-rw-r--r--hosts/vidhar/network/default.nix67
-rw-r--r--hosts/vidhar/network/dsl.nix15
-rw-r--r--hosts/vidhar/network/ruleset.nft30
3 files changed, 79 insertions, 33 deletions
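--- a/hosts/vidhar/network/default.nix
+++ b/hosts/vidhar/network/default.nix
@@ -21,7 +21,7 @@
 { address = "10.141.1.1"; prefixLength = 24; }
 ];
 };
-interfaces."dmz01" = {
+interfaces."wifibh" = {
 ipv4.addresses = [
 { address = "10.141.2.1"; prefixLength = 24; }
 ];
@@ -32,11 +32,11 @@
 id = 2;
 interface = "eno2";
 };
-lan = {
+"eno2.lan" = {
 id = 3;
 interface = "eno2";
 };
-dmz01 = {
+wifibh = {
 id = 4;
 interface = "eno2";
 };
@@ -70,13 +70,6 @@
 option domain-name-servers 10.141.1.1;
 option broadcast-address 10.141.1.255;
 }
-
-subnet 10.141.2.0 netmask 255.255.255.0 {
-range 10.141.2.128 10.141.2.254;
-option domain-name-servers 10.141.2.1;
-option broadcast-address 10.141.2.255;
-option routers 10.141.2.1;
-}
 '';
 machines = [
 {
@@ -96,10 +89,56 @@
 }
 ];
 };
-systemd.network.networks = {
-"eno2" = {
-matchConfig.Name = "eno2";
-networkConfig.LinkLocalAddressing = "no";
+systemd.network = {
+netdevs = {
+"wifibh01" = {
+netdevConfig = {
+Name = "wifibh01";
+Kind = "gretap";
+};
+tunnelConfig = {
+Local = "10.141.2.1";
+Remote = "10.141.2.2";
+};
+};
+"wifibh01.lan" = {
+netdevConfig = {
+Name = "wifibh01.lan";
+Kind = "vlan";
+};
+vlanConfig = {
+VLAN = "2";
+};
+};
+lan = {
+netdevConfig = {
+Name = "lan";
+Kind = "bridge";
+};
+};
+};
+
+networks = {
+"eno2" = {
+matchConfig.Name = "eno2";
+networkConfig.LinkLocalAddressing = "no";
+};
+"wifibh01.lan" = {
+matchConfig.Name = "wifibh01.lan";
+networkConfig.Bridge = "lan";
+bridgeConfig = {
+HairPin = true;
+Cost = "10";
+};
+};
+"40-eno2.lan" = {
+matchConfig.Name = "eno2.lan";
+networkConfig.Bridge = "lan";
+bridgeConfig = {
+HairPin = false;
+Cost = "1";
+};
+};
 };
 };
 };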
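Review bot: The `wifibh01` gretap and `wifibh01.lan` vlan netdevs are declared, but no `.network` in this hunk references them, and systemd-networkd by default only instantiates a tunnel or vlan when the underlying link's network names it (`Tunnel = "wifibh01"` on the wifibh link, `VLAN = "wifibh01.lan"` on wifibh01) unless `tunnelConfig.Independent = true` is set; without that the `wifibh01.lan` network with `Bridge = "lan"` presumably never matches anything. If those references live in another file, a one-line comment beside the netdevs saying where would save the next reader the search. The network names also mix `"40-eno2.lan"` with unprefixed `"wifibh01.lan"` and `"eno2"`; one naming scheme keeps unit ordering predictable. Since the tunnel carries the `lan` bridge as plain GRE over the wifibh VLAN, a comment stating that `10.141.2.2` is the only intended peer and that the packet filter is what enforces it would document the trust boundary this change introduces.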
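--- a/hosts/vidhar/network/dsl.nix
+++ b/hosts/vidhar/network/dsl.nix
@@ -95,13 +95,6 @@ in {
 rdnss = [{ servers = ["::"]; }];
 dnssl = [{ domain_names = ["yggdrasil"]; }];
 }
-{ name = "dmz01";
-advertise = true;
-verbose = true;
-prefix = [{ prefix = "::/64"; }];
-route = [{ prefix = "::/0"; }];
-rdnss = [{ servers = ["::"]; }];
-}
 ];
 
 debug = {
@@ -121,11 +114,6 @@ in {
 interface = "lan";
 network = "::/0";
 };
-dmz01 = {
-method = "iface";
-interface = "dmz01";
-network = "::/0";
-};
 };
 };
 };
@@ -168,7 +156,7 @@ in {
 '';
 
 postStop = ''
-for dev in lan dmz01; do
+for dev in lan; do
 ${pkgs.iproute2}/bin/ip -6 a show dev "''${dev}" scope global | ${pkgs.gnugrep}/bin/grep inet6 | ${pkgs.gawk}/bin/awk '{ print $2; }' | ${pkgs.findutils}/bin/xargs -I '{}' -- ${pkgs.iproute2}/bin/ip addr del '{}' dev "''${dev}"
 done
 '';
@@ -193,7 +181,6 @@ in {
 iaid 1195061668
 ipv6rs # enable routing solicitation for WAN adapter
 ia_pd 1 lan/0/64/0 # request a PD and assign it to the LAN
-ia_pd 1 dmz01/1/64/0 # request a PD and assign it to dmz01
 
 reboot 0
 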
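--- a/hosts/vidhar/network/ruleset.nft
+++ b/hosts/vidhar/network/ruleset.nft
@@ -80,6 +80,7 @@ table inet filter {
 counter dns-rx {}
 counter wg-rx {}
 counter yggdrasil-gre-rx {}
+counter wifibh-gre-rx {}
 counter ipv6-pd-rx {}
 counter ntp-rx {}
 counter dhcp-rx {}
@@ -106,6 +107,7 @@ table inet filter {
 counter dns-tx {}
 counter wg-tx {}
 counter yggdrasil-gre-tx {}
+counter wifibh-gre-tx {}
 counter ipv6-pd-tx {}
 counter ntp-tx {}
 counter dhcp-tx {}
@@ -136,8 +138,7 @@ table inet filter {
 oifname {lan, dsl} meta l4proto $icmp_protos jump forward_icmp_accept
 
 iifname lan oifname dsl counter name fw-lan accept
-iifname dsl oifname { lan, dmz01 } ct state {established, related} counter name fw-dsl accept
-
+iifname dsl oifname lan ct state {established, related} counter name fw-dsl accept
 
 
 limit name lim_reject log level debug prefix "drop forward: " counter name reject-ratelimit-fw drop
@@ -165,18 +166,19 @@ table inet filter {
 iifname { lan, mgmt, dsl, yggdrasil } tcp dport 22 counter name ssh-rx accept
 iifname { lan, mgmt, dsl, yggdrasil } udp dport 60001-61000 counter name mosh-rx accept
 
-iifname { lan, mgmt, dmz01 } tcp dport 53 counter name dns-rx accept
-iifname { lan, mgmt, dmz01 } udp dport 53 counter name dns-rx accept
+iifname { lan, mgmt } tcp dport 53 counter name dns-rx accept
+iifname { lan, mgmt } udp dport 53 counter name dns-rx accept
 
 iifname { lan, mgmt, dsl } meta protocol ip udp dport 51820 counter name wg-rx accept
 iifname { lan, mgmt, dsl } meta protocol ip6 udp dport 51821 counter name wg-rx accept
 iifname "yggdrasil-wg-*" meta l4proto gre counter name yggdrasil-gre-rx accept
+iifname wifibh meta l4proto gre counter name wifibh-gre-rx accept
 
 iifname dsl meta protocol ip6 udp dport 546 udp sport 547 counter name ipv6-pd-rx accept
 
 iifname mgmt udp dport 123 counter name ntp-rx accept
 
-iifname { lan, mgmt, dmz01 } udp dport 67 counter name dhcp-rx accept
+iifname { lan, mgmt } udp dport 67 counter name dhcp-rx accept
 
 iifname lan udp dport { 137, 138, 3702 } counter name samba-rx accept
 iifname lan tcp dport { 445, 139, 5357 } counter name samba-rx accept
@@ -215,6 +217,7 @@ table inet filter {
 meta protocol ip udp sport 51820 counter name wg-tx
 meta protocol ip6 udp sport 51821 counter name wg-tx
 iifname "yggdrasil-wg-*" meta l4proto gre counter name yggdrasil-gre-tx
+iifname wifibh meta l4proto gre counter name wifibh-gre-tx
 
 meta protocol ip6 udp sport 546 udp dport 547 counter name ipv6-pd-tx
 
@@ -235,6 +238,23 @@ table inet filter {
 }
 }
 
+table bridge filter {
+counter br-invalid-fw {}
+counter br-wifibh-fw {}
+counter br-lan-fw {}
+
+chain forward {
+type filter hook forward priority filter
+policy drop
+
+
+ct state invalid log level debug prefix "drop invalid forward: " counter name invalid-fw drop
+
+iifname "wifibh01.lan" counter name wifibh-fw accept
+iifname "eno2.lan" counter name lan-fw accept
+}
+}
+
 table ip nat {
 counter dsl-nat {}
 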
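Review bot: The new `table bridge filter` declares `br-invalid-fw`, `br-wifibh-fw` and `br-lan-fw`, but its three rules reference `counter name invalid-fw`, `counter name wifibh-fw` and `counter name lan-fw`; named counters are scoped to their table, so none of these resolve and `nft -f` should reject the ruleset as a whole, likely leaving whatever rules were active before in place. Either rename the declarations or change the rules to `counter name br-invalid-fw`, `counter name br-wifibh-fw` and `counter name br-lan-fw`. Separately, `iifname wifibh meta l4proto gre counter name wifibh-gre-rx accept` admits GRE from any host on the wifibh VLAN, and gretap carries no authentication, so any host that can source packets there can inject frames into the `lan` bridge; qualifying it with the configured peer, `iifname wifibh ip saddr 10.141.2.2 meta l4proto gre counter name wifibh-gre-rx accept`, reduces that to a source-address spoofing problem, and the matching `wifibh-gre-tx` rule could take the same `ip daddr 10.141.2.2` qualifier.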