From ac71bc3f6216a247615ce36c6eddf25365b00a76 Mon Sep 17 00:00:00 2001
From: Gregor Kleen
Date: Thu, 13 Jan 2022 23:16:21 +0100
Subject: vidhar: ...
---
 hosts/vidhar/network/default.nix | 67 +++++++++++++++++++++++++++++++---------
 hosts/vidhar/network/dsl.nix | 15 +--------
 hosts/vidhar/network/ruleset.nft | 30 +++++++++++++++---
 3 files changed, 79 insertions(+), 33 deletions(-)
(limited to 'hosts')
diff --git a/hosts/vidhar/network/default.nix b/hosts/vidhar/network/default.nix
index 81dac652..e3d7dd14 100644
--- a/hosts/vidhar/network/default.nix
+++ b/hosts/vidhar/network/default.nix
@@ -21,7 +21,7 @@
 { address = "10.141.1.1"; prefixLength = 24; }
 ];
 };
- interfaces."dmz01" = {
+ interfaces."wifibh" = {
 ipv4.addresses = [
 { address = "10.141.2.1"; prefixLength = 24; }
 ];
@@ -32,11 +32,11 @@
 id = 2;
 interface = "eno2";
 };
- lan = {
+ "eno2.lan" = {
 id = 3;
 interface = "eno2";
 };
- dmz01 = {
+ wifibh = {
 id = 4;
 interface = "eno2";
 };
@@ -70,13 +70,6 @@
 option domain-name-servers 10.141.1.1;
 option broadcast-address 10.141.1.255;
 }
-
- subnet 10.141.2.0 netmask 255.255.255.0 {
- range 10.141.2.128 10.141.2.254;
- option domain-name-servers 10.141.2.1;
- option broadcast-address 10.141.2.255;
- option routers 10.141.2.1;
- }
 '';
 machines = [
 {
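Review bot: The VLAN block in the `@@ -32` hunk now carries three ids (2, 3 as `"eno2.lan"`, 4 as `wifibh`) with nothing saying what each one transports, and the new keys mix a quoted name with a bare one. A one-line comment per entry would make the topology readable without opening the other files, e.g. `# VLAN 3: wired LAN port, bridged into the lan bridge` above `"eno2.lan" = {` and `# VLAN 4: transport for the wifibh01 gretap endpoint (10.141.2.1)` above `wifibh = {` (both facts come from the systemd.network hunk further down in this file). In the `@@ -70` hunk the DHCP pool for 10.141.2.0/24 is dropped while `interfaces."wifibh"` keeps 10.141.2.1/24, so that segment now appears to be static-only; noting that next to the address would stop a later reader from re-adding a pool. The enclosing `networking` attribute set begins before and ends after these hunks.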
@@ -96,10 +89,56 @@
 }
 ];
 };
- systemd.network.networks = {
- "eno2" = {
- matchConfig.Name = "eno2";
- networkConfig.LinkLocalAddressing = "no";
+ systemd.network = {
+ netdevs = {
+ "wifibh01" = {
+ netdevConfig = {
+ Name = "wifibh01";
+ Kind = "gretap";
+ };
+ tunnelConfig = {
+ Local = "10.141.2.1";
+ Remote = "10.141.2.2";
+ };
+ };
+ "wifibh01.lan" = {
+ netdevConfig = {
+ Name = "wifibh01.lan";
+ Kind = "vlan";
+ };
+ vlanConfig = {
+ VLAN = "2";
+ };
+ };
+ lan = {
+ netdevConfig = {
+ Name = "lan";
+ Kind = "bridge";
+ };
+ };
+ };
+
+ networks = {
+ "eno2" = {
+ matchConfig.Name = "eno2";
+ networkConfig.LinkLocalAddressing = "no";
+ };
+ "wifibh01.lan" = {
+ matchConfig.Name = "wifibh01.lan";
+ networkConfig.Bridge = "lan";
+ bridgeConfig = {
+ HairPin = true;
+ Cost = "10";
+ };
+ };
+ "40-eno2.lan" = {
+ matchConfig.Name = "eno2.lan";
+ networkConfig.Bridge = "lan";
+ bridgeConfig = {
+ HairPin = false;
+ Cost = "1";
+ };
+ };
 };
 };
 };
diff --git a/hosts/vidhar/network/dsl.nix b/hosts/vidhar/network/dsl.nix
index ae2caec2..9c9a57b8 100644
--- a/hosts/vidhar/network/dsl.nix
+++ b/hosts/vidhar/network/dsl.nix
@@ -95,13 +95,6 @@ in {
 rdnss = [{ servers = ["::"]; }];
 dnssl = [{ domain_names = ["yggdrasil"]; }];
 }
- { name = "dmz01";
- advertise = true;
- verbose = true;
- prefix = [{ prefix = "::/64"; }];
- route = [{ prefix = "::/0"; }];
- rdnss = [{ servers = ["::"]; }];
- }
 ];
 debug = {
@@ -121,11 +114,6 @@ in {
 interface = "lan";
 network = "::/0";
 };
- dmz01 = {
- method = "iface";
- interface = "dmz01";
- network = "::/0";
- };
 };
 };
 };
@@ -168,7 +156,7 @@ in {
 '';
 postStop = ''
- for dev in lan dmz01; do
+ for dev in lan; do
 ${pkgs.iproute2}/bin/ip -6 a show dev "''${dev}" scope global | ${pkgs.gnugrep}/bin/grep inet6 | ${pkgs.gawk}/bin/awk '{ print $2; }' | ${pkgs.findutils}/bin/xargs -I '{}' -- ${pkgs.iproute2}/bin/ip addr del '{}' dev "''${dev}"
 done
 '';
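Review bot: The two bridge-port networks in the `@@ -96` hunk are named inconsistently — `"40-eno2.lan"` carries an ordering prefix while `"wifibh01.lan"` and `"eno2"` do not — and numeric settings are written as quoted strings next to a bare boolean (`Cost = "10";` and `VLAN = "2";` beside `HairPin = true;`). Picking one convention, e.g. `"40-wifibh01.lan"` with `Cost = 10;`, keeps the unit ordering and the value types obvious to the next reader. The `wifibh01` gretap has only `Local`/`Remote` in its `tunnelConfig` and carries VLAN 2 of the `lan` bridge across 10.141.2.0/24 unauthenticated, so a comment above `"wifibh01" = {` such as `# unauthenticated L2 backhaul to 10.141.2.2; the GRE accept rule in ruleset.nft is what gates frames entering lan` would record where that trust boundary actually lives. The surrounding module attribute set continues outside this hunk.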
@@ -193,7 +181,6 @@ in {
 iaid 1195061668
 ipv6rs # enable routing solicitation for WAN adapter
 ia_pd 1 lan/0/64/0 # request a PD and assign it to the LAN
- ia_pd 1 dmz01/1/64/0 # request a PD and assign it to dmz01
 reboot 0
diff --git a/hosts/vidhar/network/ruleset.nft b/hosts/vidhar/network/ruleset.nft
index fb04e449..c4c2fbe6 100644
--- a/hosts/vidhar/network/ruleset.nft
+++ b/hosts/vidhar/network/ruleset.nft
@@ -80,6 +80,7 @@ table inet filter {
 counter dns-rx {}
 counter wg-rx {}
 counter yggdrasil-gre-rx {}
+ counter wifibh-gre-rx {}
 counter ipv6-pd-rx {}
 counter ntp-rx {}
 counter dhcp-rx {}
@@ -106,6 +107,7 @@ table inet filter {
 counter dns-tx {}
 counter wg-tx {}
 counter yggdrasil-gre-tx {}
+ counter wifibh-gre-tx {}
 counter ipv6-pd-tx {}
 counter ntp-tx {}
 counter dhcp-tx {}
@@ -136,8 +138,7 @@ table inet filter {
 oifname {lan, dsl} meta l4proto $icmp_protos jump forward_icmp_accept
 iifname lan oifname dsl counter name fw-lan accept
- iifname dsl oifname { lan, dmz01 } ct state {established, related} counter name fw-dsl accept
-
+ iifname dsl oifname lan ct state {established, related} counter name fw-dsl accept
 limit name lim_reject log level debug prefix "drop forward: " counter name reject-ratelimit-fw drop
@@ -165,18 +166,19 @@ table inet filter {
 iifname { lan, mgmt, dsl, yggdrasil } tcp dport 22 counter name ssh-rx accept
 iifname { lan, mgmt, dsl, yggdrasil } udp dport 60001-61000 counter name mosh-rx accept
- iifname { lan, mgmt, dmz01 } tcp dport 53 counter name dns-rx accept
- iifname { lan, mgmt, dmz01 } udp dport 53 counter name dns-rx accept
+ iifname { lan, mgmt } tcp dport 53 counter name dns-rx accept
+ iifname { lan, mgmt } udp dport 53 counter name dns-rx accept
 iifname { lan, mgmt, dsl } meta protocol ip udp dport 51820 counter name wg-rx accept
 iifname { lan, mgmt, dsl } meta protocol ip6 udp dport 51821 counter name wg-rx accept
 iifname "yggdrasil-wg-*" meta l4proto gre counter name yggdrasil-gre-rx accept
+ iifname wifibh meta l4proto gre counter name wifibh-gre-rx accept
 iifname dsl meta protocol ip6 udp dport 546 udp sport 547 counter name ipv6-pd-rx accept
 iifname mgmt udp dport 123 counter name ntp-rx accept
- iifname { lan, mgmt, dmz01 } udp dport 67 counter name dhcp-rx accept
+ iifname { lan, mgmt } udp dport 67 counter name dhcp-rx accept
 iifname lan udp dport { 137, 138, 3702 } counter name samba-rx accept
 iifname lan tcp dport { 445, 139, 5357 } counter name samba-rx accept
@@ -215,6 +217,7 @@ table inet filter {
 meta protocol ip udp sport 51820 counter name wg-tx
 meta protocol ip6 udp sport 51821 counter name wg-tx
 iifname "yggdrasil-wg-*" meta l4proto gre counter name yggdrasil-gre-tx
+ iifname wifibh meta l4proto gre counter name wifibh-gre-tx
 meta protocol ip6 udp sport 546 udp dport 547 counter name ipv6-pd-tx
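Review bot: The added input rule in the `@@ -165` hunk, `iifname wifibh meta l4proto gre counter name wifibh-gre-rx accept`, admits GRE from any address on the wifibh VLAN, while the tunnel it feeds is configured for exactly one peer (`Local = "10.141.2.1"`, `Remote = "10.141.2.2"` in default.nix) and gretap carries no authentication of its own, so the source address is the only thing tying an encapsulated LAN frame to that peer. Pinning the rule to the configured endpoints makes the firewall say the same thing as the netdev and keeps stray GRE on that segment from reaching the tunnel code at all: `iifname wifibh ip saddr 10.141.2.2 ip daddr 10.141.2.1 meta l4proto gre counter name wifibh-gre-rx accept`. The matching output rule in the `@@ -215` hunk could carry `ip daddr 10.141.2.2` for the same reason, so the tx counter only reflects tunnel traffic. Both the input and the output chain start and end outside these hunks.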
@@ -235,6 +238,23 @@ table inet filter {
 }
 }
+table bridge filter {
+ counter br-invalid-fw {}
+ counter br-wifibh-fw {}
+ counter br-lan-fw {}
+
+ chain forward {
+ type filter hook forward priority filter
+ policy drop
+
+
+ ct state invalid log level debug prefix "drop invalid forward: " counter name invalid-fw drop
+
+ iifname "wifibh01.lan" counter name wifibh-fw accept
+ iifname "eno2.lan" counter name lan-fw accept
+ }
+}
+
 table ip nat {
 counter dsl-nat {}
-- 
cgit v1.2.3
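Review bot: The three rules in the new `table bridge filter` reference counters that this table does not declare — `counter name invalid-fw`, `counter name wifibh-fw` and `counter name lan-fw` — while the declarations just above them are `br-invalid-fw`, `br-wifibh-fw` and `br-lan-fw`; nft resolves named counters within the table the rule lives in, so loading this ruleset should fail at the first of those rules, and depending on how the file is applied that can leave the host with no filtering at all rather than a partial one. The fix is the three references: `ct state invalid log level debug prefix "drop invalid forward: " counter name br-invalid-fw drop`, `iifname "wifibh01.lan" counter name br-wifibh-fw accept`, `iifname "eno2.lan" counter name br-lan-fw accept`. The `ct state invalid` match in the bridge family presumably relies on bridge conntrack support being available on the host, which nothing in this commit shows, so a one-line comment on `chain forward` naming that dependency would help whoever next changes the kernel config. `table inet filter` closes within this hunk; `table ip nat` continues past it.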