apt::source { 'wheezy-backports':
+    location => 'http://ftp.de.debian.org/debian/',
+    release  => 'wheezy-backports',
+    repos    => 'main',
+  }
+  # batman repo
+  apt::source { 'universe-factory':
+    location   => 'http://repo.universe-factory.net/debian/',
+    release    => 'sid',
+    repos      => 'main',
+    key        => '16EF3F64CB201D9C',
+    key_server => 'pool.sks-keyservers.net',
+  }
+  # bird repo // TODO: no PGP key
+  apt::source { 'bird-network':
+    location   => 'http://bird.network.cz/debian/',
+    release    => 'wheezy',
+    repos      => 'main',
+  }
+
+  # then install some basic packages
+  package {
+    ['vim-nox', 'git', 'etckeeper', 'pv', 'curl', 'atop',
+    'screen', 'tcpdump', 'rsync', 'file', 'psmisc', 'ntpdate']:
+      ensure => installed,
+  }
+  ->
+  # remove atop cronjob
+  file { '/etc/cron.d/atop':
+    ensure => absent,
+  }
+  ->
+  # stop atop daemon (cf. https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=506191)
+  service { 'atop':
+    ensure  => stopped,
+    enable  => false,
+  }
+}

manifests/sysadmin/munin.pp

@@ -0,0 +1,99 @@
+# munin config
+class ff_gw::sysadmin::munin($muninserver) {
+  package {
+    [ 'munin-node', 'vnstat', 'bc' ]:
+      ensure => installed,
+  }
+  ->
+  file {
+    '/etc/munin/munin-node.conf':
+      ensure  => file,
+      # mostly Debin pkg default
+      content => inline_template('# managed by puppet
+log_level 4
+log_file /var/log/munin/munin-node.log
+pid_file /var/run/munin/munin-node.pid
+
+background 1
+setsid 1
+
+user root
+group root
+
+# Regexps for files to ignore
+ignore_file [\#~]$
+ignore_file DEADJOE$
+ignore_file \.bak$
+ignore_file %$
+ignore_file \.dpkg-(tmp|new|old|dist)$
+ignore_file \.rpm(save|new)$
+ignore_file \.pod$
+
+port 4949
+
+host_name <%= @fqdn %>
+cidr_allow <%= @muninserver %>/32
+host <%= @ipaddress_eth0 %>
+');
+    '/usr/share/munin/plugins/vnstat_':
+      ensure => file,
+      mode   => '0755',
+      source => 'puppet:///modules/ff_gw/usr/share/munin/plugins/vnstat_';
+    '/etc/munin/plugins/vnstat_eth0_monthly_rxtx':
+      ensure => link,
+      target => '/usr/share/munin/plugins/vnstat_';
+    '/usr/share/munin/plugins/udp-statistics':
+      ensure => file,
+      mode   => '0755',
+      source => 'puppet:///modules/ff_gw/usr/share/munin/plugins/udp-statistics';
+    '/etc/munin/plugins/udp-statistics':
+      ensure => link,
+      target => '/usr/share/munin/plugins/udp-statistics';
+    '/usr/share/munin/plugins/dhcp-pool':
+      ensure => file,
+      mode   => '0755',
+      source => 'puppet:///modules/ff_gw/usr/share/munin/plugins/dhcp-pool';
+    '/etc/munin/plugins/dhcp-pool':
+      ensure => link,
+      target => '/usr/share/munin/plugins/dhcp-pool';
+    '/etc/munin/plugin-conf.d/dhcp-pool':
+      ensure  => file,
+      content => '[dhcp-pool]
+env.leasefile /var/lib/dhcp/dhcpd.leases
+env.conffile /etc/dhcp/dhcpd.conf';
+    '/etc/munin/plugins/if_mullvad':
+      ensure => link,
+      target => '/usr/share/munin/plugins/if_';
+    '/etc/munin/plugins/if_err_mullvad':
+      ensure => link,
+      target => '/usr/share/munin/plugins/if_err_';
+    '/etc/munin/plugins/if_bat0':
+      ensure => link,
+      target => '/usr/share/munin/plugins/if_';
+    '/etc/munin/plugins/if_err_bat0':
+      ensure => link,
+      target => '/usr/share/munin/plugins/if_err_';
+    '/etc/munin/plugins/if_br-ffhh':
+      ensure => link,
+      target => '/usr/share/munin/plugins/if_';
+    '/etc/munin/plugins/if_err_br-ffhh':
+      ensure => link,
+      target => '/usr/share/munin/plugins/if_err_';
+    '/etc/munin/plugins/if_ffhh-mesh-vpn':
+      ensure => link,
+      target => '/usr/share/munin/plugins/if_';
+    '/etc/munin/plugins/if_err_ffhh-mesh-vpn':
+      ensure => link,
+      target => '/usr/share/munin/plugins/if_err_';
+    # TODO: delete not needed plugins
+    '/etc/munin/plugin-conf.d/vnstat':
+      ensure  => file,
+      content => '[vnstat_eth0_monthly_rxtx]
+env.estimate 1';
+  }
+  ~>
+  service { 'munin-node':
+    ensure => running,
+    enable => true;
+  }
+}

