WAP: Update the config for OpenWRT 23.05.

This is a dump of the config from a new router (Linksys MR8300) running
a new version of OpenWRT (23.05).

Ansible/roles/wap/README.md

 # Wirelss Access Point
 
-Configure a wireless access point running OpenWRT 19.07.
+Configure a Linksys MR8300 running OpenWRT 23.05 as a wireless access point.

Ansible/roles/wap/templates/uci.conf.j2

@@ -11,24 +11,27 @@ config dnsmasq
 	option domain 'lan'
 	option expandhosts '1'
 	option nonegcache '0'
+	option cachesize '1000'
 	option authoritative '1'
 	option readethers '1'
 	option leasefile '/tmp/dhcp.leases'
-	option resolvfile '/tmp/resolv.conf.auto'
+	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
 	option nonwildcard '1'
 	option localservice '1'
+	option ednspacket_max '1232'
+	option filter_aaaa '0'
+	option filter_a '0'
 
 config dhcp 'lan'
 	option interface 'lan'
 	option start '100'
 	option limit '150'
 	option leasetime '12h'
+	option dhcpv4 'server'
 	option dhcpv6 'server'
 	option ra 'server'
-	option ra_management '1'
-
-config dhcp 'wan'
-	option interface 'wan'
+	list ra_flags 'managed-config'
+	list ra_flags 'other-config'
 	option ignore '1'
 
 config odhcpd 'odhcpd'
@@ -40,162 +43,33 @@ config odhcpd 'odhcpd'
 package dropbear
 
 config dropbear
-	option Port '22'
-	option RootPasswordAuth 'off'
 	option PasswordAuth 'off'
+	option RootPasswordAuth 'off'
+	option Port '22'
 
 package firewall
 
 config defaults
-	option syn_flood '1'
-	option output 'ACCEPT'
-	option forward 'REJECT'
 	option input 'REJECT'
-
-config zone
-	option name 'lan'
-	option input 'ACCEPT'
-	option output 'ACCEPT'
-	option forward 'ACCEPT'
-	option network 'lan'
-
-config include
-	option path '/etc/firewall.user'
-
-config rule
-	option dest_port '22'
-	option src '*'
-	option name 'ssh'
-	option target 'ACCEPT'
-	list proto 'tcp'
-
-package firewall-opkg
-
-config defaults
-	option syn_flood '1'
-	option input 'ACCEPT'
 	option output 'ACCEPT'
 	option forward 'REJECT'
+	option synflood_protect '1'
 
 config zone
 	option name 'lan'
-	list network 'lan'
-	option input 'ACCEPT'
-	option output 'ACCEPT'
-	option forward 'ACCEPT'
-
-config zone
-	option name 'wan'
-	list network 'wan'
-	list network 'wan6'
 	option input 'REJECT'
 	option output 'ACCEPT'
 	option forward 'REJECT'
-	option masq '1'
-	option mtu_fix '1'
-
-config forwarding
-	option src 'lan'
-	option dest 'wan'
-
-config rule
-	option name 'Allow-DHCP-Renew'
-	option src 'wan'
-	option proto 'udp'
-	option dest_port '68'
-	option target 'ACCEPT'
-	option family 'ipv4'
-
-config rule
-	option name 'Allow-Ping'
-	option src 'wan'
-	option proto 'icmp'
-	option icmp_type 'echo-request'
-	option family 'ipv4'
-	option target 'ACCEPT'
-
-config rule
-	option name 'Allow-IGMP'
-	option src 'wan'
-	option proto 'igmp'
-	option family 'ipv4'
-	option target 'ACCEPT'
-
-config rule
-	option name 'Allow-DHCPv6'
-	option src 'wan'
-	option proto 'udp'
-	option src_ip 'fc00::/6'
-	option dest_ip 'fc00::/6'
-	option dest_port '546'
-	option family 'ipv6'
-	option target 'ACCEPT'
-
-config rule
-	option name 'Allow-MLD'
-	option src 'wan'
-	option proto 'icmp'
-	option src_ip 'fe80::/10'
-	list icmp_type '130/0'
-	list icmp_type '131/0'
-	list icmp_type '132/0'
-	list icmp_type '143/0'
-	option family 'ipv6'
-	option target 'ACCEPT'
-
-config rule
-	option name 'Allow-ICMPv6-Input'
-	option src 'wan'
-	option proto 'icmp'
-	list icmp_type 'echo-request'
-	list icmp_type 'echo-reply'
-	list icmp_type 'destination-unreachable'
-	list icmp_type 'packet-too-big'
-	list icmp_type 'time-exceeded'
-	list icmp_type 'bad-header'
-	list icmp_type 'unknown-header-type'
-	list icmp_type 'router-solicitation'
-	list icmp_type 'neighbour-solicitation'
-	list icmp_type 'router-advertisement'
-	list icmp_type 'neighbour-advertisement'
-	option limit '1000/sec'
-	option family 'ipv6'
-	option target 'ACCEPT'
-
-config rule
-	option name 'Allow-ICMPv6-Forward'
-	option src 'wan'
-	option dest '*'
-	option proto 'icmp'
-	list icmp_type 'echo-request'
-	list icmp_type 'echo-reply'
-	list icmp_type 'destination-unreachable'
-	list icmp_type 'packet-too-big'
-	list icmp_type 'time-exceeded'
-	list icmp_type 'bad-header'
-	list icmp_type 'unknown-header-type'
-	option limit '1000/sec'
-	option family 'ipv6'
-	option target 'ACCEPT'
-
-config rule
-	option name 'Allow-IPSec-ESP'
-	option src 'wan'
-	option dest 'lan'
-	option proto 'esp'
-	option target 'ACCEPT'
+	list network 'lan'
 
