3 files changed, 37 insertions, 119 deletions
diff --git a/hosts/vidhar/network/default.nix b/hosts/vidhar/network/default.nix
index 29d4ba92..a1d1b172 100644
--- a/hosts/vidhar/network/default.nix
+++ b/hosts/vidhar/network/default.nix
@@ -21,7 +21,7 @@
          { address = "10.141.1.1"; prefixLength = 24; }
        ];
      };
-      interfaces."wifibh" = {
+      interfaces."dmz01" = {
        ipv4.addresses = [
          { address = "10.141.2.1"; prefixLength = 24; }
        ];
@@ -32,11 +32,11 @@
          id = 2;
          interface = "eno2";
        };
-        "eno2.lan" = {
+        lan = {
          id = 3;
          interface = "eno2";
        };
-        wifibh = {
+        dmz01 = {
          id = 4;
          interface = "eno2";
        };
@@ -70,6 +70,13 @@
          option domain-name-servers 10.141.1.1;
          option broadcast-address 10.141.1.255;
        }
+        subnet 10.141.2.0 netmask 255.255.255.0 {
+          range 10.141.2.128 10.141.2.254;
+          option domain-name-servers 10.141.2.1;
+          option broadcast-address 10.141.2.255;
+          option routers 10.141.2.1;
+        }
      '';
      machines = [
        {
@@ -89,81 +96,16 @@
        }
      ];
    };
-    systemd.network = {
+    systemd.network.networks = {
-      netdevs = {
+      "eno1" = {
-        "wifibh01" = {
+        matchConfig.Name = "eno1";
-          netdevConfig = {
+        linkConfig = {
-            Name = "wifibh01";
+          ActivationPolicy = "down";
-            Kind = "gretap";
-          };
-          tunnelConfig = {
-            Local = "10.141.2.1";
-            Remote = "10.141.2.2";
-          };
-        };
-        "wifibh01.lan" = {
-          netdevConfig = {
-            Name = "wifibh01.lan";
-            Kind = "vlan";
-          };
-          vlanConfig = {
-            Id = 2;
-          };
-        };
-        lan = {
-          netdevConfig = {
-            Name = "lan";
-            Kind = "bridge";
-          };
        };
      };
+      "eno2" = {
-      networks = {
+        matchConfig.Name = "eno2";
-        "eno1" = {
+        networkConfig.LinkLocalAddressing = "no";
-          matchConfig.Name = "eno1";
-          linkConfig = {
-            ActivationPolicy = "down";
-          };
-        };
-        "eno2" = {
-          matchConfig.Name = "eno2";
-          networkConfig.LinkLocalAddressing = "no";
-        };
-        "40-wifibh" = {
-          matchConfig.Name = "wifibh";
-          networkConfig = {
-            Tunnel = ["wifibh01"];
-          };
-        };
-        "wifibh01" = {
-          matchConfig.Name = "wifibh01";
-          linkConfig = {
-            MACAddress = "02:01:00:00:00:00";
-            RequiredForOnline = false;
-          };
-          networkConfig = {
-            LinkLocalAddressing = "no";
-            VLAN = ["wifibh01.lan"];
-          };
-        };
-        "wifibh01.lan" = {
-          matchConfig.Name = "wifibh01.lan";
-          networkConfig.Bridge = "lan";
-          extraConfig = ''
-            [Bridge]
-            HairPin = true
-            Cost = 10
