IPv6 NAT. It Works.
This commit is contained in:
parent
899cc36c8b
commit
8b65f498aa
1 changed files with 28 additions and 53 deletions
|
@ -33,32 +33,6 @@ in
|
|||
systemd.network = {
|
||||
wait-online.anyInterface = true;
|
||||
netdevs = {
|
||||
# Attempted hack for more ipv6 prefixes
|
||||
# I got the prefixes but networkd wasn't smart enough to use them
|
||||
# "00-vrrp-1" = {
|
||||
# netdevConfig = {
|
||||
# Name = "vrrp-1";
|
||||
# Kind = "macvlan";
|
||||
# MACAddress = "00:00:5e:00:01:05";
|
||||
# };
|
||||
# macvlanConfig.Mode = "bridge";
|
||||
# };
|
||||
# "00-vrrp-2" = {
|
||||
# netdevConfig = {
|
||||
# Name = "vrrp-2";
|
||||
# Kind = "macvlan";
|
||||
# MACAddress = "00:00:5e:00:02:05";
|
||||
# };
|
||||
# macvlanConfig.Mode = "bridge";
|
||||
# };
|
||||
# "00-vrrp-3" = {
|
||||
# netdevConfig = {
|
||||
# Name = "vrrp-3";
|
||||
# Kind = "macvlan";
|
||||
# MACAddress = "00:00:5e:00:03:05";
|
||||
# };
|
||||
# macvlanConfig.Mode = "bridge";
|
||||
# };
|
||||
"10-${devices}" = {
|
||||
netdevConfig = {
|
||||
Name = devices;
|
||||
|
@ -81,20 +55,6 @@ in
|
|||
};
|
||||
};
|
||||
networks = {
|
||||
# "05-vrrp" = {
|
||||
# matchConfig.Name = "vrrp-*";
|
||||
# linkConfig.RequiredForOnline = "routable";
|
||||
# networkConfig = {
|
||||
# DHCP = "ipv6";
|
||||
# IPv6AcceptRA = true;
|
||||
# DNSOverTLS = true;
|
||||
# DNSSEC = true;
|
||||
# IPv6PrivacyExtensions = true;
|
||||
# IPForward = true;
|
||||
# LinkLocalAddressing = "ipv6";
|
||||
# };
|
||||
# dhcpV6Config.PrefixDelegationHint = "::/64";
|
||||
# };
|
||||
"06-${wan}" = {
|
||||
matchConfig.Name = wan;
|
||||
linkConfig.RequiredForOnline = "routable";
|
||||
|
@ -106,7 +66,6 @@ in
|
|||
IPv6PrivacyExtensions = true;
|
||||
IPForward = true;
|
||||
LinkLocalAddressing = "ipv6";
|
||||
# MACVLAN = [ "vrrp-1" "vrrp-2" "vrrp-3" ];
|
||||
};
|
||||
};
|
||||
"30-${lan}" = {
|
||||
|
@ -123,12 +82,10 @@ in
|
|||
bridgeConfig = { };
|
||||
address = [
|
||||
"192.168.20.1/24"
|
||||
"2001:db8:20::1/64"
|
||||
];
|
||||
networkConfig = {
|
||||
ConfigureWithoutCarrier = true;
|
||||
IPv6SendRA = true;
|
||||
DHCPPrefixDelegation = true;
|
||||
LinkLocalAddressing = "ipv6";
|
||||
};
|
||||
linkConfig.RequiredForOnline = "no";
|
||||
};
|
||||
|
@ -139,6 +96,7 @@ in
|
|||
};
|
||||
address = [
|
||||
"192.168.30.1/24"
|
||||
"2001:db8:30::1/64"
|
||||
];
|
||||
networkConfig = { };
|
||||
linkConfig.RequiredForOnline = "routable";
|
||||
|
@ -150,6 +108,7 @@ in
|
|||
};
|
||||
address = [
|
||||
"192.168.40.1/24"
|
||||
"2001:db8:40::1/64"
|
||||
];
|
||||
networkConfig = { };
|
||||
linkConfig.RequiredForOnline = "routable";
|
||||
|
@ -185,11 +144,6 @@ in
|
|||
define DRAWPILE_TCP_PORT=27750
|
||||
|
||||
table inet filter {
|
||||
set hosted_services_tcp {
|
||||
type inet_service; flags interval;
|
||||
elements = { 22, $FORGEJO_SSH_PORT, 80, 443, $DRAWPILE_TCP_PORT }
|
||||
}
|
||||
|
||||
set internal_access_tcp {
|
||||
type inet_service; flags interval;
|
||||
elements = { 22, 3128 }
|
||||
|
@ -227,7 +181,9 @@ in
|
|||
}
|
||||
|
||||
chain bridge_in {
|
||||
tcp dport @hosted_services_tcp ct state new accept comment "Allow bridge access to router services"
|
||||
ip daddr $HTTP_HOST tcp dport { 80, 443 } ct state new accept comment "Allow HTTP/S to http host"
|
||||
ip daddr $FORGEJO_HOST tcp dport $FORGEJO_SSH_PORT ct state new accept comment "Allow ssh to forgejo"
|
||||
ip daddr $DRAWPILE_HOST tcp dport $DRAWPILE_TCP_PORT ct state new accept comment "Allow drawpile traffic to drawpile"
|
||||
}
|
||||
chain bridge_out {
|
||||
accept
|
||||
|
@ -320,6 +276,18 @@ in
|
|||
oifname $BRIDGE masquerade
|
||||
}
|
||||
}
|
||||
|
||||
table ip6 nat {
|
||||
chain prerouting {
|
||||
type nat hook prerouting priority -100; policy accept;
|
||||
}
|
||||
|
||||
chain postrouting {
|
||||
type nat hook postrouting priority 100; policy accept;
|
||||
oifname $WAN masquerade
|
||||
oifname $BRIDGE masquerade
|
||||
}
|
||||
}
|
||||
'';
|
||||
};
|
||||
};
|
||||
|
@ -337,30 +305,36 @@ in
|
|||
no-resolv = true;
|
||||
|
||||
# dhcpv6 stuff
|
||||
# enable-ra = true;
|
||||
# dhcp-authoritative = true;
|
||||
# strict-order = true;
|
||||
enable-ra = true;
|
||||
dhcp-authoritative = true;
|
||||
strict-order = true;
|
||||
|
||||
cache-size = 1000;
|
||||
|
||||
dhcp-range = [
|
||||
# format TAG,START,END,?MASK,?options,LEASE
|
||||
"${bridge},192.168.20.50,192.168.20.90,24h"
|
||||
"${bridge},2001:db8:20::50,2001:db8:20::ffff:ffff:ffff:ffff,24h"
|
||||
|
||||
"${devices},192.168.30.10,192.168.30.240,24h"
|
||||
"${devices},2001:db8:30::10,2001:db8:30::ffff:ffff:ffff:ffff,24h"
|
||||
|
||||
"${wifi},192.168.40.10,192.168.40.240,24h"
|
||||
"${wifi},2001:db8:40::10,2001:db8:40::ffff:ffff:ffff:ffff,24h"
|
||||
];
|
||||
interface = [ bridge devices wifi ];
|
||||
dhcp-option = [
|
||||
"${bridge},option:router,192.168.20.1"
|
||||
"${bridge},option:dns-server,192.168.20.1"
|
||||
"${bridge},option6:dns-server,2001:db8:20::1"
|
||||
|
||||
"${devices},option:router,192.168.30.1"
|
||||
"${devices},option:dns-server,192.168.30.1"
|
||||
"${devices},option6:dns-server,2001:db8:30::1"
|
||||
|
||||
"${wifi},option:router,192.168.40.1"
|
||||
"${wifi},option:dns-server,192.168.40.1"
|
||||
"${wifi},option6:dns-server,2001:db8:40::1"
|
||||
];
|
||||
|
||||
local = "/lan/";
|
||||
|
@ -370,6 +344,7 @@ in
|
|||
no-hosts = true;
|
||||
address = [
|
||||
"/router.lan/192.168.20.1"
|
||||
"/router.lan/2001:db8:20::1"
|
||||
];
|
||||
};
|
||||
};
|
||||
|
|
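Review bot: The new `table ip6 nat` postrouting chain masquerades on `$BRIDGE` as well as `$WAN` (`oifname $BRIDGE masquerade`), so IPv6 connections forwarded into the bridge arrive at the hosts there with the router's address as source, which defeats per-client logging, source-based rate limiting and any source-address policy on those hosts; if the goal is only WAN egress NAT, `oifname $WAN masquerade` alone is sufficient. The added `prerouting` chain carries `policy accept` and no rules, so it does nothing yet; a comment such as `# placeholder for future DNAT rules` would make that intent explicit. The `2001:db8:` prefixes used for the LAN addresses and the dnsmasq `dhcp-range` entries are the RFC 3849 documentation prefix, which is not routable on the public Internet; if these are not redacted for publication, a ULA prefix (fd00::/8) is the conventional choice for NAT66 internal addressing. The enclosing nftables ruleset string and the dnsmasq settings block both start and end outside the visible hunks.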