 config rule
-	option name 'Allow-ISAKMP'
-	option src 'wan'
-	option dest 'lan'
-	option dest_port '500'
-	option proto 'udp'
+	option name 'ssh'
+	list proto 'tcp'
+	option src '*'
+	list dest_ip '192.168.3.13'
+	option dest_port '22'
 	option target 'ACCEPT'
 
-config include
-	option path '/etc/firewall.user'
-
 package luci
 
 config core 'main'
@@ -223,6 +97,9 @@ config internal 'ccache'
 	option enable '1'
 
 config internal 'themes'
+	option Bootstrap '/luci-static/bootstrap'
+	option BootstrapDark '/luci-static/bootstrap-dark'
+	option BootstrapLight '/luci-static/bootstrap-light'
 
 config internal 'apply'
 	option rollback '90'
@@ -238,43 +115,52 @@ config internal 'diag'
 package network
 
 config interface 'loopback'
-	option ifname 'lo'
+	option device 'lo'
 	option proto 'static'
 	option ipaddr '127.0.0.1'
 	option netmask '255.0.0.0'
 
 config globals 'globals'
-	option ula_prefix 'fd3a:a5ff:4867::/48'
+	option ula_prefix 'fdc9:d14b:495c::/48'
 
-config interface 'lan'
+config device
+	option name 'br-lan'
 	option type 'bridge'
-	option ifname 'eth0'
-	option proto 'dhcp'
+	list ports 'lan1'
+	list ports 'lan2'
+	list ports 'lan3'
+	list ports 'lan4'
+	list ports 'wan'
+	option macaddr 'C4:41:1E:AA:03:4A'
 
-config device 'lan_eth0_dev'
-	option name 'eth0'
-	option macaddr '60:38:e0:ae:19:4a'
+config device
+	option name 'lan1'
+	option macaddr 'C4:41:1E:AA:03:4A'
 
-config device 'wan_eth1_dev'
-	option name 'eth1'
-	option macaddr '60:38:e0:ae:19:49'
+config device
+	option name 'lan2'
+	option macaddr 'C4:41:1E:AA:03:4A'
 
-config switch
-	option name 'switch0'
-	option reset '1'
+config device
+	option name 'lan3'
+	option macaddr 'C4:41:1E:AA:03:4A'
 
-config switch_vlan
-	option device 'switch0'
-	option vlan '1'
-	option ports '0 1 2 3 4'
-	option vid '1'
+config device
+	option name 'lan4'
+	option macaddr 'C4:41:1E:AA:03:4A'
 