manifests/sysadmin/zabbix.pp

@@ -0,0 +1,28 @@
+# zabbix agent config
+class ff_gw::sysadmin::zabbix($zabbixserver) {
+  apt::source { 'zabbix':
+    location   => 'http://repo.zabbix.com/zabbix/2.2/debian',
+    release    => 'wheezy',
+    repos      => 'main',
+    key        => '79EA5ED4',
+    key_server => 'pgpkeys.mit.edu',
+  }
+  ->
+  package { 'zabbix-agent':
+    ensure => latest;
+  }
+  ->
+  file { '/etc/zabbix/zabbix_agentd.d/argos_monitoring.conf':
+    ensure  => file,
+    content => "# managed by puppet
+Server=${zabbixserver}
+ServerActive=${zabbixserver}
+HostnameItem=${::hostname}
+";
+  }
+  ~>
+  service { 'zabbix-agent':
+    ensure => running,
+    enable => true,
+  }
+}

templates/etc/bird/bird.conf.erb

@@ -158,6 +158,17 @@ template bgp locals {
   next hop self;
 };
 
+### local gateways ###
+
+<% @peerings_v4.each_pair do |key, hash| -%><% if hash["ip"] != @own_ipv4 -%>
+protocol bgp <%= key %> from <%= hash["template"] %> {
+  neighbor <%= hash["ip"] %> as ownas;
+};
+<% end -%><% end -%>
+
+<% if @gw_do_ic_peering -%>
+### icvpn peerings ###
+
 # template for icvpn gateways of other cities
 template bgp peers {
   table ebgp;
@@ -168,20 +179,12 @@ template bgp peers {
   route limit 10000;
 };
 
-### local gateways ###
-
-<% @peerings_v4.each_pair do |key, hash| -%><% if hash["ip"] != @own_ipv4 -%>
-protocol bgp <%= key %> from <%= hash["template"] %> {
-  neighbor <%= hash["ip"] %> as ownas;
-};
-<% end -%><% end -%>
-
-### icvpn peerings ###
-
-<% if @gw_do_ic_peering -%>
 <% @ic_peerings_v4.each_pair do |key, hash| -%><% if hash["ip"] != @own_ipv4 -%>
 protocol bgp <%= key %> from <%= hash["template"] %> {
   neighbor <%= hash["ip"] %> as <%= hash["as"] %>;
 };
 <% end -%><% end -%>
 <% end -%>
+
+# this is for local peerings not managed by puppet
+include "*.peering";

templates/etc/bird/bird6.conf.erb

@@ -1,63 +1,163 @@
-# managed by puppet
-#
-# the ff ip of the gateway
+table ibgp;	# internal BGP peerings
+table ebgp;	# external (icvpn) BGP peerings
+table freifunk; # synced to kernel table 42 for routing from ff network
+table unreach;	# synced to kernel table 43 to intercept in cases there 
+		# is no default route via icvpn
+
+# quite self explanatory :)
+define ownas = <%= @ff_as %>;
+
+# the router id in bird is 32 bit wide and bird allows the IPv4 notation
+# to set it. quite confusing, but setting it to the gateway's IPv4 address
+# is a good approach here.
 router id <%= @own_ipv4 %>;
 
-# routing tables
-table ffhh;
+### functions ###
 
-# filter to check ulas
+# own networks as of http://wiki.freifunk.net/IPv6:Prefixe and
+# http://wiki.freifunk.net/IC-VPN
+# the '+' defines to not only match the prefix length given but
+# also any smaller prefixes (like 48 and 64)
+function is_self_net() {
+  return net ~ [ fd51:2bb2:fd0d::/48+,
+    2001:bf7:180::/44+,
+    2001:bf7:190::/44+,
+    2001:bf7:200::/44+,
+    2001:bf7:210::/44+,
+    2001:bf7:220::/44+,
+    2001:bf7:230::/44+];
+}
+
+# freifunk ip ranges in general
+# this is the public address space assigned to the
+# Foerderverein freie Netzwerke e.V.
+function is_freifunk() {
+  return net ~ [ 2001:bf7::/32+ ];
+}
+
+# unique local addresses
+# this is the non-public address range used within freifunk
+# communities and the IC-VPN
 function is_ula() {
-  return (net ~ [ fc00::/7{48,64} ]);
+  return net ~ [ fc00::/7{48,64} ];
 }
 
