summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
Diffstat
-rw-r--r--hosts/vidhar/network/default.nix18
-rw-r--r--hosts/vidhar/network/dsl.nix27
-rw-r--r--hosts/vidhar/network/ruleset.nft14
3 files changed, 47 insertions, 12 deletions
diff --git a/hosts/vidhar/network/default.nix b/hosts/vidhar/network/default.nix
index 62539239..81dac652 100644
--- a/hosts/vidhar/network/default.nix
+++ b/hosts/vidhar/network/default.nix
@@ -21,6 +21,11 @@
21 { address = "10.141.1.1"; prefixLength = 24; } 21 { address = "10.141.1.1"; prefixLength = 24; }
22 ]; 22 ];
23 }; 23 };
24 interfaces."dmz01" = {
25 ipv4.addresses = [
26 { address = "10.141.2.1"; prefixLength = 24; }
27 ];
28 };
24 29
25 vlans = { 30 vlans = {
26 mgmt = { 31 mgmt = {
@@ -31,6 +36,10 @@
31 id = 3; 36 id = 3;
32 interface = "eno2"; 37 interface = "eno2";
33 }; 38 };
39 dmz01 = {
40 id = 4;
41 interface = "eno2";
42 };
34 }; 43 };
35 44
36 firewall.enable = false; 45 firewall.enable = false;
@@ -58,6 +67,15 @@
58 67
59 subnet 10.141.1.0 netmask 255.255.255.0 { 68 subnet 10.141.1.0 netmask 255.255.255.0 {
60 range 10.141.1.128 10.141.1.254; 69 range 10.141.1.128 10.141.1.254;
70 option domain-name-servers 10.141.1.1;
71 option broadcast-address 10.141.1.255;
72 }
73
74 subnet 10.141.2.0 netmask 255.255.255.0 {
75 range 10.141.2.128 10.141.2.254;
76 option domain-name-servers 10.141.2.1;
77 option broadcast-address 10.141.2.255;
78 option routers 10.141.2.1;
61 } 79 }
62 ''; 80 '';
63 machines = [ 81 machines = [
diff --git a/hosts/vidhar/network/dsl.nix b/hosts/vidhar/network/dsl.nix
index 21554b58..0ad598e6 100644
--- a/hosts/vidhar/network/dsl.nix
+++ b/hosts/vidhar/network/dsl.nix
@@ -95,6 +95,13 @@ in {
95 rdnss = [{ servers = ["::"]; }]; 95 rdnss = [{ servers = ["::"]; }];
96 dnssl = [{ domain_names = ["yggdrasil"]; }]; 96 dnssl = [{ domain_names = ["yggdrasil"]; }];
97 } 97 }
98 { name = "dmz01";
99 advertise = true;
100 verbose = true;
101 prefix = [{ prefix = "::/64"; }];
102 route = [{ prefix = "::/0"; }];
103 rdnss = [{ servers = ["::"]; }];
104 }
98 ]; 105 ];
99 106
100 debug = { 107 debug = {
@@ -108,10 +115,17 @@ in {
108 proxies = { 115 proxies = {
109 ${pppInterface} = { 116 ${pppInterface} = {
110 router = true; 117 router = true;
111 rules.lan = { 118 rules = {
112 method = "iface"; 119 lan = {
113 interface = "lan"; 120 method = "iface";
114 network = "::/0"; 121 interface = "lan";
122 network = "::/0";
123 };
124 dmz01 = {
125 method = "iface";
126 interface = "dmz01";
127 network = "::/0";
128 };
115 }; 129 };
116 }; 130 };
117 }; 131 };
@@ -154,7 +168,9 @@ in {
154 ''; 168 '';
155 169
156 postStop = '' 170 postStop = ''
157 ${pkgs.iproute2}/bin/ip -6 a show dev lan scope global | ${pkgs.coreutils}/bin/grep inet6 | ${pkgs.gawk}/bin/awk '{ print $2; }' | ${pkgs.findutils}/bin/xargs -I '{}' -- ${pkgs.iproute2}/bin/ip addr del '{}' dev lan 171 for dev in lan dmz01; do