-package nut_server
+config interface 'lan'
+	option device 'br-lan'
+	option proto 'dhcp'
+
+config device
+	option name 'wan'
+	option macaddr 'C4:41:1E:AA:03:4A'
 
 package rpcd
 
 config rpcd
-	option socket '/var/run/ubus.sock'
+	option socket '/var/run/ubus/ubus.sock'
 	option timeout '30'
 
 config login
@@ -286,11 +172,12 @@ config login
 package system
 
 config system
+	option hostname 'mr8300.shore.co.il'
 	option ttylogin '0'
 	option log_size '64'
 	option urandom_seed '0'
+	option compat_version '2.0'
 	option zonename 'UTC'
-	option hostname 'ea6350.shore.co.il'
 	option log_proto 'udp'
 	option conloglevel '8'
 	option cronloglevel '5'
@@ -306,7 +193,7 @@ package ubootenv
 config ubootenv
 	option dev '/dev/mtd7'
 	option offset '0x0'
-	option envsize '0x20000'
+	option envsize '0x40000'
 	option secsize '0x20000'
 
 package ucitrack
@@ -314,7 +201,6 @@ package ucitrack
 config network
 	option init 'network'
 	list affects 'dhcp'
-	list affects 'radvd'
 
 config wireless
 	list affects 'network'
@@ -375,7 +261,7 @@ config uhttpd 'main'
 	list listen_http '[::]:80'
 	list listen_https '0.0.0.0:443'
 	list listen_https '[::]:443'
-	option redirect_https '1'
+	option redirect_https '0'
 	option home '/www'
 	option rfc1918_filter '1'
 	option max_requests '3'
@@ -388,10 +274,11 @@ config uhttpd 'main'
 	option network_timeout '30'
 	option http_keepalive '20'
 	option tcp_keepalive '1'
+	option ubus_prefix '/ubus'
 
 config cert 'defaults'
 	option days '730'
-	option key_type 'rsa'
+	option key_type 'ec'
 	option bits '2048'
 	option ec_curve 'P-256'
 	option country 'ZZ'
@@ -403,32 +290,48 @@ package wireless
 
 config wifi-device 'radio0'
 	option type 'mac80211'
-	option hwmode '11g'
-	option path 'platform/soc/a000000.wifi'
-	option country 'IL'
-	option htmode 'HT40'
-	option channel '6'
+	option path 'soc/40000000.pci/pci0000:00/0000:00:00.0/0000:01:00.0'
+	option channel 'auto'
+	option band '5g'
+	option htmode 'VHT80'
+	option cell_density '0'
 
 config wifi-iface 'default_radio0'
 	option device 'radio0'
 	option network 'lan'
 	option mode 'ap'
+	option ssid 'Shore Inc. (5ghz)'
+	option encryption 'sae-mixed'
 	option key '{{ wifi_password }}'
-	option encryption 'psk2'
-	option ssid 'Shore Inc. (2.4ghz)'
 
 config wifi-device 'radio1'
 	option type 'mac80211'
-	option channel '36'
-	option hwmode '11a'
-	option path 'platform/soc/a800000.wifi'
-	option htmode 'VHT80'
-	option country 'IL'
+	option path 'platform/soc/a000000.wifi'
+	option channel '11'
+	option band '2g'
+	option htmode 'HT20'
+	option cell_density '0'
 
 config wifi-iface 'default_radio1'
 	option device 'radio1'
 	option network 'lan'
 	option mode 'ap'
+	option ssid 'Shore Inc. (2.4ghz)'
+	option encryption 'sae-mixed'
 	option key '{{ wifi_password }}'
-	option encryption 'psk2'
+
+config wifi-device 'radio2'
+	option type 'mac80211'
+	option path 'platform/soc/a800000.wifi'
+	option channel '60'
+	option band '5g'
+	option htmode 'VHT80'
+	option cell_density '0'
+
+config wifi-iface 'default_radio2'
+	option device 'radio2'
+	option network 'lan'
+	option mode 'ap'
 	option ssid 'Shore Inc. (5ghz)'
+	option encryption 'sae-mixed'
+	option key '{{ wifi_password }}'