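# NixOS router module: WAN uplink via DHCP, LAN ports enslaved to the bridge
# br-lan, dnsmasq serving DHCP/DNS on the LAN, nftables doing filtering and
# masquerading in place of the NixOS firewall/NAT modules.
#
# `hostname` must be supplied through the module arguments (e.g. specialArgs);
# the original `{ ... }:` pattern left it unbound, which fails evaluation.
{ hostname, ... }:

let
  # Interface names used in several places. The nftables ruleset interpolates
  # these so the filter rules cannot drift from the networkd configuration
  # (the forward chain previously referred to a nonexistent interface "wan").
  wan = "enp1s0";
  lan = "br-lan";
  # Router address on the LAN. It must lie in the same subnet as dnsmasq's
  # dhcp-range below; the bridge previously carried 192.168.6.1/24 while
  # dnsmasq handed out 192.168.20.x, so clients could not obtain a lease.
  lanAddress = "192.168.20.1";
  lanPrefixLength = 24;
in
{
  boot.kernel.sysctl = {
    # IPv4 is routed between LAN and WAN; IPv6 is deliberately not forwarded.
    "net.ipv4.conf.all.forwarding" = true;
    "net.ipv6.conf.all.forwarding" = false;
    # Strict reverse-path filtering (RFC 3704) for newly created interfaces.
    "net.ipv4.conf.default.rp_filter" = 1;
    # NOTE(review): a dangling "net.ipv4.conf.enp1s0" entry without a value
    # (a Nix syntax error) was removed here; add a per-interface sysctl with
    # an explicit value if one was intended.
  };

  systemd.network = {
    # The boot does not have to wait for every interface, only for one.
    wait-online.anyInterface = true;

    netdevs."20-br-lan".netdevConfig = {
      Kind = "bridge";
      Name = lan;
    };

    networks = {
      # WAN uplink: DHCPv4 only. The glob is expected to match enp1s0, which
      # is the name the nftables ruleset uses.
      "10-wan" = {
        # `Name` is the systemd [Match] key; the lowercase `name` used before
        # is not a valid key and would have left this unit matching nothing.
        matchConfig.Name = "enp*"; # enp1s0
        linkConfig.RequiredForOnline = "routable";
        networkConfig = {
          DHCP = "ipv4";
          # These two only affect systemd-resolved's own lookups (if resolved
          # is enabled); LAN clients are served by dnsmasq, see below.
          DNSOverTLS = true;
          DNSSEC = true;
          IPv6PrivacyExtensions = false;
          # NOTE(review): newer systemd deprecates IPForward= in favour of
          # IPv4Forwarding= — confirm against the deployed systemd version.
          IPForward = true;
        };
      };

      # Physical LAN port(s), enslaved to the bridge.
      "30-lan" = {
        matchConfig.Name = "end*"; # end0
        linkConfig.RequiredForOnline = "enslaved";
        networkConfig = {
          Bridge = lan;
          ConfigureWithoutCarrier = true;
        };
      };

      # The bridge itself carries the router's LAN address.
      "40-br-lan" = {
        matchConfig.Name = lan;
        bridgeConfig = { };
        address = [ "${lanAddress}/${toString lanPrefixLength}" ];
        networkConfig.ConfigureWithoutCarrier = true;
      };
    };
  };

  networking = {
    hostName = hostname;
    useNetworkd = true;
    useDHCP = false;

    # NAT and filtering are expressed directly in the nftables ruleset below,
    # so the NixOS firewall and NAT modules are disabled to avoid two rule
    # sources managing the same hooks.
    nat.enable = false;
    firewall.enable = false;

    nftables = {
      enable = true;
      ruleset = ''
        table inet filter {
          chain input {
            type filter hook input priority 0; policy drop;

            iifname { "${lan}" } accept comment "Allow local network to access the router"
            iifname "${wan}" ct state { established, related } accept comment "Allow established traffic"
            iifname "${wan}" icmp type { echo-request, destination-unreachable, time-exceeded } counter accept comment "icmp stuff"
            iifname "${wan}" counter drop comment "Drop all other traffic from wan"
            iifname "lo" accept comment "Accept everything from loopback"
          }

          chain forward {
            type filter hook forward priority filter; policy drop;

            iifname { "${lan}" } oifname { "${wan}" } accept comment "Allow trusted LAN to WAN"
            # Replies to LAN-initiated flows. This rule used to match iifname
            # "wan", an interface that does not exist, so all return traffic
            # was dropped by the chain policy.
            iifname { "${wan}" } oifname { "${lan}" } ct state { established, related } accept comment "Allow established traffic"
          }
        }

        table ip nat {
          chain postrouting {
            type nat hook postrouting priority 100; policy accept;
            oifname "${wan}" masquerade
          }
        }
      '';
    };
  };

  services.dnsmasq = {
    enable = true;
    settings = {
      # Upstream resolvers. dnsmasq forwards over plain DNS (it has no DoT
      # support), so the DNSOverTLS setting on the WAN link does not cover LAN
      # clients' queries. 9.9.9.10 is Quad9's unfiltered endpoint: queries
      # sent there skip the blocklist and DNSSEC validation that 9.9.9.9
      # applies, so keep both only if that mix is intended.
      server = [ "9.9.9.9" "9.9.9.10" ];
      # Never forward names without a dot, nor reverse lookups of private
      # ranges, to the upstream resolvers.
      domain-needed = true;
      bogus-priv = true;
      # Ignore /etc/resolv.conf; only the servers listed above are used.
      no-resolv = true;

      cache-size = 1000;

      # DHCP pool on the LAN bridge; the range lies inside ${lanAddress}/${lanPrefixLength}.
      dhcp-range = [ "${lan},192.168.20.50,192.168.20.90,24h" ];
      # Queries arriving on other interfaces are discarded; WAN-side port 53
      # is additionally closed by the nftables input chain.
      interface = lan;
      # NOTE(review): a dhcp-host entry needs a MAC, client-id or hostname to
      # match a client; a bare address reserves nothing — confirm the intent.
      dhcp-host = lanAddress;

      # Names under .lan are resolved locally and never forwarded upstream.
      local = "/lan/";
      domain = "lan";
      expand-hosts = true;

      # Do not read /etc/hosts; the router's own name is answered explicitly.
      no-hosts = true;
      address = "/router.lan/${lanAddress}";
    };
  };
}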