-          '';
-        };
-        "40-eno2.lan" = {
-          matchConfig.Name = "eno2.lan";
-          networkConfig.Bridge = "lan";
-          extraConfig = ''
-            [Bridge]
-            HairPin = false
-            Cost = 1
-          '';
-        };
      };
    };
  };
diff --git a/hosts/vidhar/network/dsl.nix b/hosts/vidhar/network/dsl.nix
index 9c9a57b8..ae2caec2 100644
--- a/hosts/vidhar/network/dsl.nix
+++ b/hosts/vidhar/network/dsl.nix
@@ -95,6 +95,13 @@ in {
            rdnss = [{ servers = ["::"]; }];
            dnssl = [{ domain_names = ["yggdrasil"]; }];
          }
+          { name = "dmz01";
+            advertise = true;
+            verbose = true;
+            prefix = [{ prefix = "::/64"; }];
+            route = [{ prefix = "::/0"; }];
+            rdnss = [{ servers = ["::"]; }];
+          }
        ];
        debug = {
@@ -114,6 +121,11 @@ in {
              interface = "lan";
              network = "::/0";
            };
+            dmz01 = {
+              method = "iface";
+              interface = "dmz01";
+              network = "::/0";
+            };
          };
        };
      };
@@ -156,7 +168,7 @@ in {
      '';
      postStop = ''
-        for dev in lan; do
+        for dev in lan dmz01; do
          ${pkgs.iproute2}/bin/ip -6 a show dev "''${dev}" scope global | ${pkgs.gnugrep}/bin/grep inet6 | ${pkgs.gawk}/bin/awk '{ print $2; }' | ${pkgs.findutils}/bin/xargs -I '{}' -- ${pkgs.iproute2}/bin/ip addr del '{}' dev "''${dev}"
        done
      '';
@@ -181,6 +193,7 @@ in {
          iaid 1195061668
          ipv6rs                 # enable routing solicitation for WAN adapter
          ia_pd 1 lan/0/64/0     # request a PD and assign it to the LAN
+          ia_pd 1 dmz01/1/64/0   # request a PD and assign it to dmz01
          reboot 0
diff --git a/hosts/vidhar/network/ruleset.nft b/hosts/vidhar/network/ruleset.nft
index 0a70da39..fb04e449 100644
--- a/hosts/vidhar/network/ruleset.nft
+++ b/hosts/vidhar/network/ruleset.nft
@@ -80,7 +80,6 @@ table inet filter {
  counter dns-rx {}
  counter wg-rx {}
  counter yggdrasil-gre-rx {}
-  counter wifibh-gre-rx {}
  counter ipv6-pd-rx {}
  counter ntp-rx {}
  counter dhcp-rx {}
@@ -107,7 +106,6 @@ table inet filter {
  counter dns-tx {}
  counter wg-tx {}
  counter yggdrasil-gre-tx {}
-  counter wifibh-gre-tx {}
  counter ipv6-pd-tx {}
  counter ntp-tx {}
  counter dhcp-tx {}
@@ -138,7 +136,8 @@ table inet filter {
    oifname {lan, dsl} meta l4proto $icmp_protos jump forward_icmp_accept
    iifname lan oifname dsl counter name fw-lan accept
-    iifname dsl oifname lan ct state {established, related} counter name fw-dsl accept
+    iifname dsl oifname { lan, dmz01 } ct state {established, related} counter name fw-dsl accept
    limit name lim_reject log level debug prefix "drop forward: " counter name reject-ratelimit-fw drop
@@ -166,19 +165,18 @@ table inet filter {
    iifname { lan, mgmt, dsl, yggdrasil } tcp dport 22 counter name ssh-rx accept
    iifname { lan, mgmt, dsl, yggdrasil } udp dport 60001-61000 counter name mosh-rx accept