172 ${pkgs.iproute2}/bin/ip -6 a show dev "''${dev}" scope global | ${pkgs.coreutils}/bin/grep inet6 | ${pkgs.gawk}/bin/awk '{ print $2; }' | ${pkgs.findutils}/bin/xargs -I '{}' -- ${pkgs.iproute2}/bin/ip addr del '{}' dev "''${dev}"
173 done
158 ''; 174 '';
159 175
160 serviceConfig = let 176 serviceConfig = let
@@ -177,6 +193,7 @@ in {
177 iaid 1195061668 193 iaid 1195061668
178 ipv6rs # enable routing solicitation for WAN adapter 194 ipv6rs # enable routing solicitation for WAN adapter
179 ia_pd 1 lan/0/64/0 # request a PD and assign it to the LAN 195 ia_pd 1 lan/0/64/0 # request a PD and assign it to the LAN
196 ia_pd 1 dmz01/1/64/0 # request a PD and assign it to dmz01
180 197
181 reboot 0 198 reboot 0
182 199
diff --git a/hosts/vidhar/network/ruleset.nft b/hosts/vidhar/network/ruleset.nft
index 4d829355..f6a2175c 100644
--- a/hosts/vidhar/network/ruleset.nft
+++ b/hosts/vidhar/network/ruleset.nft
@@ -136,7 +136,7 @@ table inet filter {
136 oifname {lan, dsl} meta l4proto $icmp_protos jump forward_icmp_accept 136 oifname {lan, dsl} meta l4proto $icmp_protos jump forward_icmp_accept
137 137
138 iifname lan oifname dsl counter name fw-lan accept 138 iifname lan oifname dsl counter name fw-lan accept
139 iifname dsl oifname lan ct state {established, related} counter name fw-dsl accept 139 iifname dsl oifname { lan, dmz01 } ct state {established, related} counter name fw-dsl accept
140 140
141 141
142 142
@@ -162,14 +162,14 @@ table inet filter {
162 iifname != dsl meta l4proto $icmp_protos limit name lim_icmp_local counter name icmp-ratelimit-local-rx drop 162 iifname != dsl meta l4proto $icmp_protos limit name lim_icmp_local counter name icmp-ratelimit-local-rx drop
163 meta l4proto $icmp_protos counter name icmp-rx accept 163 meta l4proto $icmp_protos counter name icmp-rx accept
164 164
165 tcp dport 22 counter name ssh-rx accept 165 iifname { lan, mgmt, dsl } tcp dport 22 counter name ssh-rx accept
166 udp dport 60001-61000 counter name mosh-rx accept 166 iifname { lan, mgmt, dsl } udp dport 60001-61000 counter name mosh-rx accept
167 167
168 iifname lan tcp dport 53 counter name dns-rx accept 168 iifname { lan, mgmt, dmz01 } tcp dport 53 counter name dns-rx accept
169 iifname lan udp dport 53 counter name dns-rx accept 169 iifname { lan, mgmt, dmz01 } udp dport 53 counter name dns-rx accept
170 170
171 meta protocol ip udp dport 51820 counter name wg-rx accept 171 iifname { lan, mgmt, dsl } meta protocol ip udp dport 51820 counter name wg-rx accept
172 meta protocol ip6 udp dport 51821 counter name wg-rx accept 172 iifname { lan, mgmt, dsl } meta protocol ip6 udp dport 51821 counter name wg-rx accept
173 iifname "yggdrasil-wg-*" meta l4proto gre counter name yggdrasil-gre-rx accept 173 iifname "yggdrasil-wg-*" meta l4proto gre counter name yggdrasil-gre-rx accept
174 174
175 iifname dsl meta protocol ip6 udp dport 546 udp sport 547 counter name ipv6-pd-rx accept 175 iifname dsl meta protocol ip6 udp dport 546 udp sport 547 counter name ipv6-pd-rx accept
generated by cgit v1.2.3 (git 2.25.1) at 2025-10-25 14:00:35 +0000