From 8b65f498aae33066be7c36c805514726884ba2fb Mon Sep 17 00:00:00 2001
From: asonix
Date: Thu, 4 Jul 2024 12:33:29 -0500
Subject: [PATCH] IPv6 NAT. It Works.
---
 modules/router/default.nix | 81 +++++++++++++------------------------
 1 file changed, 28 insertions(+), 53 deletions(-)
diff --git a/modules/router/default.nix b/modules/router/default.nix
index cbcd846..9fe4302 100644
--- a/modules/router/default.nix
+++ b/modules/router/default.nix
@@ -33,32 +33,6 @@ in
 systemd.network = {
 wait-online.anyInterface = true;
 netdevs = {
- # Attempted hack for more ipv6 prefixes
- # I got the prefixes but networkd wasn't smart enough to use them
- # "00-vrrp-1" = {
- # netdevConfig = {
- # Name = "vrrp-1";
- # Kind = "macvlan";
- # MACAddress = "00:00:5e:00:01:05";
- # };
- # macvlanConfig.Mode = "bridge";
- # };
- # "00-vrrp-2" = {
- # netdevConfig = {
- # Name = "vrrp-2";
- # Kind = "macvlan";
- # MACAddress = "00:00:5e:00:02:05";
- # };
- # macvlanConfig.Mode = "bridge";
- # };
- # "00-vrrp-3" = {
- # netdevConfig = {
- # Name = "vrrp-3";
- # Kind = "macvlan";
- # MACAddress = "00:00:5e:00:03:05";
- # };
- # macvlanConfig.Mode = "bridge";
- # };
 "10-${devices}" = {
 netdevConfig = {
 Name = devices;
@@ -81,20 +55,6 @@ in
 };
 };
 networks = {
- # "05-vrrp" = {
- # matchConfig.Name = "vrrp-*";
- # linkConfig.RequiredForOnline = "routable";
- # networkConfig = {
- # DHCP = "ipv6";
- # IPv6AcceptRA = true;
- # DNSOverTLS = true;
- # DNSSEC = true;
- # IPv6PrivacyExtensions = true;
- # IPForward = true;
- # LinkLocalAddressing = "ipv6";
- # };
- # dhcpV6Config.PrefixDelegationHint = "::/64";
- # };
 "06-${wan}" = {
 matchConfig.Name = wan;
 linkConfig.RequiredForOnline = "routable";
@@ -106,7 +66,6 @@ in
 IPv6PrivacyExtensions = true;
 IPForward = true;
 LinkLocalAddressing = "ipv6";
- # MACVLAN = [ "vrrp-1" "vrrp-2" "vrrp-3" ];
 };
 };
 "30-${lan}" = {
@@ -123,12 +82,10 @@ in
 bridgeConfig = { };
 address = [
 "192.168.20.1/24"
+ "2001:db8:20::1/64"
 ];
 networkConfig = {
 ConfigureWithoutCarrier = true;
- IPv6SendRA = true;
- DHCPPrefixDelegation = true;
- LinkLocalAddressing = "ipv6";
 };
 linkConfig.RequiredForOnline = "no";
 };
@@ -139,6 +96,7 @@ in
 };
 address = [
 "192.168.30.1/24"
+ "2001:db8:30::1/64"
 ];
 networkConfig = { };
 linkConfig.RequiredForOnline = "routable";
@@ -150,6 +108,7 @@ in
 };
 address = [
 "192.168.40.1/24"
+ "2001:db8:40::1/64"
 ];
 networkConfig = { };
 linkConfig.RequiredForOnline = "routable";
@@ -185,11 +144,6 @@ in
 define DRAWPILE_TCP_PORT=27750
 table inet filter {
- set hosted_services_tcp {
- type inet_service; flags interval;
- elements = { 22, $FORGEJO_SSH_PORT, 80, 443, $DRAWPILE_TCP_PORT }
- }
-
 set internal_access_tcp {
 type inet_service; flags interval;
 elements = { 22, 3128 }
@@ -227,7 +181,9 @@ in
 }
 chain bridge_in {
- tcp dport @hosted_services_tcp ct state new accept comment "Allow bridge access to router services"
+ ip daddr $HTTP_HOST tcp dport { 80, 443 } ct state new accept comment "Allow HTTP/S to http host"
+ ip daddr $FORGEJO_HOST tcp dport $FORGEJO_SSH_PORT ct state new accept comment "Allow ssh to forgejo"
+ ip daddr $DRAWPILE_HOST tcp dport $DRAWPILE_TCP_PORT ct state new accept comment "Allow drawpile traffic to drawpile"
 }
 chain bridge_out {
 accept
@@ -320,6 +276,18 @@ in
 oifname $BRIDGE masquerade
 }
 }
+
+ table ip6 nat {
+ chain prerouting {
+ type nat hook prerouting priority -100; policy accept;
+ }
+
+ chain postrouting {
+ type nat hook postrouting priority 100; policy accept;
+ oifname $WAN masquerade
+ oifname $BRIDGE masquerade
+ }
+ }
 '';
 };
 };
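Review bot: The new bridge address `"2001:db8:20::1/64"` (and `2001:db8:30::1/64`, `2001:db8:40::1/64` in the next two hunks, plus the matching dnsmasq ranges and options later in this patch) is taken from 2001:db8::/32, which is the documentation prefix reserved by RFC 3849 and is not routable on the Internet; it presumably only works because every outbound flow is masqueraded on $WAN by the new `table ip6 nat`. If a permanently NATed internal network is the intent, a randomly generated ULA prefix under fd00::/8 is the conventional choice and avoids colliding with documentation examples or any prefix the ISP later delegates; if this is a placeholder, a comment above the address list saying so, e.g. `# 2001:db8::/32 is the documentation prefix; swap for a ULA before relying on it`, would keep it from being copied as-is. Dropping `IPv6SendRA`/`DHCPPrefixDelegation` here while turning on `enable-ra` in dnsmasq moves RA duty to dnsmasq; that is consistent, but a one-line comment on the bridge network noting that dnsmasq now sends the RAs would save the next reader a search. The enclosing `"30-${lan}"` attribute set starts outside the hunk.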
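Review bot: The three replacement rules in `chain bridge_in` match `ip daddr` only, so now that the bridge, devices and wifi networks carry IPv6 addresses, the same services reached over IPv6 fall through to whatever the chain's policy is, which sits outside the hunk. If the hosted services are meant to be reachable over v6 as well, each rule needs an `ip6 daddr` twin against the hosts' v6 addresses; if v4-only is deliberate, a comment such as `# hosted services are reachable over IPv4 only; v6 falls through to chain policy` records that. Note also that the removed `hosted_services_tcp` set included port 22 and none of the new rules do, so SSH from the bridge to the router is no longer accepted by this chain unless another chain covers it — worth stating in the commit message if intended. `$HTTP_HOST`, `$FORGEJO_HOST` and `$DRAWPILE_HOST` are assumed to be defined earlier in the ruleset, which is not visible here.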
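Review bot: The new `table ip6 nat` only rewrites source addresses; which IPv6 flows may be forwarded at all — including whether traffic arriving on $WAN addressed to 2001:db8:20::/64 and the other internal /64s is dropped — is decided by the forward chain of `table inet filter`, which this patch does not change, so it is worth confirming that chain already applies its per-interface rules to v6 (an `inet` table does, but only if the rules are not written with `ip` matches). `IPForward = true` on $WAN means the kernel will route toward those prefixes if the filter allows it, and masquerade does nothing to stop inbound routing, so that check is the security-relevant one here. The `oifname $BRIDGE masquerade` line mirrors the IPv4 table; if it exists for hairpin access to hosted services, a comment saying so, e.g. `# hairpin: rewrite source for LAN clients reaching hosted services via the router`, would help in both tables — TODO confirm the purpose.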
@@ -337,30 +305,36 @@ in
 no-resolv = true;
 # dhcpv6 stuff
- # enable-ra = true;
- # dhcp-authoritative = true;
- # strict-order = true;
+ enable-ra = true;
+ dhcp-authoritative = true;
+ strict-order = true;
 cache-size = 1000;
 dhcp-range = [
 # format TAG,START,END,?MASK,?options,LEASE
 "${bridge},192.168.20.50,192.168.20.90,24h"
+ "${bridge},2001:db8:20::50,2001:db8:20::ffff:ffff:ffff:ffff,24h"
 "${devices},192.168.30.10,192.168.30.240,24h"
+ "${devices},2001:db8:30::10,2001:db8:30::ffff:ffff:ffff:ffff,24h"
 "${wifi},192.168.40.10,192.168.40.240,24h"
+ "${wifi},2001:db8:40::10,2001:db8:40::ffff:ffff:ffff:ffff,24h"
 ];
 interface = [ bridge devices wifi ];
 dhcp-option = [
 "${bridge},option:router,192.168.20.1"
 "${bridge},option:dns-server,192.168.20.1"
+ "${bridge},option6:dns-server,2001:db8:20::1"
 "${devices},option:router,192.168.30.1"
 "${devices},option:dns-server,192.168.30.1"
+ "${devices},option6:dns-server,2001:db8:30::1"
 "${wifi},option:router,192.168.40.1"
 "${wifi},option:dns-server,192.168.40.1"
+ "${wifi},option6:dns-server,2001:db8:40::1"
 ];
 local = "/lan/";
@@ -370,6 +344,7 @@ in
 no-hosts = true;
 address = [
 "/router.lan/192.168.20.1"
+ "/router.lan/2001:db8:20::1"
 ];
 };
 };
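Review bot: The comment `# dhcpv6 stuff` now heads three options that are live rather than commented out, and two of them are not DHCPv6-specific: `dhcp-authoritative = true` makes dnsmasq answer authoritatively for every range in this file, including the IPv4 ones, and `strict-order = true` changes the order in which upstream resolvers are tried. Splitting the comment, e.g. `# enable-ra: dnsmasq sends the RAs for the v6 ranges below` above the first line and `# dhcp-authoritative / strict-order affect all DHCP ranges and upstream lookup order, not just v6` above the other two, would stop a later reader from toggling them back as a "v6 only" change. Separately, the new v6 `dhcp-range` entries specify no `slaac`/`ra-names` mode, so the RAs dnsmasq emits would presumably advertise stateful address assignment only, and clients without a DHCPv6 client would get no address from these prefixes — worth confirming that is acceptable for the wifi range in particular. The enclosing dnsmasq settings attribute set starts before and ends after this hunk.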