-    iifname { lan, mgmt } tcp dport 53 counter name dns-rx accept
+    iifname { lan, mgmt, dmz01 } tcp dport 53 counter name dns-rx accept
-    iifname { lan, mgmt } udp dport 53 counter name dns-rx accept
+    iifname { lan, mgmt, dmz01 } udp dport 53 counter name dns-rx accept
    iifname { lan, mgmt, dsl } meta protocol ip udp dport 51820 counter name wg-rx accept
    iifname { lan, mgmt, dsl } meta protocol ip6 udp dport 51821 counter name wg-rx accept
    iifname "yggdrasil-wg-*" meta l4proto gre counter name yggdrasil-gre-rx accept
-    iifname wifibh meta l4proto gre counter name wifibh-gre-rx accept
    iifname dsl meta protocol ip6 udp dport 546 udp sport 547 counter name ipv6-pd-rx accept
    iifname mgmt udp dport 123 counter name ntp-rx accept
-    iifname { lan, mgmt } udp dport 67 counter name dhcp-rx accept
+    iifname { lan, mgmt, dmz01 } udp dport 67 counter name dhcp-rx accept
    iifname lan udp dport { 137, 138, 3702 } counter name samba-rx accept
    iifname lan tcp dport { 445, 139, 5357 } counter name samba-rx accept
@@ -217,7 +215,6 @@ table inet filter {
    meta protocol ip udp sport 51820 counter name wg-tx
    meta protocol ip6 udp sport 51821 counter name wg-tx
    iifname "yggdrasil-wg-*" meta l4proto gre counter name yggdrasil-gre-tx
-    iifname wifibh meta l4proto gre counter name wifibh-gre-tx
    meta protocol ip6 udp sport 546 udp dport 547 counter name ipv6-pd-tx
@@ -238,40 +235,6 @@ table inet filter {
  }
 }
-table bridge filter {
-  counter invalid-fw {}
-  counter wifibh-fw {}
-  counter lan-fw {}
-  chain forward {
-    type filter hook forward priority filter
-    policy drop
-    log level debug prefix "bridge forward: "
-    ct state invalid log level debug prefix "drop invalid forward: " counter name invalid-fw drop
-    iifname "wifibh01.lan" counter name wifibh-fw accept
-    iifname "eno2.lan" counter name lan-fw accept
-  }
-  chain input {
-    type filter hook input priority filter
-    policy accept
-    
-    log level debug prefix "bridge input: "
-  }
-  chain output {
-    type filter hook output priority filter
-    policy accept
-    
-    log level debug prefix "bridge output: "
-  }
-}
 table ip nat {
  counter dsl-nat {}

diff --git a/hosts/vidhar/network/default.nix b/hosts/vidhar/network/default.nix index 29d4ba92..a1d1b172 100644 --- a/hosts/vidhar/network/default.nix +++ b/hosts/vidhar/network/default.nix
@@ -21,7 +21,7 @@
21	{ address = "10.141.1.1"; prefixLength = 24; }	21	{ address = "10.141.1.1"; prefixLength = 24; }
22	];	22	];
23	};	23	};
24	interfaces."wifibh" = {	24	interfaces."dmz01" = {
25	ipv4.addresses = [	25	ipv4.addresses = [
26	{ address = "10.141.2.1"; prefixLength = 24; }	26	{ address = "10.141.2.1"; prefixLength = 24; }
27	];	27	];
@@ -32,11 +32,11 @@
32	id = 2;	32	id = 2;
33	interface = "eno2";	33	interface = "eno2";
34	};	34	};
35	"eno2.lan" = {	35	lan = {
36	id = 3;	36	id = 3;
37	interface = "eno2";	37	interface = "eno2";
38	};	38	};
39	wifibh = {	39	dmz01 = {
40	id = 4;	40	id = 4;
41	interface = "eno2";	41	interface = "eno2";
42	};	42	};
@@ -70,6 +70,13 @@
