IPv6 NAT. It Works.

2024-07-04 12:33:29 -05:00 · 2024-07-04 12:33:29 -05:00 · 8b65f498aa
commit 8b65f498aa
parent 899cc36c8b
1 changed files with 28 additions and 53 deletions
--- a/modules/router/default.nix
+++ b/modules/router/default.nix
@ -33,32 +33,6 @@ in
  systemd.network = {
    wait-online.anyInterface = true;
    netdevs = {
-      # Attempted hack for more ipv6 prefixes
-      # I got the prefixes but networkd wasn't smart enough to use them
-      # "00-vrrp-1" = {
-      #   netdevConfig = {
-      #     Name = "vrrp-1";
-      #     Kind = "macvlan";
-      #     MACAddress = "00:00:5e:00:01:05";
-      #   };
-      #   macvlanConfig.Mode = "bridge";
-      # };
-      # "00-vrrp-2" = {
-      #   netdevConfig = {
-      #     Name = "vrrp-2";
-      #     Kind = "macvlan";
-      #     MACAddress = "00:00:5e:00:02:05";
-      #   };
-      #   macvlanConfig.Mode = "bridge";
-      # };
-      # "00-vrrp-3" = {
-      #   netdevConfig = {
-      #     Name = "vrrp-3";
-      #     Kind = "macvlan";
-      #     MACAddress = "00:00:5e:00:03:05";
-      #   };
-      #   macvlanConfig.Mode = "bridge";
-      # };
      "10-${devices}" = {
        netdevConfig = {
          Name = devices;
@ -81,20 +55,6 @@ in
      };
    };
    networks = {
-      # "05-vrrp" = {
-      #   matchConfig.Name = "vrrp-*";
-      #   linkConfig.RequiredForOnline = "routable";
-      #   networkConfig = {
-      #     DHCP = "ipv6";
-      #     IPv6AcceptRA = true;
-      #     DNSOverTLS = true;
-      #     DNSSEC = true;
-      #     IPv6PrivacyExtensions = true;
-      #     IPForward = true;
-      #     LinkLocalAddressing = "ipv6";
-      #   };
-      #   dhcpV6Config.PrefixDelegationHint = "::/64";
-      # };
      "06-${wan}" = {
        matchConfig.Name = wan;
        linkConfig.RequiredForOnline = "routable";
@ -106,7 +66,6 @@ in
          IPv6PrivacyExtensions = true;
          IPForward = true;
          LinkLocalAddressing = "ipv6";
-          # MACVLAN = [ "vrrp-1" "vrrp-2" "vrrp-3" ];
        };
      };
      "30-${lan}" = {
@ -123,12 +82,10 @@ in
        bridgeConfig = { };
        address = [
          "192.168.20.1/24"
+          "2001:db8:20::1/64"
        ];
        networkConfig = {
          ConfigureWithoutCarrier = true;
-          IPv6SendRA = true;
-          DHCPPrefixDelegation = true;
-          LinkLocalAddressing = "ipv6";
        };
        linkConfig.RequiredForOnline = "no";
      };
@ -139,6 +96,7 @@ in
        };
        address = [
          "192.168.30.1/24"
+          "2001:db8:30::1/64"
        ];
        networkConfig = { };
        linkConfig.RequiredForOnline = "routable";
@ -150,6 +108,7 @@ in
        };
        address = [
          "192.168.40.1/24"
+          "2001:db8:40::1/64"
        ];
        networkConfig = { };
        linkConfig.RequiredForOnline = "routable";
@ -185,11 +144,6 @@ in
        define DRAWPILE_TCP_PORT=27750

        table inet filter {
-          set hosted_services_tcp {
-            type inet_service; flags interval;
-            elements = { 22, $FORGEJO_SSH_PORT, 80, 443, $DRAWPILE_TCP_PORT }
-          }
-
          set internal_access_tcp {
            type inet_service; flags interval;
            elements = { 22, 3128 }
@ -227,7 +181,9 @@ in
          }

          chain bridge_in {
-            tcp dport @hosted_services_tcp ct state new accept comment "Allow bridge access to router services"
+            ip daddr $HTTP_HOST tcp dport { 80, 443 } ct state new accept comment "Allow HTTP/S to http host"
+            ip daddr $FORGEJO_HOST tcp dport $FORGEJO_SSH_PORT ct state new accept comment "Allow ssh to forgejo"
+            ip daddr $DRAWPILE_HOST tcp dport $DRAWPILE_TCP_PORT ct state new accept comment "Allow drawpile traffic to drawpile"
          }
          chain bridge_out {
            accept
@ -320,6 +276,18 @@ in
            oifname $BRIDGE masquerade
          }
        }
+
+        table ip6 nat {
+          chain prerouting {
+            type nat hook prerouting priority -100; policy accept;
+          }
+
+          chain postrouting {
+            type nat hook postrouting priority 100; policy accept;
+            oifname $WAN masquerade
+            oifname $BRIDGE masquerade
+          }
+        }
      '';
    };
  };
@ -337,30 +305,36 @@ in
      no-resolv = true;

      # dhcpv6 stuff
-      # enable-ra = true;
-      # dhcp-authoritative = true;
-      # strict-order = true;
+      enable-ra = true;
+      dhcp-authoritative = true;
+      strict-order = true;

      cache-size = 1000;

      dhcp-range = [
        # format TAG,START,END,?MASK,?options,LEASE
        "${bridge},192.168.20.50,192.168.20.90,24h"
+        "${bridge},2001:db8:20::50,2001:db8:20::ffff:ffff:ffff:ffff,24h"

        "${devices},192.168.30.10,192.168.30.240,24h"
+        "${devices},2001:db8:30::10,2001:db8:30::ffff:ffff:ffff:ffff,24h"

        "${wifi},192.168.40.10,192.168.40.240,24h"
+        "${wifi},2001:db8:40::10,2001:db8:40::ffff:ffff:ffff:ffff,24h"
      ];
      interface = [ bridge devices wifi ];
      dhcp-option = [
        "${bridge},option:router,192.168.20.1"
        "${bridge},option:dns-server,192.168.20.1"
+        "${bridge},option6:dns-server,2001:db8:20::1"

        "${devices},option:router,192.168.30.1"
        "${devices},option:dns-server,192.168.30.1"
+        "${devices},option6:dns-server,2001:db8:30::1"

        "${wifi},option:router,192.168.40.1"
        "${wifi},option:dns-server,192.168.40.1"
+        "${wifi},option6:dns-server,2001:db8:40::1"
      ];

      local = "/lan/";
@ -370,6 +344,7 @@ in
      no-hosts = true;
      address = [
        "/router.lan/192.168.20.1"
+        "/router.lan/2001:db8:20::1"
      ];
    };
  };