From ac71bc3f6216a247615ce36c6eddf25365b00a76 Mon Sep 17 00:00:00 2001
From: Gregor Kleen <gkleen@yggdrasil.li>
Date: Thu, 13 Jan 2022 23:16:21 +0100
Subject: vidhar: ...

---
 hosts/vidhar/network/default.nix | 67 +++++++++++++++++++++++++++++++---------
 hosts/vidhar/network/dsl.nix     | 15 +--------
 hosts/vidhar/network/ruleset.nft | 30 +++++++++++++++---
 3 files changed, 79 insertions(+), 33 deletions(-)


diff --git a/hosts/vidhar/network/default.nix b/hosts/vidhar/network/default.nix
index 81dac652..e3d7dd14 100644
--- a/hosts/vidhar/network/default.nix
+++ b/hosts/vidhar/network/default.nix
@@ -21,7 +21,7 @@
           { address = "10.141.1.1"; prefixLength = 24; }
         ];
       };
-      interfaces."dmz01" = {
+      interfaces."wifibh" = {
         ipv4.addresses = [
           { address = "10.141.2.1"; prefixLength = 24; }
         ];
@@ -32,11 +32,11 @@
           id = 2;
           interface = "eno2";
         };
-        lan = {
+        "eno2.lan" = {
           id = 3;
           interface = "eno2";
         };
-        dmz01 = {
+        wifibh = {
           id = 4;
           interface = "eno2";
         };
@@ -70,13 +70,6 @@
           option domain-name-servers 10.141.1.1;
           option broadcast-address 10.141.1.255;
         }
-
-        subnet 10.141.2.0 netmask 255.255.255.0 {
-          range 10.141.2.128 10.141.2.254;
-          option domain-name-servers 10.141.2.1;
-          option broadcast-address 10.141.2.255;
-          option routers 10.141.2.1;
-        }
       '';
       machines = [
         {
@@ -96,10 +89,56 @@
         }
       ];
     };
-    systemd.network.networks = {
-      "eno2" = {
-        matchConfig.Name = "eno2";
-        networkConfig.LinkLocalAddressing = "no";
+    systemd.network = {
+      netdevs = {
+        "wifibh01" = {
+          netdevConfig = {
+            Name = "wifibh01";
+            Kind = "gretap";
+          };
+          tunnelConfig = {
+            Local = "10.141.2.1";
+            Remote = "10.141.2.2";
+          };
+        };
+        "wifibh01.lan" = {
+          netdevConfig = {
+            Name = "wifibh01.lan";
+            Kind = "vlan";
+          };
+          vlanConfig = {
+            VLAN = "2";
+          };
+        };
+        lan = {
+          netdevConfig = {
+            Name = "lan";
+            Kind = "bridge";
+          };
+        };
+      };
+
+      networks = {
+        "eno2" = {
+          matchConfig.Name = "eno2";
+          networkConfig.LinkLocalAddressing = "no";
+        };
+        "wifibh01.lan" = {
+          matchConfig.Name = "wifibh01.lan";
+          networkConfig.Bridge = "lan";
+          bridgeConfig = {
+            HairPin = true;
+            Cost = "10";
+          };
+        };
+        "40-eno2.lan" = {
+          matchConfig.Name = "eno2.lan";
+          networkConfig.Bridge = "lan";
+          bridgeConfig = {
+            HairPin = false;
+            Cost = "1";
+          };
+        };
       };
     };
   };
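Review bot: The new `wifibh01.lan` VLAN netdev is never attached to a parent link: systemd-networkd creates a VLAN on a link only when that link's .network unit lists it under `VLAN=`, and this hunk adds no .network matching `wifibh01`, so unless one exists outside the hunk the VLAN (and with it the bridge port) will not come up. Add one next to the others, e.g. `"wifibh01" = { matchConfig.Name = "wifibh01"; networkConfig = { VLAN = "wifibh01.lan"; LinkLocalAddressing = "no"; }; };`. The `lan` bridge netdev likewise gets no .network here; since `lan` was a `networking.vlans` entry before this commit and is now a bridge, it is worth confirming which mechanism owns its address (the `10.141.1.1` interface block earlier in this file is presumably still scripted). `Cost=` on the two ports only has effect if STP is enabled on the bridge (`bridgeConfig.STP = true` on the `lan` netdev); without it an accidental second path between the wifi side and VLAN 3 loops. Naming is also inconsistent: `wifibh01.lan` lacks the `40-` prefix its sibling `40-eno2.lan` carries.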
diff --git a/hosts/vidhar/network/dsl.nix b/hosts/vidhar/network/dsl.nix
index ae2caec2..9c9a57b8 100644
--- a/hosts/vidhar/network/dsl.nix
+++ b/hosts/vidhar/network/dsl.nix
@@ -95,13 +95,6 @@ in {
             rdnss = [{ servers = ["::"]; }];
             dnssl = [{ domain_names = ["yggdrasil"]; }];
           }
-          { name = "dmz01";
-            advertise = true;
-            verbose = true;
-            prefix = [{ prefix = "::/64"; }];
-            route = [{ prefix = "::/0"; }];
-            rdnss = [{ servers = ["::"]; }];
-          }
         ];
 
         debug = {
@@ -121,11 +114,6 @@ in {
               interface = "lan";
               network = "::/0";
             };
-            dmz01 = {
-              method = "iface";
-              interface = "dmz01";
-              network = "::/0";
-            };
           };
         };
       };
@@ -168,7 +156,7 @@ in {
       '';
 
       postStop = ''
-        for dev in lan dmz01; do
+        for dev in lan; do
           ${pkgs.iproute2}/bin/ip -6 a show dev "''${dev}" scope global | ${pkgs.gnugrep}/bin/grep inet6 | ${pkgs.gawk}/bin/awk '{ print $2; }' | ${pkgs.findutils}/bin/xargs -I '{}' -- ${pkgs.iproute2}/bin/ip addr del '{}' dev "''${dev}"
         done
       '';
@@ -193,7 +181,6 @@ in {
           iaid 1195061668
           ipv6rs                 # enable routing solicitation for WAN adapter
           ia_pd 1 lan/0/64/0     # request a PD and assign it to the LAN
-          ia_pd 1 dmz01/1/64/0   # request a PD and assign it to dmz01
 
           reboot 0
 
diff --git a/hosts/vidhar/network/ruleset.nft b/hosts/vidhar/network/ruleset.nft
index fb04e449..c4c2fbe6 100644
--- a/hosts/vidhar/network/ruleset.nft
+++ b/hosts/vidhar/network/ruleset.nft
@@ -80,6 +80,7 @@ table inet filter {
   counter dns-rx {}
   counter wg-rx {}
   counter yggdrasil-gre-rx {}
+  counter wifibh-gre-rx {}
   counter ipv6-pd-rx {}
   counter ntp-rx {}
   counter dhcp-rx {}
@@ -106,6 +107,7 @@ table inet filter {
   counter dns-tx {}
   counter wg-tx {}
   counter yggdrasil-gre-tx {}
+  counter wifibh-gre-tx {}
   counter ipv6-pd-tx {}
   counter ntp-tx {}
   counter dhcp-tx {}
@@ -136,8 +138,7 @@ table inet filter {
     oifname {lan, dsl} meta l4proto $icmp_protos jump forward_icmp_accept
 
     iifname lan oifname dsl counter name fw-lan accept
-    iifname dsl oifname { lan, dmz01 } ct state {established, related} counter name fw-dsl accept
-
+    iifname dsl oifname lan ct state {established, related} counter name fw-dsl accept
 
 
     limit name lim_reject log level debug prefix "drop forward: " counter name reject-ratelimit-fw drop
@@ -165,18 +166,19 @@ table inet filter {
     iifname { lan, mgmt, dsl, yggdrasil } tcp dport 22 counter name ssh-rx accept
     iifname { lan, mgmt, dsl, yggdrasil } udp dport 60001-61000 counter name mosh-rx accept
 
-    iifname { lan, mgmt, dmz01 } tcp dport 53 counter name dns-rx accept
-    iifname { lan, mgmt, dmz01 } udp dport 53 counter name dns-rx accept
+    iifname { lan, mgmt } tcp dport 53 counter name dns-rx accept
+    iifname { lan, mgmt } udp dport 53 counter name dns-rx accept
 
     iifname { lan, mgmt, dsl } meta protocol ip udp dport 51820 counter name wg-rx accept
     iifname { lan, mgmt, dsl } meta protocol ip6 udp dport 51821 counter name wg-rx accept
     iifname "yggdrasil-wg-*" meta l4proto gre counter name yggdrasil-gre-rx accept
+    iifname wifibh meta l4proto gre counter name wifibh-gre-rx accept
 
     iifname dsl meta protocol ip6 udp dport 546 udp sport 547 counter name ipv6-pd-rx accept
 
     iifname mgmt udp dport 123 counter name ntp-rx accept
 
-    iifname { lan, mgmt, dmz01 } udp dport 67 counter name dhcp-rx accept
+    iifname { lan, mgmt } udp dport 67 counter name dhcp-rx accept
 
     iifname lan udp dport { 137, 138, 3702 } counter name samba-rx accept
     iifname lan tcp dport { 445, 139, 5357 } counter name samba-rx accept
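Review bot: The new GRE accept `iifname wifibh meta l4proto gre counter name wifibh-gre-rx accept` admits GRE from any source on VLAN 4, and GRE carries no authentication, so any host able to put frames on that VLAN (or spoof 10.141.2.2 from it) can inject arbitrary Ethernet frames straight into the `lan` bridge through the gretap decapsulation. Pin it to the configured tunnel endpoints, which this commit makes static by dropping the 10.141.2.0/24 DHCP pool: `iifname wifibh ip saddr 10.141.2.2 ip daddr 10.141.2.1 meta l4proto gre counter name wifibh-gre-rx accept`. This also keeps the `inet` rule from matching IPv6-encapsulated GRE, which the gretap netdev is not configured for. A host already on the backhaul VLAN can still spoof at L3, so the trust assumption about VLAN 4 should be stated in a comment next to the rule; a GRE `Key=` on the tunnel is not authentication either.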
@@ -215,6 +217,7 @@ table inet filter {
     meta protocol ip udp sport 51820 counter name wg-tx
     meta protocol ip6 udp sport 51821 counter name wg-tx
     iifname "yggdrasil-wg-*" meta l4proto gre counter name yggdrasil-gre-tx
+    iifname wifibh meta l4proto gre counter name wifibh-gre-tx
 
     meta protocol ip6 udp sport 546 udp dport 547 counter name ipv6-pd-tx
 
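Review bot: `iifname wifibh meta l4proto gre counter name wifibh-gre-tx` follows the existing yggdrasil line, but if this is the output hook (the chain header is outside the hunk) locally generated packets have no input interface, so `iifname` never matches and the counter stays at zero. For a tx counter the match should be on the egress device: `oifname wifibh meta l4proto gre counter name wifibh-gre-tx`. If this chain is not the output hook, disregard; either way the same question applies to the yggdrasil line it copies.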
@@ -235,6 +238,23 @@ table inet filter {
   }
 }
 
+table bridge filter {
+  counter br-invalid-fw {}
+  counter br-wifibh-fw {}
+  counter br-lan-fw {}
+
+  chain forward {
+    type filter hook forward priority filter
+    policy drop
+
+
+    ct state invalid log level debug prefix "drop invalid forward: " counter name invalid-fw drop
+
+    iifname "wifibh01.lan" counter name wifibh-fw accept
+    iifname "eno2.lan" counter name lan-fw accept
+  }
+}
+
 table ip nat {
   counter dsl-nat {}
 
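Review bot: The three `counter name` references in the new bridge `forward` chain do not match the counters the table declares — the rules use `invalid-fw`, `wifibh-fw` and `lan-fw` while the table defines `br-invalid-fw`, `br-wifibh-fw` and `br-lan-fw` — and nft rejects a rule that names an undefined counter, so the whole ruleset load fails atomically rather than just this table. Use the declared names: `ct state invalid log level debug prefix "drop invalid forward: " counter name br-invalid-fw drop`, `iifname "wifibh01.lan" counter name br-wifibh-fw accept`, `iifname "eno2.lan" counter name br-lan-fw accept`. `ct state` in the bridge family depends on bridge conntrack (nf_conntrack_bridge) being available on this kernel; confirm it is, otherwise that match may simply never hit. As written the chain then accepts every frame from either port, so the GRE-delivered wifi side is fully trusted at layer 2 (ARP, DHCP and RA included); if that is intended, a one-line comment saying so would spare the next reader the question.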