70	option domain-name-servers 10.141.1.1;	70	option domain-name-servers 10.141.1.1;
71	option broadcast-address 10.141.1.255;	71	option broadcast-address 10.141.1.255;
72	}	72	}
		73
		74	subnet 10.141.2.0 netmask 255.255.255.0 {
		75	range 10.141.2.128 10.141.2.254;
		76	option domain-name-servers 10.141.2.1;
		77	option broadcast-address 10.141.2.255;
		78	option routers 10.141.2.1;
		79	}
73	'';	80	'';
74	machines = [	81	machines = [
75	{	82	{
@@ -89,81 +96,16 @@
89	}	96	}
90	];	97	];
91	};	98	};
92	systemd.network = {	99	systemd.network.networks = {
93	netdevs = {	100	"eno1" = {
94	"wifibh01" = {	101	matchConfig.Name = "eno1";
95	netdevConfig = {	102	linkConfig = {
96	Name = "wifibh01";	103	ActivationPolicy = "down";
97	Kind = "gretap";
98	};
99	tunnelConfig = {
100	Local = "10.141.2.1";
101	Remote = "10.141.2.2";
102	};
103	};
104	"wifibh01.lan" = {
105	netdevConfig = {
106	Name = "wifibh01.lan";
107	Kind = "vlan";
108	};
109	vlanConfig = {
110	Id = 2;
111	};
112	};
113	lan = {
114	netdevConfig = {
115	Name = "lan";
116	Kind = "bridge";
117	};
118	};	104	};
119	};	105	};
120		106	"eno2" = {
121	networks = {	107	matchConfig.Name = "eno2";
122	"eno1" = {	108	networkConfig.LinkLocalAddressing = "no";
123	matchConfig.Name = "eno1";
124	linkConfig = {
125	ActivationPolicy = "down";
126	};
127	};
128	"eno2" = {
129	matchConfig.Name = "eno2";
130	networkConfig.LinkLocalAddressing = "no";
131	};
132	"40-wifibh" = {
133	matchConfig.Name = "wifibh";
134	networkConfig = {
135	Tunnel = ["wifibh01"];
136	};
137	};
138	"wifibh01" = {
139	matchConfig.Name = "wifibh01";
140	linkConfig = {
141	MACAddress = "02:01:00:00:00:00";
142	RequiredForOnline = false;
143	};
144	networkConfig = {
145	LinkLocalAddressing = "no";
146	VLAN = ["wifibh01.lan"];
147	};
148	};
149	"wifibh01.lan" = {
150	matchConfig.Name = "wifibh01.lan";
151	networkConfig.Bridge = "lan";
152	extraConfig = ''
153	[Bridge]
154	HairPin = true
155	Cost = 10
156	'';
157	};
158	"40-eno2.lan" = {
159	matchConfig.Name = "eno2.lan";
160	networkConfig.Bridge = "lan";
161	extraConfig = ''
162	[Bridge]
163	HairPin = false
164	Cost = 1
165	'';
166	};
167	};	109	};
168	};	110	};
169	};	111	};


diff --git a/hosts/vidhar/network/dsl.nix b/hosts/vidhar/network/dsl.nix index 9c9a57b8..ae2caec2 100644 --- a/hosts/vidhar/network/dsl.nix +++ b/hosts/vidhar/network/dsl.nix
@@ -95,6 +95,13 @@ in {
95	rdnss = [{ servers = ["::"]; }];	95	rdnss = [{ servers = ["::"]; }];
96	dnssl = [{ domain_names = ["yggdrasil"]; }];	96	dnssl = [{ domain_names = ["yggdrasil"]; }];
97	}	97	}
		98	{ name = "dmz01";
		99	advertise = true;
		100	verbose = true;
		101	prefix = [{ prefix = "::/64"; }];
		102	route = [{ prefix = "::/0"; }];
		103	rdnss = [{ servers = ["::"]; }];
		104	}
98	];	105	];
99		106
100	debug = {	107	debug = {
@@ -114,6 +121,11 @@ in {
114	interface = "lan";	121	interface = "lan";
115	network = "::/0";	122	network = "::/0";
116	};	123	};
		124	dmz01 = {
		125	method = "iface";
		126	interface = "dmz01";
		127	network = "::/0";
		128	};
117	};	129	};
118	};	130	};
119	};	131	};
@@ -156,7 +168,7 @@ in {
156	'';	168	'';
157		169
158	postStop = ''	170	postStop = ''
