IPv6 NAT. It Works.

This commit is contained in:
asonix 2024-07-04 12:33:29 -05:00
parent 899cc36c8b
commit 8b65f498aa


@ -33,32 +33,6 @@ in
systemd.network = { systemd.network = {
wait-online.anyInterface = true; wait-online.anyInterface = true;
netdevs = { netdevs = {
# Attempted hack for more ipv6 prefixes
# I got the prefixes but networkd wasn't smart enough to use them
# "00-vrrp-1" = {
# netdevConfig = {
# Name = "vrrp-1";
# Kind = "macvlan";
# MACAddress = "00:00:5e:00:01:05";
# };
# macvlanConfig.Mode = "bridge";
# };
# "00-vrrp-2" = {
# netdevConfig = {
# Name = "vrrp-2";
# Kind = "macvlan";
# MACAddress = "00:00:5e:00:02:05";
# };
# macvlanConfig.Mode = "bridge";
# };
# "00-vrrp-3" = {
# netdevConfig = {
# Name = "vrrp-3";
# Kind = "macvlan";
# MACAddress = "00:00:5e:00:03:05";
# };
# macvlanConfig.Mode = "bridge";
# };
"10-${devices}" = { "10-${devices}" = {
netdevConfig = { netdevConfig = {
Name = devices; Name = devices;
@ -81,20 +55,6 @@ in
}; };
}; };
networks = { networks = {
# "05-vrrp" = {
# matchConfig.Name = "vrrp-*";
# linkConfig.RequiredForOnline = "routable";
# networkConfig = {
# DHCP = "ipv6";
# IPv6AcceptRA = true;
# DNSOverTLS = true;
# DNSSEC = true;
# IPv6PrivacyExtensions = true;
# IPForward = true;
# LinkLocalAddressing = "ipv6";
# };
# dhcpV6Config.PrefixDelegationHint = "::/64";
# };
"06-${wan}" = { "06-${wan}" = {
matchConfig.Name = wan; matchConfig.Name = wan;
linkConfig.RequiredForOnline = "routable"; linkConfig.RequiredForOnline = "routable";
@ -106,7 +66,6 @@ in
IPv6PrivacyExtensions = true; IPv6PrivacyExtensions = true;
IPForward = true; IPForward = true;
LinkLocalAddressing = "ipv6"; LinkLocalAddressing = "ipv6";
# MACVLAN = [ "vrrp-1" "vrrp-2" "vrrp-3" ];
}; };
}; };
"30-${lan}" = { "30-${lan}" = {
@ -123,12 +82,10 @@ in
bridgeConfig = { }; bridgeConfig = { };
address = [ address = [
"192.168.20.1/24" "192.168.20.1/24"
"2001:db8:20::1/64"
]; ];
networkConfig = { networkConfig = {
ConfigureWithoutCarrier = true; ConfigureWithoutCarrier = true;
IPv6SendRA = true;
DHCPPrefixDelegation = true;
LinkLocalAddressing = "ipv6";
}; };
linkConfig.RequiredForOnline = "no"; linkConfig.RequiredForOnline = "no";
}; };
@ -139,6 +96,7 @@ in
}; };
address = [ address = [
"192.168.30.1/24" "192.168.30.1/24"
"2001:db8:30::1/64"
]; ];
networkConfig = { }; networkConfig = { };
linkConfig.RequiredForOnline = "routable"; linkConfig.RequiredForOnline = "routable";
@ -150,6 +108,7 @@ in
}; };
address = [ address = [
"192.168.40.1/24" "192.168.40.1/24"
"2001:db8:40::1/64"
]; ];
networkConfig = { }; networkConfig = { };
linkConfig.RequiredForOnline = "routable"; linkConfig.RequiredForOnline = "routable";
@ -185,11 +144,6 @@ in
define DRAWPILE_TCP_PORT=27750 define DRAWPILE_TCP_PORT=27750
table inet filter { table inet filter {
set hosted_services_tcp {
type inet_service; flags interval;
elements = { 22, $FORGEJO_SSH_PORT, 80, 443, $DRAWPILE_TCP_PORT }
}
set internal_access_tcp { set internal_access_tcp {
type inet_service; flags interval; type inet_service; flags interval;
elements = { 22, 3128 } elements = { 22, 3128 }
@ -227,7 +181,9 @@ in
} }
chain bridge_in { chain bridge_in {
tcp dport @hosted_services_tcp ct state new accept comment "Allow bridge access to router services" ip daddr $HTTP_HOST tcp dport { 80, 443 } ct state new accept comment "Allow HTTP/S to http host"
ip daddr $FORGEJO_HOST tcp dport $FORGEJO_SSH_PORT ct state new accept comment "Allow ssh to forgejo"
ip daddr $DRAWPILE_HOST tcp dport $DRAWPILE_TCP_PORT ct state new accept comment "Allow drawpile traffic to drawpile"
} }
chain bridge_out { chain bridge_out {
accept accept
@ -320,6 +276,18 @@ in
oifname $BRIDGE masquerade oifname $BRIDGE masquerade
} }
} }
table ip6 nat {
chain prerouting {
type nat hook prerouting priority -100; policy accept;
}
chain postrouting {
type nat hook postrouting priority 100; policy accept;
oifname $WAN masquerade
oifname $BRIDGE masquerade
}
}
''; '';
}; };
}; };
@ -337,30 +305,36 @@ in
no-resolv = true; no-resolv = true;
# dhcpv6 stuff # dhcpv6 stuff
# enable-ra = true; enable-ra = true;
# dhcp-authoritative = true; dhcp-authoritative = true;
# strict-order = true; strict-order = true;
cache-size = 1000; cache-size = 1000;
dhcp-range = [ dhcp-range = [
# format TAG,START,END,?MASK,?options,LEASE # format TAG,START,END,?MASK,?options,LEASE
"${bridge},192.168.20.50,192.168.20.90,24h" "${bridge},192.168.20.50,192.168.20.90,24h"
"${bridge},2001:db8:20::50,2001:db8:20::ffff:ffff:ffff:ffff,24h"
"${devices},192.168.30.10,192.168.30.240,24h" "${devices},192.168.30.10,192.168.30.240,24h"
"${devices},2001:db8:30::10,2001:db8:30::ffff:ffff:ffff:ffff,24h"
"${wifi},192.168.40.10,192.168.40.240,24h" "${wifi},192.168.40.10,192.168.40.240,24h"
"${wifi},2001:db8:40::10,2001:db8:40::ffff:ffff:ffff:ffff,24h"
]; ];
interface = [ bridge devices wifi ]; interface = [ bridge devices wifi ];
dhcp-option = [ dhcp-option = [
"${bridge},option:router,192.168.20.1" "${bridge},option:router,192.168.20.1"
"${bridge},option:dns-server,192.168.20.1" "${bridge},option:dns-server,192.168.20.1"
"${bridge},option6:dns-server,2001:db8:20::1"
"${devices},option:router,192.168.30.1" "${devices},option:router,192.168.30.1"
"${devices},option:dns-server,192.168.30.1" "${devices},option:dns-server,192.168.30.1"
"${devices},option6:dns-server,2001:db8:30::1"
"${wifi},option:router,192.168.40.1" "${wifi},option:router,192.168.40.1"
"${wifi},option:dns-server,192.168.40.1" "${wifi},option:dns-server,192.168.40.1"
"${wifi},option6:dns-server,2001:db8:40::1"
]; ];
local = "/lan/"; local = "/lan/";
@ -370,6 +344,7 @@ in
no-hosts = true; no-hosts = true;
address = [ address = [
"/router.lan/192.168.20.1" "/router.lan/192.168.20.1"
"/router.lan/2001:db8:20::1"
]; ];
}; };
}; };
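Review bot: The rewritten `bridge_in` rules in the `@ -227,7 +181,9` hunk match on `ip daddr` only, while the same commit hands the bridge a global-scope IPv6 address (`2001:db8:20::1/64`) plus RA/DHCPv6 via dnsmasq, so IPv6 connections from the bridge toward those hosts hit none of the three new accept rules and fall through to whatever `bridge_in`'s policy is — that policy and the rest of `table inet filter` are outside the hunk, so whether this is a silent deny or a silent allow cannot be confirmed here. Either add matching `ip6 daddr <HOST_V6> tcp dport { 80, 443 } ct state new accept` rules (placeholder address) or note in the chain that IPv6 is intentionally unmatched, e.g. `# IPv6 from the bridge is deliberately not matched here; it relies on the chain policy`. Separately, `2001:db8::/32` is the RFC 3849 documentation prefix; if these are the real addresses rather than values redacted for publication, the conventional choice for NAT66'd internal space is a ULA prefix from `fd00::/8`, which also makes the masquerade-only exposure explicit rather than accidental. The new `table ip6 nat` postrouting `oifname $BRIDGE masquerade` mirrors the IPv4 line above it, but it means per-host source addresses are lost on anything forwarded into the bridge, which is worth a one-line comment since it affects IPv6 logging and any source-based filter rules later.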