-function is_self() {
-  return (proto = "static_ffhh");
+# default route
+# be careful with importing default routes from arbitrary peers
+function is_default() {
+  return net ~ [ ::0/0 ];
 }
 
-filter ffhh_internal_export {
-  if (proto = "local_ffhh") then accept;
-  if (source != RTS_BGP) then reject;
-  if (is_ula() && proto != "static_ffhh") then accept;
-  else reject;
-}
+### kernel ###
 
-# don't use kernel's routes for bird, but export bird's routes to kernel
-protocol kernel {
-  scan time 20;  # Scan kernel routing table every 20 seconds
-  import none;  # Default is import all
+# synchronize from bird to main kernel routing table
+# nothing in the other direction
+# do not sync a default route we received to the main routing table
+# as this might collide with the normal default route of the host
+protocol kernel k_mast {
+  scan time 20;
+  import none;
+  export where !is_default();
+};
+
+# synchronize from birds freifunk table to kernel routing table 42
+# nothing in the other direction
+protocol kernel k_frei {
+  scan time 20;
+  table freifunk;
+  kernel table 42;
+  import none;
   export all;
-}
+};
 
-# This pseudo-protocol watches all interface up/down events.
+# syncronize from birds unreach table to kernel routing table 43
+# nothing in the other direction
+protocol kernel k_unreach {
+  scan time 20;
+  table unreach;
+  kernel table 43;
+  import none;
+  export all;
+};
+
+# this pseudo-protocol watches all interface up/down events
 protocol device {
-  scan time 10;  # Scan interfaces every 10 seconds
-}
-
-# define our routes
-protocol static static_ffhh {
-  table ffhh;
-  # reject route if announced from external
-  route fd51:2bb2:fd0d::/48 reject;
+    scan time 20;
 };
 
-protocol static local_ffhh {
-  table ffhh;
-  route fd51:2bb2:fd0d::/64 via "br-ffhh";
-};
+### pipes ###
 
-protocol pipe pipe_ffhh {
-  peer table ffhh;
-  import all;
+# sync nothing from main routing table to ebgp
+# sync routes (not own network) from ebgp to main routing table
+protocol pipe p_maintbl {
+  peer table ebgp;
+  import where !is_self_net();
   export none;
 };
 
-# template for internal routing
-template bgp locals {
-  table ffhh;
-  local as 65112;
-  source address <%= @own_ipv6 %>;
+# sync routes (not own network) from ebgp to ibgp
+# sync routes (all) from ibgp to ebgp
+protocol pipe p_ibgptbl {
+  table ebgp;
+  peer table ibgp;
   import all;
+  export where !is_self_net();
+};
+
+# sync routes (freifunk, ula and default routes we got) from ibgp to freifunk
+# sync nothing from freifunk to ibgp
+protocol pipe p_freitbl {
+  table ibgp;
+  peer table freifunk;
+  import none;
+  export where is_freifunk() || is_default() || is_ula();
+};
+
+### static routes ###
+
+# here you should define unreachable (=reject) routes for your own
+# prefixes from http://wiki.freifunk.net/IC-VPN and
+# http://wiki.freifunk.net/IPv6:Prefixe
+protocol static static_ffhh {  
+  route fd51:2bb2:fd0d::/48 reject;
+  route 2001:bf7:180::/44 reject;
+  route 2001:bf7:190::/44 reject;
+  route 2001:bf7:200::/44 reject;
+  route 2001:bf7:210::/44 reject;
+  route 2001:bf7:220::/44 reject;
+  route 2001:bf7:230::/44 reject;
+  table ebgp;
+};
+
+# these are the address ranges used in your network
+# note that these should be /64 networks in most cases from within
+# the above bigger ranges
+protocol static local_ffhh {
+  route fd51:2bb2:fd0d::/64 via "br-ffhh"; # replace br-ffhh with the name
+  route 2001:bf7:180::/64 via "br-ffhh";   # of your freifunk interface
+  table freifunk;
+};
+
+# this defines an unreachable default route so that pakets are not forwarded
+# via the main routing table if no default route exists within table 42
+# note that this requires an additional rule within your policy routing
+protocol static unreachable_default {
+  route ::/0 reject;
+  table unreach;
+};
+
+### templates ###
+
+# template for same city freifunk gateways
+# even the ones which do not have a direct IC-VPN connection
+template bgp locals {
+  table ibgp;
+  local as ownas;
+  source address <%= @own_ipv6 %>;
+  import filter {
+    preference = 99;
+    accept;
+  };
   export where source = RTS_BGP;
   direct;
   next hop self;
@@ -70,13 +170,22 @@ protocol bgp <%= key %> from <%= hash["template"] %> {
 <% end -%><% end -%>
 