159	for dev in lan; do	171	for dev in lan dmz01; do
160	${pkgs.iproute2}/bin/ip -6 a show dev "''${dev}" scope global \| ${pkgs.gnugrep}/bin/grep inet6 \| ${pkgs.gawk}/bin/awk '{ print $2; }' \| ${pkgs.findutils}/bin/xargs -I '{}' -- ${pkgs.iproute2}/bin/ip addr del '{}' dev "''${dev}"	172	${pkgs.iproute2}/bin/ip -6 a show dev "''${dev}" scope global \| ${pkgs.gnugrep}/bin/grep inet6 \| ${pkgs.gawk}/bin/awk '{ print $2; }' \| ${pkgs.findutils}/bin/xargs -I '{}' -- ${pkgs.iproute2}/bin/ip addr del '{}' dev "''${dev}"
161	done	173	done
162	'';	174	'';
@@ -181,6 +193,7 @@ in {
181	iaid 1195061668	193	iaid 1195061668
182	ipv6rs # enable routing solicitation for WAN adapter	194	ipv6rs # enable routing solicitation for WAN adapter
183	ia_pd 1 lan/0/64/0 # request a PD and assign it to the LAN	195	ia_pd 1 lan/0/64/0 # request a PD and assign it to the LAN
		196	ia_pd 1 dmz01/1/64/0 # request a PD and assign it to dmz01
184		197
185	reboot 0	198	reboot 0
186		199


diff --git a/hosts/vidhar/network/ruleset.nft b/hosts/vidhar/network/ruleset.nft index 0a70da39..fb04e449 100644 --- a/hosts/vidhar/network/ruleset.nft +++ b/hosts/vidhar/network/ruleset.nft
@@ -80,7 +80,6 @@ table inet filter {
80	counter dns-rx {}	80	counter dns-rx {}
81	counter wg-rx {}	81	counter wg-rx {}
82	counter yggdrasil-gre-rx {}	82	counter yggdrasil-gre-rx {}
83	counter wifibh-gre-rx {}
84	counter ipv6-pd-rx {}	83	counter ipv6-pd-rx {}
85	counter ntp-rx {}	84	counter ntp-rx {}
86	counter dhcp-rx {}	85	counter dhcp-rx {}
@@ -107,7 +106,6 @@ table inet filter {
107	counter dns-tx {}	106	counter dns-tx {}
108	counter wg-tx {}	107	counter wg-tx {}
109	counter yggdrasil-gre-tx {}	108	counter yggdrasil-gre-tx {}
110	counter wifibh-gre-tx {}
111	counter ipv6-pd-tx {}	109	counter ipv6-pd-tx {}
112	counter ntp-tx {}	110	counter ntp-tx {}
113	counter dhcp-tx {}	111	counter dhcp-tx {}
@@ -138,7 +136,8 @@ table inet filter {
138	oifname {lan, dsl} meta l4proto $icmp_protos jump forward_icmp_accept	136	oifname {lan, dsl} meta l4proto $icmp_protos jump forward_icmp_accept
139		137
140	iifname lan oifname dsl counter name fw-lan accept	138	iifname lan oifname dsl counter name fw-lan accept
141	iifname dsl oifname lan ct state {established, related} counter name fw-dsl accept	139	iifname dsl oifname { lan, dmz01 } ct state {established, related} counter name fw-dsl accept
		140
142		141
143		142
144	limit name lim_reject log level debug prefix "drop forward: " counter name reject-ratelimit-fw drop	143	limit name lim_reject log level debug prefix "drop forward: " counter name reject-ratelimit-fw drop
@@ -166,19 +165,18 @@ table inet filter {
166	iifname { lan, mgmt, dsl, yggdrasil } tcp dport 22 counter name ssh-rx accept	165	iifname { lan, mgmt, dsl, yggdrasil } tcp dport 22 counter name ssh-rx accept
167	iifname { lan, mgmt, dsl, yggdrasil } udp dport 60001-61000 counter name mosh-rx accept	166	iifname { lan, mgmt, dsl, yggdrasil } udp dport 60001-61000 counter name mosh-rx accept
168		167
169	iifname { lan, mgmt } tcp dport 53 counter name dns-rx accept	168	iifname { lan, mgmt, dmz01 } tcp dport 53 counter name dns-rx accept
