default_vars.yml: Reorder gateway/iptables for clarity, PR #2947

vars/default_vars.yml

@@ -120,7 +120,11 @@ wifi_hotspot_capacity_rpi_fix: True    # Restores the ability of RPi internal
 # https://github.com/iiab/iiab/issues/823#issuecomment-662285202 and PR #2472.
 wifi_up_down: True    # Creates a 2nd virtual WiFi adapter for upstream WiFi
 # (e.g. to Internet) in addition to downstream WiFi (e.g. classroom hotspot).
-# You can set iiab_gateway_enabled below, to enable "passthrough" to Internet.
+
+# Set True if client machines should have "passthrough" access to WAN/Internet:
+iiab_gateway_enabled: False
+gw_squid_whitelist: False
+gw_block_https: False
 
 # Gateway mode
 iiab_lan_enabled: True
@@ -130,6 +134,24 @@ gui_wan: True
 adm_cons_force_ssl: False
 adm_cons_allow_downloads: False
 
+# Intended for developers: ONLY CHANGE THESE IF YOU KNOW WHAT YOU ARE DOING
+# The following 2 override the detection when not "auto"
+user_wan_iface: auto
+user_lan_iface: auto
+
+# See "How do I set a static IP address?" for Ethernet, in http://FAQ.IIAB.IO
+wan_ip: dhcp       # wan_ip: 192.168.1.99
+wan_netmask:       # wan_netmask: 255.255.255.0
+wan_gateway:       # wan_gateway: 192.168.1.254
+# If nec wan_nameserver can override ISP-provided DNS servers via dnsmasq:
+# /etc/resolv.conf dictates which backend is used for the machine itself, so
+# 127.0.0.1 means you get dnsmasq (so it works right away on RaspiOS) while
+# 127.0.0.53 gives you systemd-networkd (so Ubuntu itself does NOT use this
+# dnsmasq-specified upstream DNS [e.g. wan_nameserver] but its LAN clients do!)
+wan_nameserver:    # wan_nameserver: 192.168.1.254 or 8.8.8.8 or 1.1.1.1
+wan_try_dhcp_before_static_ip: True   # Facilitate field updates w/ cablemodems
+# Details @ roles/network/templates/network/dhcpcd.conf.j2 for /etc/dhcpcd.conf
+
 # Enable "campus access" to ~10 common IIAB services like Kiwix (3000), KA Lite
 # (8008) and Calibre (8010 or 8080) etc, on the WAN side of your IIAB server.
 # Only 1 of the 6 lines below should be uncommented:
@@ -145,10 +167,9 @@ ports_externally_visible: 3     # ssh + http-or-https + common IIAB services
 # /opt/iiab/iiab/roles/network/templates/gateway/iiab-gen-iptables
 # And then run: cd /opt/iiab/iiab; ./iiab-network
 
-# Set True if client machines should have "passthrough" access to WAN/Internet:
-iiab_gateway_enabled: False
-gw_squid_whitelist: False
-gw_block_https: False
+# dnsmasq - handles DHCP and DNS
+dnsmasq_install: True
+dnsmasq_enabled: True
 
 # UNMAINTAINED as of July 2021
 dhcpd_install: False
@@ -160,10 +181,6 @@ named_install: False
 named_enabled: False
 block_DNS: False
 
-# dnsmasq - handles DHCP and DNS
-dnsmasq_install: True
-dnsmasq_enabled: True
-
 # Enable in local_vars.yml AFTER installing IIAB!  Then run "cd /opt/iiab/iiab; ./iiab-network"
 dns_jail_enabled: False
 
@@ -176,25 +193,6 @@ bluetooth_term_enabled: False
 wondershaper_install: False
 wondershaper_enabled: False
 
-# Intended for developers: ONLY CHANGE THESE IF YOU KNOW WHAT YOU ARE DOING
-# The following 2 override the detection when not "auto"
-user_wan_iface: auto
-user_lan_iface: auto
-
-# See "How do I set a static IP address?" for Ethernet, in http://FAQ.IIAB.IO
-# Ethernet - IF NECESSARY, CUSTOMIZE THESE 4+1 VARS IN /etc/iiab/local_vars.yml
-wan_ip: dhcp       # wan_ip: 192.168.1.99
-wan_netmask:       # wan_netmask: 255.255.255.0
-wan_gateway:       # wan_gateway: 192.168.1.254
-# If nec wan_nameserver can override ISP-provided DNS servers via dnsmasq:
-# /etc/resolv.conf dictates which backend is used for the machine itself, so
-# 127.0.0.1 means you get dnsmasq (so it works right away on RaspiOS) while
-# 127.0.0.53 gives you systemd-networkd (so Ubuntu itself does NOT use this
-# dnsmasq-specified upstream DNS [e.g. wan_nameserver] but its LAN clients do!)
-wan_nameserver:    # wan_nameserver: 192.168.1.254 or 8.8.8.8 or 1.1.1.1
-wan_try_dhcp_before_static_ip: True   # Facilitate field updates w/ cablemodems
-# Details @ roles/network/templates/network/dhcpcd.conf.j2 for /etc/dhcpcd.conf
-
 
 # 1-PREP