Diffstat (limited to 'hosts/vidhar/network')
-rw-r--r--hosts/vidhar/network/default.nix49
-rw-r--r--hosts/vidhar/network/dhcp/default.nix133
-rw-r--r--hosts/vidhar/network/gpon.nix271
-rw-r--r--hosts/vidhar/network/pap-secrets26
-rw-r--r--hosts/vidhar/network/pppoe/default.nix155
-rw-r--r--hosts/vidhar/network/pppoe/no-double-timeout.patch13
-rw-r--r--hosts/vidhar/network/pppoe/o2-password18
-rw-r--r--hosts/vidhar/network/ruleset.nft95
8 files changed, 346 insertions, 414 deletions
diff --git a/hosts/vidhar/network/default.nix b/hosts/vidhar/network/default.nix
index 0643f0bb..3b48a7fc 100644
--- a/hosts/vidhar/network/default.nix
+++ b/hosts/vidhar/network/default.nix
@@ -1,9 +1,9 @@
1{ pkgs, lib, ... }: 1{ pkgs, lib, config, ... }:
2 2
3with lib; 3with lib;
4 4
5{ 5{
6 imports = [ ./gpon.nix ./bifrost ./dhcp ]; 6 imports = [ ./pppoe ./bifrost ./dhcp ];
7 7
8 config = { 8 config = {
9 networking = { 9 networking = {
@@ -61,7 +61,9 @@ with lib;
61 firewall.enable = false; 61 firewall.enable = false;
62 nftables = { 62 nftables = {
63 enable = true; 63 enable = true;
64 rulesetFile = ./ruleset.nft; 64 rulesetFile = pkgs.replaceVars ./ruleset.nft {
65 inherit (config.networking) pppInterface;
66 };
65 }; 67 };
66 68
67 resolvconf = { 69 resolvconf = {
@@ -76,16 +78,29 @@ with lib;
76 78
77 environment.etc."dnssec-trust-anchors.d/root.positive".source = "${pkgs.dns-root-data}/root.ds"; 79 environment.etc."dnssec-trust-anchors.d/root.positive".source = "${pkgs.dns-root-data}/root.ds";
78 80
79 systemd.network.networks = { 81 systemd.network = {
80 "eno1" = { 82 networks = {
81 matchConfig.Name = "eno1"; 83 "eno1" = {
82 linkConfig = { 84 matchConfig.Name = "eno1";
83 ActivationPolicy = "down"; 85 linkConfig = {
86 ActivationPolicy = "down";
87 };
88 };
89 "eno2" = {
90 matchConfig.Name = "eno2";
91 networkConfig.LinkLocalAddressing = "no";
92 };
93 "40-lan" = {
94 matchConfig.Name = "lan";
95 networkConfig = {
96 IPv6SendRA = true;
97 DHCPPrefixDelegation = true;
98 };
99 ipv6SendRAConfig = {
100 DNS = "_link_local";
101 Domains = ["lan.yggdrasil" "yggdrasil"];
102 };
84 }; 103 };
85 };
86 "eno2" = {
87 matchConfig.Name = "eno2";
88 networkConfig.LinkLocalAddressing = "no";
89 }; 104 };
90 }; 105 };
91 106
@@ -103,13 +118,21 @@ with lib;
103 /srv/nfs/nix-store 10.141.0.0/24(ro,async,root_squash) 2a03:4000:52:ada:1::/80(ro,async,root_squash) 118 /srv/nfs/nix-store 10.141.0.0/24(ro,async,root_squash) 2a03:4000:52:ada:1::/80(ro,async,root_squash)
104 ''; 119 '';
105 }; 120 };
106 settings.nfsd.vers3 = false; 121 settings.nfsd = {
122 rdma = true;
123 vers3 = false;
124 vers4 = true;
125 "vers4.0" = false;
126 "vers4.1" = false;
127 "vers4.2" = true;
128 };
107 }; 129 };
108 130
109 fileSystems = { 131 fileSystems = {
110 "/srv/nfs/nix-store" = { 132 "/srv/nfs/nix-store" = {
111 device = "/nix/store"; 133 device = "/nix/store";
112 options = [ "bind" ]; 134 options = [ "bind" ];
135 fsType = "none";
113 }; 136 };
114 }; 137 };
115 }; 138 };
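Review bot: `rulesetFile = pkgs.replaceVars ./ruleset.nft { inherit (config.networking) pppInterface; }` splices the interface name unquoted into nft `iifname`/`oifname` expressions and set literals, so `networking.pppInterface` is now effectively part of the firewall syntax; its option is a plain `types.str`, and a value containing spaces, commas or braces would most likely produce a ruleset that fails to load, and with `firewall.enable = false` nothing else stands in for it. A short comment at that line makes the contract visible: `# interface name is substituted unquoted into ruleset.nft; must be a bare nft identifier`. The `settings.nfsd.rdma = true` addition presumably brings up a separate RDMA transport listener for the nix-store export, whose reachability then depends on ruleset.nft — worth confirming the ruleset restricts it to the same sources as the existing export. The enclosing `config` attribute set starts and ends outside the hunks shown.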
diff --git a/hosts/vidhar/network/dhcp/default.nix b/hosts/vidhar/network/dhcp/default.nix
index f36d0c7f..557794e0 100644
--- a/hosts/vidhar/network/dhcp/default.nix
+++ b/hosts/vidhar/network/dhcp/default.nix
@@ -5,6 +5,7 @@ with lib;
5let 5let
6 nfsrootBaseUrl = "http://nfsroot.vidhar.yggdrasil"; 6 nfsrootBaseUrl = "http://nfsroot.vidhar.yggdrasil";
7 tftpIp = "10.141.0.1"; 7 tftpIp = "10.141.0.1";
8 nfsIp = tftpIp;
8 ipxe = pkgs.ipxe.override { 9 ipxe = pkgs.ipxe.override {
9 additionalTargets = { 10 additionalTargets = {
10 "bin-i386-efi/ipxe.efi" = "i386-ipxe.efi"; 11 "bin-i386-efi/ipxe.efi" = "i386-ipxe.efi";
@@ -47,12 +48,12 @@ in {
47 }; 48 };
48 49
49 client-classes = [ 50 client-classes = [
50 { name = "ipxe-eostre"; 51 # { name = "ipxe-eostre";
51 test = "hexstring(pkt4.mac, ':') == '00:d8:61:79:c5:40' and option[77].hex == 'iPXE-yggdrasil'"; 52 # test = "hexstring(pkt4.mac, ':') == '00:d8:61:79:c5:40' and option[77].hex == 'iPXE-yggdrasil'";
52 next-server = tftpIp; 53 # next-server = tftpIp;
53 boot-file-name = "${nfsrootBaseUrl}/eostre.menu.ipxe"; 54 # boot-file-name = "${nfsrootBaseUrl}/eostre.menu.ipxe";
54 only-if-required = true; 55 # only-if-required = true;
55 } 56 # }
56 { name = "ipxe-yggdrasil"; 57 { name = "ipxe-yggdrasil";
57 test = "option[77].hex == 'iPXE-yggdrasil'"; 58 test = "option[77].hex == 'iPXE-yggdrasil'";
58 next-server = tftpIp; 59 next-server = tftpIp;
@@ -305,32 +306,30 @@ in {
305 pkgs.symlinkJoin { 306 pkgs.symlinkJoin {
306 name = "installer-${system}"; 307 name = "installer-${system}";
307 paths = [ 308 paths = [
308 (let 309 (builtins.addErrorContext "while evaluating installer-${system}-nfsroot" (let
309 installerBuild = (flake.nixosConfigurations.${"installer-${system}-nfsroot"}.extendModules { 310 installerBuild' = (flake.nixosConfigurations.${"installer-${system}-nfsroot"}.extendModules {
310 modules = [ 311 modules = [
311 ({ ... }: { 312 ({ ... }: {
312 config.nfsroot.storeDevice = "${tftpIp}:nix-store"; 313 config.nfsroot.storeDevice = "${nfsIp}:nix-store";
313 config.nfsroot.registrationUrl = "${nfsrootBaseUrl}/installer-${system}/registration"; 314 config.nfsroot.registrationUrl = "${nfsrootBaseUrl}/installer-${system}/registration";
315 config.system.nixos.label = "installer-${system}";
314 }) 316 })
315 ]; 317 ];
316 }).config.system.build; 318 });
317 in builtins.toPath (pkgs.runCommandLocal "install-${system}" {} '' 319 installerBuild = installerBuild'.config.system.build;
320 in builtins.toPath (pkgs.runCommandLocal "installer-${system}" {} ''
318 mkdir -p $out/installer-${system} 321 mkdir -p $out/installer-${system}
319 install -m 0444 -t $out/installer-${system} \ 322 install -m 0444 -t $out/installer-${system} \
320 ${installerBuild.initialRamdisk}/initrd \ 323 ${installerBuild.initialRamdisk}/initrd \
321 ${installerBuild.kernel}/bzImage \ 324 ${installerBuild.kernel}/bzImage \
322 ${installerBuild.netbootIpxeScript}/netboot.ipxe \ 325 ${installerBuild.netbootIpxeScript}/netboot.ipxe \
323 ${pkgs.closureInfo { rootPaths = installerBuild.storeContents; }}/registration 326 ${pkgs.closureInfo { rootPaths = installerBuild.storeContents; }}/registration
324 '')) 327 install -m 0444 ${pkgs.writeText "installer-${system}.menu.ipxe" ''
325 (pkgs.writeTextFile {
326 name = "installer-${system}.menu.ipxe";
327 destination = "/installer-${system}.menu.ipxe";
328 text = ''
329 #!ipxe 328 #!ipxe
330 329
331 :start 330 :start
332 menu iPXE boot menu for installer-${system} 331 menu iPXE boot menu for installer-${system}
333 item installer installer-${system} 332 item installer ${with installerBuild'; "${config.system.nixos.distroName} ${config.system.nixos.codeName} ${config.system.nixos.label} (Linux ${config.boot.kernelPackages.kernel.modDirVersion})"}
334 item memtest memtest86plus 333 item memtest memtest86plus
335 item netboot netboot.xyz 334 item netboot netboot.xyz
336 item shell iPXE shell 335 item shell iPXE shell
@@ -350,10 +349,10 @@ in {
350 goto start 349 goto start
351 350
352 :memtest 351 :memtest
353 iseq ''${platform} efi && chain --autofree memtest.efi || chain --autofree memtest.bin 352 chain --autofree mt86plus.efi
354 goto start 353 goto start
355 ''; 354 ''} $out/installer-${system}.menu.ipxe
356 }) 355 '')))
357 ]; 356 ];
358 }) ["x86_64-linux"] 357 }) ["x86_64-linux"]
359 ) ++ [ 358 ) ++ [
@@ -361,63 +360,61 @@ in {
361 mkdir $out 360 mkdir $out
362 install -m 0444 -t $out \ 361 install -m 0444 -t $out \
363 ${ipxe}/{ipxe.efi,i386-ipxe.efi,ipxe.lkrn} \ 362 ${ipxe}/{ipxe.efi,i386-ipxe.efi,ipxe.lkrn} \
364 ${pkgs.memtest86plus}/{memtest.efi,memtest.bin} 363 ${pkgs.memtest86plus}/mt86plus.efi
365 install -m 0444 ${sources.netbootxyz-efi.src} $out/netboot.xyz.efi 364 install -m 0444 ${sources.netbootxyz-efi.src} $out/netboot.xyz.efi
366 install -m 0444 ${sources.netbootxyz-lkrn.src} $out/netboot.xyz.lkrn 365 install -m 0444 ${sources.netbootxyz-lkrn.src} $out/netboot.xyz.lkrn
367 '') 366 '')
368 (let 367 # (builtins.addErrorContext "while evaluating eostre" (let
369 eostreBuild = (flake.nixosConfigurations.eostre.extendModules { 368 # eostreBuild' = (flake.nixosConfigurations.eostre.extendModules {
370 modules = [ 369 # modules = [
371 ({ ... }: { 370 # ({ ... }: {
372 config.nfsroot.storeDevice = "${tftpIp}:nix-store"; 371 # config.nfsroot.storeDevice = "${nfsIp}:nix-store";
373 config.nfsroot.registrationUrl = "${nfsrootBaseUrl}/eostre/registration"; 372 # config.nfsroot.registrationUrl = "${nfsrootBaseUrl}/eostre/registration";
374 }) 373 # config.system.nixos.label = "eostre";
375 ]; 374 # })
376 }).config.system.build; 375 # ];
377 in builtins.toPath (pkgs.runCommandLocal "eostre" {} '' 376 # });
378 mkdir -p $out/eostre 377 # eostreBuild = eostreBuild'.config.system.build;
379 install -m 0444 -t $out/eostre \ 378 # in builtins.toPath (pkgs.runCommandLocal "eostre" {} ''
380 ${eostreBuild.initialRamdisk}/initrd \ 379 # mkdir -p $out/eostre
381 ${eostreBuild.kernel}/bzImage \ 380 # install -m 0444 -t $out/eostre \
382 ${eostreBuild.netbootIpxeScript}/netboot.ipxe \ 381 # ${eostreBuild.initialRamdisk}/initrd \
383 ${pkgs.closureInfo { rootPaths = eostreBuild.storeContents; }}/registration 382 # ${eostreBuild.kernel}/bzImage \
384 '')) 383 # ${eostreBuild.netbootIpxeScript}/netboot.ipxe \
385 (pkgs.writeTextFile { 384 # ${pkgs.closureInfo { rootPaths = eostreBuild.storeContents; }}/registration
386 name = "eostre.menu.ipxe"; 385 # install -m 0444 ${pkgs.writeText "eostre.menu.ipxe" ''
387 destination = "/eostre.menu.ipxe"; 386 # #!ipxe
388 text = ''
389 #!ipxe
390 387
391 set menu-timeout 5000 388 # set menu-timeout 5000
392 389
393 :start 390 # :start
394 menu iPXE boot menu for eostre 391 # menu iPXE boot menu for eostre
395 item eostre eostre 392 # item eostre ${with eostreBuild'; "${config.system.nixos.distroName} ${config.system.nixos.codeName} ${config.system.nixos.label} (Linux ${config.boot.kernelPackages.kernel.modDirVersion})"}
396 item memtest memtest86plus 393 # item memtest memtest86plus
397 item netboot netboot.xyz 394 # item netboot netboot.xyz
398 item shell iPXE shell 395 # item shell iPXE shell
399 choose --timeout ''${menu-timeout} --default eostre selected || goto shell 396 # choose --timeout ''${menu-timeout} --default eostre selected || goto shell
400 set menu-timeout 0 397 # set menu-timeout 0
401 goto ''${selected} 398 # goto ''${selected}
402 399
403 :shell 400 # :shell
404 set menu-timeout 0 401 # set menu-timeout 0
405 shell 402 # shell
406 goto start 403 # goto start
407 404
408 :eostre 405 # :eostre
409 chain eostre/netboot.ipxe 406 # chain eostre/netboot.ipxe
410 goto start 407 # goto start
411 408
412 :netboot 409 # :netboot
413 iseq ''${platform} efi && chain --autofree netboot.xyz.efi || chain --autofree netboot.xyz.lkrn 410 # iseq ''${platform} efi && chain --autofree netboot.xyz.efi || chain --autofree netboot.xyz.lkrn
414 goto start 411 # goto start
415 412
416 :memtest 413 # :memtest
417 iseq ''${platform} efi && chain --autofree memtest.efi || chain --autofree memtest.bin 414 # chain --autofree mt86plus.efi
418 goto start 415 # goto start
419 ''; 416 # ''} $out/eostre.menu.ipxe
420 }) 417 # '')))
421 ]; 418 ];
422 }; 419 };
423 }; 420 };
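Review bot: The `:memtest` entry in the installer menu now runs `chain --autofree mt86plus.efi` unconditionally, dropping the `iseq ''${platform} efi` branch the old script had, while the boot directory still ships `ipxe.lkrn` for BIOS clients, so a legacy-booted client choosing memtest will try to chain an EFI image. Either keep the platform check together with a BIOS image (if the package provides one, e.g. `mt86plus.bin` — to be confirmed), or guard the entry: `iseq ''${platform} efi && chain --autofree mt86plus.efi || echo memtest86+ is EFI-only`. The eostre client class and the eostre build (including its menu) are kept as large commented-out blocks rather than removed; git history preserves them, and a one-line `# eostre netboot disabled: <reason>` in each place would record the intent with far less noise. The enclosing `symlinkJoin`/list expression starts and ends outside the hunks shown.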
diff --git a/hosts/vidhar/network/gpon.nix b/hosts/vidhar/network/gpon.nix
deleted file mode 100644
index 1628159c..00000000
--- a/hosts/vidhar/network/gpon.nix
+++ /dev/null
@@ -1,271 +0,0 @@
1{ config, lib, pkgs, ... }:
2
3with lib;
4
5let
6 pppInterface = config.networking.pppInterface;
7in {
8 options = {
9 networking.pppInterface = mkOption {
10 type = types.str;
11 default = "gpon";
12 };
13 };
14
15 config = {
16 networking.vlans = {
17 telekom = {
18 id = 7;
19 interface = "eno2";
20 };
21 };
22
23 services.pppd = {
24 enable = true;
25 peers.telekom.config = ''
26 nodefaultroute
27 ifname ${pppInterface}
28 lcp-echo-adaptive
29 lcp-echo-failure 5
30 lcp-echo-interval 1
31 maxfail 0
32 mtu 1492
33 mru 1492
34 plugin pppoe.so
35 name telekom
36 user 002576900250551137425220#0001@t-online.de
37 nic-telekom
38 debug
39 +ipv6
40 '';
41 };
42 systemd.services."pppd-telekom" = {
43 stopIfChanged = true;
44
45 serviceConfig = {
46 PIDFile = "/run/pppd/${pppInterface}.pid";
47 };
48 restartTriggers = with config; [
49 environment.etc."ppp/ip-pre-up".source
50 environment.etc."ppp/ip-up".source
51 environment.etc."ppp/ip-down".source
52 # sops.secrets."pap-secrets".sopsFile
53 ];
54 };
55 sops.secrets."pap-secrets" = {
56 format = "binary";
57 sopsFile = ./pap-secrets;
58 path = "/etc/ppp/pap-secrets";
59 };
60
61 environment.etc = {
62 "ppp/ip-pre-up".source = let
63 app = pkgs.writeShellApplication {
64 name = "ip-pre-up";
65 runtimeInputs = with pkgs; [ iproute2 ethtool ];
66 text = ''
67 ethtool -K telekom tso off gso off gro off
68
69 ip link del "ifb4${pppInterface}" || true
70 ip link add name "ifb4${pppInterface}" type ifb
71 ip link set "ifb4${pppInterface}" up
72
73 tc qdisc del dev "ifb4${pppInterface}" root || true
74 tc qdisc del dev "${pppInterface}" ingress || true
75 tc qdisc del dev "${pppInterface}" root || true
76
77 tc qdisc add dev "${pppInterface}" handle ffff: ingress
78 tc filter add dev "${pppInterface}" parent ffff: basic action ctinfo dscp 0x0000003f 0x00000040 action mirred egress redirect dev "ifb4${pppInterface}"
79 tc qdisc replace dev "ifb4${pppInterface}" root cake memlimit 128Mb overhead 35 mpu 74 regional diffserv4 bandwidth 285mbit
80 tc qdisc replace dev "${pppInterface}" root cake memlimit 128Mb overhead 35 mpu 74 regional nat diffserv4 wash bandwidth 143mbit
81 '';
82 };
83 in "${app}/bin/${app.meta.mainProgram}";
84 "ppp/ip-up".source = let
85 app = pkgs.writeShellApplication {
86 name = "ip-up";
87 runtimeInputs = with pkgs; [ iproute2 ];
88 text = ''
89 ip route add default via "$5" dev "${pppInterface}" metric 512
90 '';
91 };
92 in "${app}/bin/${app.meta.mainProgram}";
93 "ppp/ip-down".source = let
94 app = pkgs.writeShellApplication {
95 name = "ip-down";
96 runtimeInputs = with pkgs; [ iproute2 ];
97 text = ''
98 ip link del "ifb4${pppInterface}"
99 '';
100 };
101 in "${app}/bin/${app.meta.mainProgram}";
102 };
103
104 systemd.network.networks.${pppInterface} = {
105 matchConfig = {
106 Name = pppInterface;
107 };
108 dns = [ "::1" "127.0.0.1" ];
109 domains = [ "~." ];
110 networkConfig = {
111 LinkLocalAddressing = "no";
112 DNSSEC = true;
113 };
114 };
115
116 services.corerad = {
117 enable = true;
118 settings = {
119 interfaces = [
120 { name = pppInterface;
121 monitor = true;
122 verbose = true;
123 }
124 { name = "lan";
125 advertise = true;
126 verbose = true;
127 prefix = [{ prefix = "::/64"; }];
128 route = [{ prefix = "::/0"; }];
129 rdnss = [{ servers = ["::"]; }];
130 dnssl = [{ domain_names = ["yggdrasil"]; }];
131 # other_config = true;
132 }
133 ];
134
135 debug = {
136 address = "localhost:9430";
137 prometheus = true;
138 };
139 };
140 };
141 services.ndppd = {
142 enable = true;
143 proxies = {
144 ${pppInterface} = {
145 router = true;
146 rules = {
147 lan = {
148 method = "iface";
149 interface = "lan";
150 network = "::/0";
151 };
152 };
153 };
154 };
155 };
156 boot.kernelModules = [ "ifb" ];
157 boot.kernel.sysctl = {
158 "net.ipv6.conf.all.forwarding" = true;
159 "net.ipv6.conf.default.forwarding" = true;
160 "net.ipv4.conf.all.forwarding" = true;
161 "net.ipv4.conf.default.forwarding" = true;
162
163 "net.core.rmem_max" = 4194304;
164 "net.core.wmem_max" = 4194304;
165 };
166 systemd.services."pppd-telekom" = {
167 bindsTo = [ "sys-subsystem-net-devices-telekom.device" ];
168 after = [ "sys-subsystem-net-devices-telekom.device" ];
169 };
170 systemd.services."dhcpcd-${pppInterface}" = {
171 wantedBy = [ "multi-user.target" "network-online.target" "pppd-telekom.service" ];
172 bindsTo = [ "pppd-telekom.service" ];
173 after = [ "pppd-telekom.service" ];
174 wants = [ "network.target" ];
175 before = [ "network-online.target" ];
176
177 path = with pkgs; [ dhcpcd nettools openresolv ];
178 unitConfig.ConditionCapability = "CAP_NET_ADMIN";
179
180 stopIfChanged = true;
181
182 preStart = ''
183 i=0
184
185 while [[ -z "$(${pkgs.iproute2}/bin/ip -6 addr show dev ${pppInterface} scope link)" ]]; do
186 ${pkgs.coreutils}/bin/sleep 0.1
187 i=$((i + 1))
188 if [[ "$i" -ge 10 ]]; then
189 exit 1
190 fi
191 done
192 '';
193
194 postStop = ''
195 for dev in lan; do
196 ${pkgs.iproute2}/bin/ip -6 a show dev "''${dev}" scope global | ${pkgs.gnugrep}/bin/grep inet6 | ${pkgs.gawk}/bin/awk '{ print $2; }' | ${pkgs.findutils}/bin/xargs -I '{}' -- ${pkgs.iproute2}/bin/ip addr del '{}' dev "''${dev}"
197 done
198 '';
199
200 serviceConfig = let
201 dhcpcdConf = pkgs.writeText "dhcpcd.conf" ''
202 duid
203 vendorclassid
204 ipv6only
205
206 nooption domain_name_servers, domain_name, domain_search
207 option classless_static_routes
208 option interface_mtu
209
210 option host_name
211 option rapid_commit
212 require dhcp_server_identifier
213 slaac private
214
215 nohook resolv.conf
216 ipv6ra_autoconf
217 iaid 1195061668
218 ipv6rs # enable routing solicitation for WAN adapter
219 ia_pd 1 lan/0/64/0 # request a PD and assign it to the LAN
220
221 reboot 0
222
223 waitip 6
224 '';
225 in {
226 Type = "forking";
227 PIDFile = "/var/run/dhcpcd/${pppInterface}.pid";
228 RuntimeDirectory = "dhcpcd";
229 ExecStart = "@${pkgs.dhcpcd}/sbin/dhcpcd dhcpcd -q --config ${dhcpcdConf} ${pppInterface}";
230 ExecReload = "${pkgs.dhcpcd}/sbin/dhcpcd --rebind ${pppInterface}";
231 Restart = "always";
232 RestartSec = "5";
233 };
234 };
235 systemd.services.ndppd = {
236 wantedBy = [ "dhcpcd-${pppInterface}.service" ];
237 bindsTo = [ "dhcpcd-${pppInterface}.service" ];
238 after = [ "dhcpcd-${pppInterface}.service" ];
239
240 serviceConfig = {
241 Restart = "always";
242 RestartSec = "5";
243 };
244 };
245 systemd.services.corerad = {
246 wantedBy = [ "dhcpcd-${pppInterface}.service" ];
247 bindsTo = [ "dhcpcd-${pppInterface}.service" ];
248 after = [ "dhcpcd-${pppInterface}.service" ];
249
250 serviceConfig = {
251 Restart = lib.mkForce "always";
252 RestartSec = "5";
253 };
254 };
255 users.users.dhcpcd = {
256 isSystemUser = true;
257 group = "dhcpcd";
258 };
259 users.groups.dhcpcd = {};
260
261 systemd.services.unbound = {
262 wantedBy = [ "dhcpcd-${pppInterface}.service" ];
263 bindsTo = [ "dhcpcd-${pppInterface}.service" ];
264 after = [ "dhcpcd-${pppInterface}.service" ];
265
266 serviceConfig = {
267 Restart = lib.mkForce "always";
268 };
269 };
270 };
271}
diff --git a/hosts/vidhar/network/pap-secrets b/hosts/vidhar/network/pap-secrets
deleted file mode 100644
index 3516de6c..00000000
--- a/hosts/vidhar/network/pap-secrets
+++ /dev/null
@@ -1,26 +0,0 @@
1{
2 "data": "ENC[AES256_GCM,data:BOyWdys7Oja54Ijv5j+kqufdokQe0onnqw/gVxpNOMf+YI/LlzJscaEtGqPh3ehVtYoSWGumCBPrjdq/zhYq4VV/PCtdeu3MnX1CH2B5bH0mFs0eXcqeGK6NErz/b5nEglv4Z19ig2CUDlbvi8h1zZAEjxTNKhT16ItCtJnBCsIoiMl2QcTTWMyh4a02v3wA1UrOQZvFuCgCHmRoBE6vpREyB23gQdrdKLk7D1LLw5C1aZnzQOhFsgs7bVjOcBnmwTao8ntXxw==,iv:X5FgYkl3DGA/lkRsoc+5XrK3Nlp/ldnFigpXpYNfSJE=,tag:qUH7m9NzuVNnOfr3rRgaOg==,type:str]",
3 "sops": {
4 "kms": null,
5 "gcp_kms": null,
6 "azure_kv": null,
7 "hc_vault": null,
8 "age": [
9 {
10 "recipient": "age1qffdqvy9arld9zd5a5cylt0n98xhcns5shxhrhwjq5g4qa844ejselaa4l",
11 "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAwYTFaTDZRbDd6cFBRSTNN\nVk1kcFJXRG9TT21IMDZsVmtoZjBTNDNjeDFzCkhxNEI2Ujd6SW1STG43eE5EdzZa\nS3phenJZN0RxajBXQ1BnbUhTa3htdFEKLS0tIGVlT3lReHJSQ2UvQ1FST0M0RzVP\nNmxWNzJmNlFPclJTeDUycDJiUzA4Yk0K4JHtkEPY49TGnKPZzEoEZ131RxeQEWkR\nK1ftH2ilr2tUhiErhpqxoTqfAm33xvruqTsePxh1uC7svzKtKBlS2g==\n-----END AGE ENCRYPTED FILE-----\n"
12 }
13 ],
14 "lastmodified": "2021-11-15T08:30:09Z",
15 "mac": "ENC[AES256_GCM,data:TAgZ4ktdN9sZPMo1UtwjKdTM2QBjLorcm84HYXTGYNNEorPoqrXAWOvyWRLjx+zxzpRuDLBPQHCkjwkVO2CctxnTaWPMwITbYtQqj/5ZxACuAeX8MaSximB8s5MJK2faCuVXEnFehbnnPr5Fs8ZsgHwu2iH6DU8ScLEkgckzGV0=,iv:keUbKwWfoIIBsp5Rsm2lEba1ZHAozQY2YpA6p5qDBiU=,tag:1llGytMGvOjSVYKJXGUmXg==,type:str]",
16 "pgp": [
17 {
18 "created_at": "2023-01-30T10:58:50Z",
19 "enc": "-----BEGIN PGP MESSAGE-----\n\nhF4DXxoViZlp6dISAQdA+cwEt6Gv5oKvym4ceJek+J/5guNpmsLLXWIY5CCCSXUw\npXyQpqxm7LQnasIqYNNsNCVbB1mAu6WU6MKn0BG03YWjr8buLB+7PpwZcxeZzRfD\n0l4BAsl+vKwa2YSMCR+EWYSfeEzEVHqoGBJ60dYXuiFiNZInCik+g69PdhsGygNH\nRtIcRiCB8t94GkvdWySTq5ohi1wKOe224l9evbt4zXntVngCHxixuufLrr3Cj+EE\n=3lw4\n-----END PGP MESSAGE-----\n",
20 "fp": "30D3453B8CD02FE2A3E7C78C0FB536FB87AE8F51"
21 }
22 ],
23 "unencrypted_suffix": "_unencrypted",
24 "version": "3.7.1"
25 }
26} \ No newline at end of file
diff --git a/hosts/vidhar/network/pppoe/default.nix b/hosts/vidhar/network/pppoe/default.nix
new file mode 100644
index 00000000..f652c29d
--- /dev/null
+++ b/hosts/vidhar/network/pppoe/default.nix
@@ -0,0 +1,155 @@
1{ config, lib, pkgs, ... }:
2
3with lib;
4
5let
6 inherit (config.networking) pppInterface;
7in {
8 options = {
9 networking.pppInterface = mkOption {
10 type = types.str;
11 default = "ppp";
12 };
13 };
14
15 config = {
16 networking.vlans = {
17 pppoe = {
18 id = 7;
19 interface = "eno2";
20 };
21 };
22
23 services.pppd = {
24 enable = true;
25 package = pkgs.ppp.overrideAttrs (oldAttrs: {
26 patches = [
27 ./no-double-timeout.patch
28 ] ++ (oldAttrs.patches or []);
29 });
30 peers = {
31 o2.config = ''
32 user DSL0004874856014@s93.bbi-o2.de
33 '';
34 };
35 };
36 systemd.services."pppd-o2" = {
37 stopIfChanged = true;
38
39 restartTriggers = with config; [
40 environment.etc."ppp/pap-secrets".source
41 environment.etc."ppp/options".source
42 environment.etc."ppp/ip-pre-up".source
43 environment.etc."ppp/ip-up".source
44 environment.etc."ppp/ip-down".source
45 ];
46
47 serviceConfig.LoadCredential = [
48 "password:${config.sops.secrets."o2-password".path}"
49 ];
50
51 bindsTo = [ "sys-subsystem-net-devices-pppoe.device" ];
52 after = [ "sys-subsystem-net-devices-pppoe.device" ];
53 };
54 sops.secrets."o2-password" = {
55 format = "binary";
56 sopsFile = ./o2-password;
57 };
58
59 environment.etc = {
60 "ppp/options".text = ''
61 nodefaultroute
62 ifname ${pppInterface}
63 lcp-echo-adaptive
64 lcp-echo-failure 10
65 lcp-echo-interval 1
66 maxfail 0
67 mtu 1492
68 mru 1492
69 plugin pppoe.so
70 pppoe-padi-timeout 1
71 pppoe-padi-attempts 10
72 nic-pppoe
73 debug
74 +ipv6
75 '';
76 "ppp/pap-secrets".text = ''
77 DSL0004874856014@s93.bbi-o2.de * @/run/credentials/pppd-o2.service/password *
78 '';
79 "ppp/ip-pre-up".source = pkgs.resholve.writeScript "ip-pre-up" {
80 interpreter = pkgs.runtimeShell;
81 inputs = [ pkgs.iproute2 pkgs.ethtool ];
82 execer = [
83 "cannot:${lib.getExe' pkgs.iproute2 "ip"}"
84 "cannot:${lib.getExe' pkgs.iproute2 "tc"}"
85 ];
86 } ''
87 ethtool -K pppoe tso off gso off gro off
88
89 ip link del "ifb4$1" || true
90 ip link add name "ifb4$1" type ifb
91 ip link set "ifb4$1" up
92
93 tc qdisc del dev "ifb4$1" root || true
94 tc qdisc del dev "$1" ingress || true
95 tc qdisc del dev "$1" root || true
96
97 tc qdisc add dev "$1" handle ffff: ingress
98 tc filter add dev "$1" parent ffff: basic action ctinfo dscp 0x0000003f 0x00000040 action mirred egress redirect dev "ifb4$1"
99 tc qdisc replace dev "ifb4$1" root cake memlimit 128Mb overhead 35 mpu 74 regional diffserv4 bandwidth 175mbit
100 tc qdisc replace dev "$1" root cake memlimit 128Mb overhead 35 mpu 74 regional nat diffserv4 wash bandwidth 40mbit
101 '';
102 "ppp/ip-up".source = pkgs.resholve.writeScript "ip-up" {
103 interpreter = pkgs.runtimeShell;
104 inputs = [ pkgs.iproute2 ];
105 execer = [ "cannot:${lib.getExe' pkgs.iproute2 "ip"}" ];
106 } ''
107 ip addr add "$4" peer "$5"/32 dev "$1"
108 ip route add default dev "$1" metric 512
109 '';
110 "ppp/ip-down".source = pkgs.resholve.writeScript "ip-down" {
111 interpreter = pkgs.runtimeShell;
112 inputs = [ pkgs.iproute2 ];
113 execer = [ "cannot:${lib.getExe' pkgs.iproute2 "ip"}" ];
114 } ''
115 ip link del "ifb4$1"
116 '';
117 };
118
119 systemd.package = pkgs.systemd.overrideAttrs (oldAttrs: {
120 patches = (oldAttrs.patches or []) ++ [
121 (pkgs.fetchpatch {
122 url = "https://github.com/sysedwinistrator/systemd/commit/b9691a43551739ddacdb8d53a4312964c3ddfa08.patch";
123 hash = "sha256-TLfOTFodLzCVywnF4Xp4BR2Pja0Qq4ItE/yaKkzI414=";
124 })
125 ];
126 });
127
128 systemd.network.networks = {
129 "40-${pppInterface}" = {
130 matchConfig.Name = pppInterface;
131 dns = [ "::1" "127.0.0.1" ];
132 domains = [ "~." ];
133 networkConfig = {
134 DHCP = true;
135 DNSSEC = true;
136 };
137 dhcpV6Config = {
138 PrefixDelegationHint = "::/64";
139 WithoutRA = "solicit";
140 };
141 };
142 };
143
144 boot.kernelModules = [ "ifb" ];
145 boot.kernel.sysctl = {
146 "net.ipv6.conf.all.forwarding" = true;
147 "net.ipv6.conf.default.forwarding" = true;
148 "net.ipv4.conf.all.forwarding" = true;
149 "net.ipv4.conf.default.forwarding" = true;
150
151 "net.core.rmem_max" = 4194304;
152 "net.core.wmem_max" = 4194304;
153 };
154 };
155}
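Review bot: `networkConfig.DHCP = true` on the `40-${pppInterface}` network enables the DHCPv4 client as well as DHCPv6, but IPv4 on this link is already configured from IPCP by the `ip-up` script (`ip addr add "$4" peer "$5"/32 dev "$1"`); unless DHCPv4 over PPP is intended here, `DHCP = "ipv6";` avoids a second, competing IPv4 configuration path. The `systemd.package` override applies a patch fetched from a personal fork's commit to the whole system's systemd; the hash pins its content, but nothing says what it fixes or whether it is upstreamed, so a comment above the `fetchpatch`, e.g. `# TODO(review): describe what this systemd patch fixes and link the upstream PR`, would let a future reader drop it safely. Likewise `./no-double-timeout.patch` applied to `pkgs.ppp`, read together with `pppoe-padi-timeout 1` and `pppoe-padi-attempts 10`, turns PADI discovery into a constant-interval retry and deserves a one-line comment saying so (the patch file itself carries no description either). The credential handling — `LoadCredential` plus the `@/run/credentials/pppd-o2.service/password` reference in pap-secrets — keeps the password out of the store-backed `/etc/ppp/pap-secrets`, which is the right shape.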
diff --git a/hosts/vidhar/network/pppoe/no-double-timeout.patch b/hosts/vidhar/network/pppoe/no-double-timeout.patch
new file mode 100644
index 00000000..53f41ae1
--- /dev/null
+++ b/hosts/vidhar/network/pppoe/no-double-timeout.patch
@@ -0,0 +1,13 @@
1diff --git i/pppd/plugins/pppoe/discovery.c w/pppd/plugins/pppoe/discovery.c
2index 86bda61..8060558 100644
3--- i/pppd/plugins/pppoe/discovery.c
4+++ w/pppd/plugins/pppoe/discovery.c
5@@ -686,7 +686,7 @@ discovery1(PPPoEConnection *conn, int waitWholeTimeoutForPADO)
6 conn->discoveryState = STATE_SENT_PADI;
7 waitForPADO(conn, timeout, waitWholeTimeoutForPADO);
8
9- timeout *= 2;
10+ // timeout *= 2;
11 } while (conn->discoveryState == STATE_SENT_PADI);
12 }
13
diff --git a/hosts/vidhar/network/pppoe/o2-password b/hosts/vidhar/network/pppoe/o2-password
new file mode 100644
index 00000000..cd3aed78
--- /dev/null
+++ b/hosts/vidhar/network/pppoe/o2-password
@@ -0,0 +1,18 @@
1{
2 "data": "ENC[AES256_GCM,data:mxHA3rrs5Sc50jAP,iv:iW1ua7wjZR8rPwXw21TdFK+fbfosc1CmnrTG34OJ2zM=,tag:pZ/FAHupnKy0wHtF6RN7yA==,type:str]",
3 "sops": {
4 "age": [
5 {
6 "recipient": "age1rmmhetcmllq0ahl5qznlr0eya2zdxwl9h6y5wnl97d2wtyx5t99sm2u866",
7 "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBpUzAvSlJkSFhhRTFLY0VO\nU1VYbFhpMEpxaFhlb2NyS0xDNU5oMm9EZzJnCm5vbTM4c3lFMU5EajhwTGd6MTVx\nZTFmNVlyaVZuRy9hL2VnWFR0TTNEemsKLS0tIDdTemNMTTllQ1pmb0JNTlVGcTlU\nWjQ2MW4yVmtvRng3TlRDbmpHdmRkbUEKtIVAq4aZD6rhtX7+67EE5eOKAtGsVpBg\nPkfjkyV8ifBEx/lwDaJSHpLPfkbI9oArTL8BloodJEEGql5PXZxtvg==\n-----END AGE ENCRYPTED FILE-----\n"
8 },
9 {
10 "recipient": "age1qffdqvy9arld9zd5a5cylt0n98xhcns5shxhrhwjq5g4qa844ejselaa4l",
11 "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBmUk1oZGdjL25YbGRzdFFh\nRllkcU1IM0x6a2M2S0JicDBFYnBxMWluaEFzCjJ3WHozNkw0RThCMG5BNE5uUkZa\nTnV1OHpaSkMrTk9XM1NRWmxlTmRuUFkKLS0tIE9qdXVWOG9CL0MyS1JXbzhmbVdC\nZlRBWm1SSTZWYzBDc1U4ci94a0hMcHcKLgbJSAMUJ9VaXVmYQe+Uj13KrWFe4QvJ\nRcibCyOJH/VO3rmxU8RAkx0jaH448h9klWhs583Od5yNg7GleC+/qg==\n-----END AGE ENCRYPTED FILE-----\n"
12 }
13 ],
14 "lastmodified": "2026-04-14T15:24:19Z",
15 "mac": "ENC[AES256_GCM,data:/dr0bXAf0v5K9LdKw7RzTTL8Qw/WqiHqLk0EbahDnFg3cVplV0s+ImCnxmhutv3hxdtMZ2dmLBfb8CYb/ZLc4HtNT/K2iKGQM7pF4+XxIjS35Q1JUcXxLrsGZcpARuCZ0AJnKo8yFgtM64dYcbxHlRwGG4u4Ds9fEHHLUMigNM0=,iv:jfFlfscUB7S1JjL/uBeW3uD4bugCT9Cj/vigGvGXrlA=,tag:suol02QD4jRH/QulWoV21A==,type:str]",
16 "version": "3.12.2"
17 }
18}
diff --git a/hosts/vidhar/network/ruleset.nft b/hosts/vidhar/network/ruleset.nft
index 1edae167..5df73e2f 100644
--- a/hosts/vidhar/network/ruleset.nft
+++ b/hosts/vidhar/network/ruleset.nft
@@ -5,15 +5,15 @@ table arp filter {
5 limit lim_arp_local { 5 limit lim_arp_local {
6 rate over 50 mbytes/second burst 50 mbytes 6 rate over 50 mbytes/second burst 50 mbytes
7 } 7 }
8 limit lim_arp_gpon { 8 limit lim_arp_ppp {
9 rate over 7500 kbytes/second burst 7500 kbytes 9 rate over 7500 kbytes/second burst 7500 kbytes
10 } 10 }
11 11
12 counter arp-rx {} 12 counter arp-rx {}
13 counter arp-tx {} 13 counter arp-tx {}
14 14
15 counter arp-ratelimit-gpon-rx {} 15 counter arp-ratelimit-ppp-rx {}
16 counter arp-ratelimit-gpon-tx {} 16 counter arp-ratelimit-ppp-tx {}
17 17
18 counter arp-ratelimit-local-rx {} 18 counter arp-ratelimit-local-rx {}
19 counter arp-ratelimit-local-tx {} 19 counter arp-ratelimit-local-tx {}
@@ -22,8 +22,8 @@ table arp filter {
22 type filter hook input priority filter 22 type filter hook input priority filter
23 policy accept 23 policy accept
24 24
25 iifname != gpon limit name lim_arp_local counter name arp-ratelimit-local-rx drop 25 iifname != @pppInterface@ limit name lim_arp_local counter name arp-ratelimit-local-rx drop
26 iifname gpon limit name lim_arp_gpon counter name arp-ratelimit-gpon-rx drop 26 iifname @pppInterface@ limit name lim_arp_ppp counter name arp-ratelimit-ppp-rx drop
27 27
28 counter name arp-rx 28 counter name arp-rx
29 } 29 }
@@ -32,8 +32,8 @@ table arp filter {
32 type filter hook output priority filter 32 type filter hook output priority filter
33 policy accept 33 policy accept
34 34
35 oifname != gpon limit name lim_arp_local counter name arp-ratelimit-local-tx drop 35 oifname != @pppInterface@ limit name lim_arp_local counter name arp-ratelimit-local-tx drop
36 oifname gpon limit name lim_arp_gpon counter name arp-ratelimit-gpon-tx drop 36 oifname @pppInterface@ limit name lim_arp_ppp counter name arp-ratelimit-ppp-tx drop
37 37
38 counter name arp-tx 38 counter name arp-tx
39 } 39 }
@@ -47,11 +47,11 @@ table inet filter {
47 limit lim_icmp_local { 47 limit lim_icmp_local {
48 rate over 50 mbytes/second burst 50 mbytes 48 rate over 50 mbytes/second burst 50 mbytes
49 } 49 }
50 limit lim_icmp_gpon { 50 limit lim_icmp_ppp {
51 rate over 7500 kbytes/second burst 7500 kbytes 51 rate over 7500 kbytes/second burst 7500 kbytes
52 } 52 }
53 53
54 counter icmp-ratelimit-gpon-fw {} 54 counter icmp-ratelimit-ppp-fw {}
55 counter icmp-ratelimit-local-fw {} 55 counter icmp-ratelimit-local-fw {}
56 56
57 counter icmp-fw {} 57 counter icmp-fw {}
@@ -59,7 +59,9 @@ table inet filter {
59 counter invalid-fw {} 59 counter invalid-fw {}
60 counter fw-lo {} 60 counter fw-lo {}
61 counter fw-lan {} 61 counter fw-lan {}
62 counter fw-gpon {} 62 counter fw-ppp {}
63 counter fw-kimai {}
64 counter fw-podman {}
63 65
64 counter fw-cups {} 66 counter fw-cups {}
65 67
@@ -74,7 +76,7 @@ table inet filter {
74 counter invalid-local4-rx {} 76 counter invalid-local4-rx {}
75 counter invalid-local6-rx {} 77 counter invalid-local6-rx {}
76 78
77 counter icmp-ratelimit-gpon-rx {} 79 counter icmp-ratelimit-ppp-rx {}
78 counter icmp-ratelimit-local-rx {} 80 counter icmp-ratelimit-local-rx {}
79 counter icmp-rx {} 81 counter icmp-rx {}
80 82
@@ -94,6 +96,10 @@ table inet filter {
94 counter immich-rx {} 96 counter immich-rx {}
95 counter paperless-rx {} 97 counter paperless-rx {}
96 counter hledger-rx {} 98 counter hledger-rx {}
99 counter audiobookshelf-rx {}
100 counter kimai-rx {}
101 counter changedetection-rx {}
102 counter vikunja-rx {}
97 103
98 counter established-rx {} 104 counter established-rx {}
99 105
@@ -105,7 +111,7 @@ table inet filter {
105 111
106 counter tx-lo {} 112 counter tx-lo {}
107 113
108 counter icmp-ratelimit-gpon-tx {} 114 counter icmp-ratelimit-ppp-tx {}
109 counter icmp-ratelimit-local-tx {} 115 counter icmp-ratelimit-local-tx {}
110 counter icmp-tx {} 116 counter icmp-tx {}
111 117
@@ -125,15 +131,19 @@ table inet filter {
125 counter immich-tx {} 131 counter immich-tx {}
126 counter paperless-tx {} 132 counter paperless-tx {}
127 counter hledger-tx {} 133 counter hledger-tx {}
134 counter audiobookshelf-tx {}
135 counter kimai-tx {}
136 counter changedetection-tx {}
137 counter vikunja-tx {}
128 138
129 counter tx {} 139 counter tx {}
130 140
131 141
132 chain forward_icmp_accept { 142 chain forward_icmp_accept {
133 oifname { gpon, bifrost } limit name lim_icmp_gpon counter name icmp-ratelimit-gpon-fw drop 143 oifname { @pppInterface@, bifrost } limit name lim_icmp_ppp counter name icmp-ratelimit-ppp-fw drop
134 iifname { gpon, bifrost } limit name lim_icmp_gpon counter name icmp-ratelimit-gpon-fw drop 144 iifname { @pppInterface@, bifrost } limit name lim_icmp_ppp counter name icmp-ratelimit-ppp-fw drop
135 oifname != { gpon, bifrost } limit name lim_icmp_local counter name icmp-ratelimit-local-fw drop 145 oifname != { @pppInterface@, bifrost } limit name lim_icmp_local counter name icmp-ratelimit-local-fw drop
136 iifname != { gpon, bifrost } limit name lim_icmp_local counter name icmp-ratelimit-local-fw drop 146 iifname != { @pppInterface@, bifrost } limit name lim_icmp_local counter name icmp-ratelimit-local-fw drop
137 counter name icmp-fw accept 147 counter name icmp-fw accept
138 } 148 }
139 chain forward { 149 chain forward {
@@ -146,10 +156,17 @@ table inet filter {
146 156
147 iifname lo counter name fw-lo accept 157 iifname lo counter name fw-lo accept
148 158
149 oifname { lan, gpon, bifrost } meta l4proto $icmp_protos jump forward_icmp_accept 159 oifname { lan, @pppInterface@, bifrost } meta l4proto $icmp_protos jump forward_icmp_accept
150 iifname lan oifname { gpon, bifrost } counter name fw-lan accept 160 iifname lan oifname { @pppInterface@, bifrost } counter name fw-lan accept
161 iifname ve-kimai oifname @pppInterface@ counter name fw-kimai accept
162 iifname podman0 ip saddr 10.88.0.5 oifname @pppInterface@ counter name fw-podman accept
151 163
152 iifname gpon oifname lan ct state { established, related } counter name fw-gpon accept 164 iifname @pppInterface@ oifname lan ct state { established, related } counter name fw-ppp accept
165 iifname @pppInterface@ oifname ve-kimai ct state { established, related } counter name fw-kimai accept
166 iifname @pppInterface@ oifname podman0 ip daddr 10.88.0.5 ct state { established, related } counter name fw-podman accept
167
168 iifname bifrost oifname ve-kimai tcp dport 80 ip6 saddr $bifrost_surtr ip6 daddr 2a03:4000:52:ada:6::2 counter name kimai-rx accept
169 iifname ve-kimai oifname bifrost tcp sport 80 ip6 saddr 2a03:4000:52:ada:6::2 ip6 daddr $bifrost_surtr counter name kimai-tx accept
153 170
154 171
155 limit name lim_reject log level debug prefix "drop forward: " counter name reject-ratelimit-fw drop 172 limit name lim_reject log level debug prefix "drop forward: " counter name reject-ratelimit-fw drop
@@ -170,22 +187,22 @@ table inet filter {
170 iif != lo ip daddr 127.0.0.1/8 counter name invalid-local4-rx reject 187 iif != lo ip daddr 127.0.0.1/8 counter name invalid-local4-rx reject
171 iif != lo ip6 daddr ::1/128 counter name invalid-local6-rx reject 188 iif != lo ip6 daddr ::1/128 counter name invalid-local6-rx reject
172 189
173 iifname { bifrost, gpon } meta l4proto $icmp_protos limit name lim_icmp_gpon counter name icmp-ratelimit-gpon-rx drop 190 iifname { bifrost, @pppInterface@ } meta l4proto $icmp_protos limit name lim_icmp_ppp counter name icmp-ratelimit-ppp-rx drop
174 iifname != { bifrost, gpon } meta l4proto $icmp_protos limit name lim_icmp_local counter name icmp-ratelimit-local-rx drop 191 iifname != { bifrost, @pppInterface@ } meta l4proto $icmp_protos limit name lim_icmp_local counter name icmp-ratelimit-local-rx drop
175 meta l4proto $icmp_protos counter name icmp-rx accept 192 meta l4proto $icmp_protos counter name icmp-rx accept
176 193
177 iifname { lan, mgmt, gpon, yggdrasil, bifrost } tcp dport 22 counter name ssh-rx accept 194 iifname { lan, mgmt, @pppInterface@, yggdrasil, bifrost } tcp dport 22 counter name ssh-rx accept
178 iifname { lan, mgmt, gpon, yggdrasil, bifrost } udp dport 60000-61000 counter name mosh-rx accept 195 iifname { lan, mgmt, @pppInterface@, yggdrasil, bifrost } udp dport 60000-61000 counter name mosh-rx accept
179 196
180 iifname { lan, mgmt, wifibh, yggdrasil } meta l4proto { tcp, udp } th dport 53 counter name dns-rx accept 197 iifname { lan, mgmt, wifibh, yggdrasil, podman0 } meta l4proto { tcp, udp } th dport 53 counter name dns-rx accept
181 198
182 iifname { lan, yggdrasil } tcp dport 2049 counter name nfs-rx accept 199 iifname { lan, yggdrasil } tcp dport 2049 counter name nfs-rx accept
183 200
184 iifname { lan, mgmt, gpon } meta protocol ip udp dport 51820 counter name wg-rx accept 201 iifname { lan, mgmt, @pppInterface@ } meta protocol ip udp dport 51820 counter name wg-rx accept
185 iifname { lan, mgmt, gpon } meta protocol ip6 udp dport 51821 counter name wg-rx accept 202 iifname { lan, mgmt, @pppInterface@ } meta protocol ip6 udp dport 51821 counter name wg-rx accept
186 iifname "yggdrasil-wg-*" meta l4proto gre counter name yggdrasil-gre-rx accept 203 iifname "yggdrasil-wg-*" meta l4proto gre counter name yggdrasil-gre-rx accept
187 204
188 iifname gpon meta protocol ip6 udp dport 546 udp sport 547 counter name ipv6-pd-rx accept 205 iifname @pppInterface@ meta protocol ip6 udp dport 546 udp sport 547 counter name ipv6-pd-rx accept
189 206
190 iifname mgmt udp dport 123 counter name ntp-rx accept 207 iifname mgmt udp dport 123 counter name ntp-rx accept
191 208
@@ -203,6 +220,9 @@ table inet filter {
203 iifname bifrost tcp dport 2283 ip6 saddr $bifrost_surtr counter name immich-rx accept 220 iifname bifrost tcp dport 2283 ip6 saddr $bifrost_surtr counter name immich-rx accept
204 iifname bifrost tcp dport 28981 ip6 saddr $bifrost_surtr counter name paperless-rx accept 221 iifname bifrost tcp dport 28981 ip6 saddr $bifrost_surtr counter name paperless-rx accept
205 iifname bifrost tcp dport 5000 ip6 saddr $bifrost_surtr counter name hledger-rx accept 222 iifname bifrost tcp dport 5000 ip6 saddr $bifrost_surtr counter name hledger-rx accept
223 iifname bifrost tcp dport 28982 ip6 saddr $bifrost_surtr counter name audiobookshelf-rx accept
224 iifname bifrost tcp dport 5001 ip6 saddr $bifrost_surtr counter name changedetection-rx accept
225 iifname bifrost tcp dport 3456 ip6 saddr $bifrost_surtr counter name vikunja-rx accept
206 226
207 ct state { established, related } counter name established-rx accept 227 ct state { established, related } counter name established-rx accept
208 228
@@ -220,8 +240,8 @@ table inet filter {
220 240
221 oifname lo counter name tx-lo accept 241 oifname lo counter name tx-lo accept
222 242
223 oifname { bifrost, gpon } meta l4proto $icmp_protos limit name lim_icmp_gpon counter name icmp-ratelimit-gpon-tx drop 243 oifname { bifrost, @pppInterface@ } meta l4proto $icmp_protos limit name lim_icmp_ppp counter name icmp-ratelimit-ppp-tx drop
224 oifname != { bifrost, gpon } meta l4proto $icmp_protos limit name lim_icmp_local counter name icmp-ratelimit-local-tx drop 244 oifname != { bifrost, @pppInterface@ } meta l4proto $icmp_protos limit name lim_icmp_local counter name icmp-ratelimit-local-tx drop
225 meta l4proto $icmp_protos counter name icmp-tx accept 245 meta l4proto $icmp_protos counter name icmp-tx accept
226 246
227 247
@@ -254,6 +274,9 @@ table inet filter {
254 iifname bifrost tcp sport 2283 ip6 daddr $bifrost_surtr counter name immich-tx accept 274 iifname bifrost tcp sport 2283 ip6 daddr $bifrost_surtr counter name immich-tx accept
255 iifname bifrost tcp sport 28981 ip6 daddr $bifrost_surtr counter name paperless-tx accept 275 iifname bifrost tcp sport 28981 ip6 daddr $bifrost_surtr counter name paperless-tx accept
256 iifname bifrost tcp sport 5000 ip6 daddr $bifrost_surtr counter name hledger-tx accept 276 iifname bifrost tcp sport 5000 ip6 daddr $bifrost_surtr counter name hledger-tx accept
277 iifname bifrost tcp sport 28982 ip6 daddr $bifrost_surtr counter name audiobookshelf-tx accept
278 iifname bifrost tcp sport 5001 ip6 daddr $bifrost_surtr counter name changedetection-tx accept
279 iifname bifrost tcp sport 3456 ip6 daddr $bifrost_surtr counter name vikunja-tx accept
257 280
258 281
259 counter name tx 282 counter name tx
@@ -261,28 +284,28 @@ table inet filter {
261} 284}
262 285
263table inet nat { 286table inet nat {
264 counter gpon-nat {} 287 counter ppp-nat {}
265 # counter container-nat {} 288 counter kimai-nat {}
266 289
267 chain postrouting { 290 chain postrouting {
268 type nat hook postrouting priority srcnat 291 type nat hook postrouting priority srcnat
269 policy accept 292 policy accept
270 293
271 294
272 meta nfproto ipv4 oifname gpon counter name gpon-nat masquerade 295 meta nfproto ipv4 oifname @pppInterface@ counter name ppp-nat masquerade
273 # iifname ve-* oifname gpon counter name container-nat masquerade 296 iifname ve-kimai oifname @pppInterface@ counter name kimai-nat masquerade
274 } 297 }
275} 298}
276 299
277table inet mss_clamp { 300table inet mss_clamp {
278 counter gpon-mss-clamp {} 301 counter ppp-mss-clamp {}
279 302
280 chain postrouting { 303 chain postrouting {
281 type filter hook postrouting priority mangle 304 type filter hook postrouting priority mangle
282 policy accept 305 policy accept
283 306
284 307
285 oifname gpon tcp flags & (syn|rst) == syn counter name gpon-mss-clamp tcp option maxseg size set rt mtu 308 oifname @pppInterface@ tcp flags & (syn|rst) == syn counter name ppp-mss-clamp tcp option maxseg size set rt mtu
286 } 309 }
287} 310}
288 311
@@ -417,7 +440,7 @@ table inet dscpclassify {
417 chain postrouting { 440 chain postrouting {
418 type filter hook postrouting priority filter + 1; policy accept 441 type filter hook postrouting priority filter + 1; policy accept
419 442
420 oifname != gpon return 443 oifname != @pppInterface@ return
421 444
422 ip dscp cs0 goto ct_set_cs0 445 ip dscp cs0 goto ct_set_cs0
423 ip dscp lephb goto ct_set_lephb 446 ip dscp lephb goto ct_set_lephb