170	iifname { lan, mgmt } udp dport 53 counter name dns-rx accept	169	iifname { lan, mgmt, dmz01 } udp dport 53 counter name dns-rx accept
171		170
172	iifname { lan, mgmt, dsl } meta protocol ip udp dport 51820 counter name wg-rx accept	171	iifname { lan, mgmt, dsl } meta protocol ip udp dport 51820 counter name wg-rx accept
173	iifname { lan, mgmt, dsl } meta protocol ip6 udp dport 51821 counter name wg-rx accept	172	iifname { lan, mgmt, dsl } meta protocol ip6 udp dport 51821 counter name wg-rx accept
174	iifname "yggdrasil-wg-*" meta l4proto gre counter name yggdrasil-gre-rx accept	173	iifname "yggdrasil-wg-*" meta l4proto gre counter name yggdrasil-gre-rx accept
175	iifname wifibh meta l4proto gre counter name wifibh-gre-rx accept
176		174
177	iifname dsl meta protocol ip6 udp dport 546 udp sport 547 counter name ipv6-pd-rx accept	175	iifname dsl meta protocol ip6 udp dport 546 udp sport 547 counter name ipv6-pd-rx accept
178		176
179	iifname mgmt udp dport 123 counter name ntp-rx accept	177	iifname mgmt udp dport 123 counter name ntp-rx accept
180		178
181	iifname { lan, mgmt } udp dport 67 counter name dhcp-rx accept	179	iifname { lan, mgmt, dmz01 } udp dport 67 counter name dhcp-rx accept
182		180
183	iifname lan udp dport { 137, 138, 3702 } counter name samba-rx accept	181	iifname lan udp dport { 137, 138, 3702 } counter name samba-rx accept
184	iifname lan tcp dport { 445, 139, 5357 } counter name samba-rx accept	182	iifname lan tcp dport { 445, 139, 5357 } counter name samba-rx accept
@@ -217,7 +215,6 @@ table inet filter {
217	meta protocol ip udp sport 51820 counter name wg-tx	215	meta protocol ip udp sport 51820 counter name wg-tx
218	meta protocol ip6 udp sport 51821 counter name wg-tx	216	meta protocol ip6 udp sport 51821 counter name wg-tx
219	iifname "yggdrasil-wg-*" meta l4proto gre counter name yggdrasil-gre-tx	217	iifname "yggdrasil-wg-*" meta l4proto gre counter name yggdrasil-gre-tx
220	iifname wifibh meta l4proto gre counter name wifibh-gre-tx
221		218
222	meta protocol ip6 udp sport 546 udp dport 547 counter name ipv6-pd-tx	219	meta protocol ip6 udp sport 546 udp dport 547 counter name ipv6-pd-tx
223		220
@@ -238,40 +235,6 @@ table inet filter {
238	}	235	}
239	}	236	}
240		237
241	table bridge filter {
242	counter invalid-fw {}
243	counter wifibh-fw {}
244	counter lan-fw {}
245
246	chain forward {
247	type filter hook forward priority filter
248	policy drop
249
250
251	log level debug prefix "bridge forward: "
252
253
254	ct state invalid log level debug prefix "drop invalid forward: " counter name invalid-fw drop
255
256	iifname "wifibh01.lan" counter name wifibh-fw accept
257	iifname "eno2.lan" counter name lan-fw accept
258	}
259
260	chain input {
261	type filter hook input priority filter
262	policy accept
263
264	log level debug prefix "bridge input: "
265	}
266
267	chain output {
268	type filter hook output priority filter
269	policy accept
270
271	log level debug prefix "bridge output: "
272	}
273	}
274
275	table ip nat {	238	table ip nat {
276	counter dsl-nat {}	239	counter dsl-nat {}
277		240