 <% if @gw_do_ic_peering -%>
-# icvpn template for hamburg03
+# template for icvpn gateways of other cities
 template bgp peers {
-  local as 65112;
+  table ebgp;
+  local as ownas;
   source address <%= @ic_vpn_ip6 %>;
-  table ffhh;
-  import where is_ula();
-  export where is_self() || (source = RTS_BGP);
+  # ignore routes for our own network
+  import where (is_freifunk() || is_ula()) && !is_self_net();
+  export where (is_ula() || is_freifunk() || (source = RTS_BGP)) && !is_default();
+  route limit 10000;
+};
+
+# template for upstream gateways
+# that are allowed to announce a default route to us
+template bgp upstream from peers {
+  # accept freifunk networks and default route
+  import where (is_freifunk() || is_ula() || is_default()) && !is_self_net();
 };
 
 <% @ic_peerings_v6.each_pair do |key, hash| -%><% if hash["ip"] != @own_ipv6 -%>
@@ -85,3 +194,6 @@ protocol bgp <%= key %> from <%= hash["template"] %> {
 };
 <% end -%><% end -%>
 <% end -%>
+
+# this is for local peerings not managed by puppet
+include "*.peering6";

templates/etc/dhcp/dhcpd.conf.erb

@@ -19,6 +19,7 @@ subnet 10.112.0.0 netmask 255.255.192.0 {
     # DNS: this gateway (<%= @gw_ipv4 %>) & srv01 (10.112.1.1)
     option domain-name-servers <%= @gw_ipv4 %>, 10.112.1.1;
     option routers <%= @gw_ipv4 %>;
+    option ntp-servers 10.112.16.1, 10.112.22.1;
 }
 
 include "/etc/dhcp/static.conf";

templates/etc/fastd/ffhh-mesh-vpn/fastd.conf.erb

@@ -4,6 +4,7 @@ log to syslog level info;
 interface "ffhh-mesh-vpn";
 method "salsa2012+gmac"; # new method, between gateways for the moment (faster)
 method "xsalsa20-poly1305"; # old method
+secure handshakes no; # be compatible to old peers
 bind 0.0.0.0:10000;
 hide ip addresses yes;
 hide mac addresses yes;

templates/etc/radvd.conf.erb

@@ -7,6 +7,9 @@ interface br-ffhh
 
  prefix fd51:2bb2:fd0d::/64 {
  };
+ prefix 2001:bf7:180::/64 {
+ };
+
 
  RDNSS <%= @own_ipv6 %> {
  };

templates/etc/tinc/icvpn/tinc.conf.erb

@@ -15,22 +15,25 @@ ConnectTo = bremen2
 ConnectTo = chemnitz1
 ConnectTo = diac24_sbc
 ConnectTo = diac24_sbz
+ConnectTo = dreilaendereck1
 ConnectTo = dresden1
 ConnectTo = ffhallevpn1
+ConnectTo = flensburg1
 ConnectTo = franken1
 ConnectTo = franken2
 ConnectTo = franken3
 ConnectTo = franken_ro1
-ConnectTo = Frankfurt1
 ConnectTo = freiburg1
 ConnectTo = gronau1
 ConnectTo = gronau2
+ConnectTo = guetersloh1
+ConnectTo = guetersloh4
 ConnectTo = halle1
-ConnectTo = halle2
 ConnectTo = jena1
 ConnectTo = jena2
+ConnectTo = kiel0
 ConnectTo = kiel1
-ConnectTo = kiel13
+ConnectTo = kiel2
 ConnectTo = kiel3
 ConnectTo = kiel4
 ConnectTo = koeln1
@@ -39,10 +42,15 @@ ConnectTo = leipzig2
 ConnectTo = ljubljana1
 ConnectTo = luebeck1
 ConnectTo = luebeck2
+ConnectTo = magdeburg1
+ConnectTo = magdeburg2
 ConnectTo = mainz1
 ConnectTo = nrw2
 ConnectTo = oldenburg1
+ConnectTo = ostholstein1
+ConnectTo = rheinneckar1
+ConnectTo = ruhrgebiet1
 ConnectTo = weimar1
 ConnectTo = weimar2
-ConnectTo = wermelskirchen1
+ConnectTo = wiesbaden1