Be more specific with internal postrouting, add extra dns resolvers

2024-07-09 18:20:53 -05:00 · 2024-07-09 18:20:53 -05:00 · b5a418308e
commit b5a418308e
parent 4cc1bf3945
1 changed files with 23 additions and 6 deletions
--- a/modules/router/default.nix
+++ b/modules/router/default.nix
@ -356,7 +356,9 @@ in
          chain postrouting {
            type nat hook postrouting priority 100; policy accept;
            oifname $WAN masquerade
-            iifname { $WAN, $BRIDGE, $DEVICES, $WIFI } oifname $BRIDGE masquerade
+            iifname $BRIDGE oifname $BRIDGE ip daddr $HTTP_HOST tcp dport { 80, 443 } masquerade
            iifname $BRIDGE oifname $BRIDGE ip daddr $FORGEJO_HOST tcp dport $FORGEJO_SSH_PORT masquerade
            iifname $BRIDGE oifname $BRIDGE ip daddr $DRAWPILE_HOST tcp dport $DRAWPILE_TCP_PORT masquerade
          }
        }
@ -371,7 +373,9 @@ in
          chain postrouting {
            type nat hook postrouting priority 100; policy accept;
            oifname $WAN masquerade
-            iifname { $WAN, $BRIDGE, $DEVICES, $WIFI } oifname $BRIDGE masquerade
+            iifname $BRIDGE oifname $BRIDGE ip6 daddr $HTTP_HOST_V6 tcp dport { 80, 443 } masquerade
            iifname $BRIDGE oifname $BRIDGE ip6 daddr $FORGEJO_HOST_V6 tcp dport $FORGEJO_SSH_PORT masquerade
            iifname $BRIDGE oifname $BRIDGE ip6 daddr $DRAWPILE_HOST_V6 tcp dport $DRAWPILE_TCP_PORT masquerade
          }
        }
      '';
@ -386,10 +390,23 @@ in
    enable = true;
    settings = {
      server = [
-        "9.9.9.9"
+        # OpenDNS
-        "9.9.9.10"
+        "208.67.222.222"
-        "2620:fe::fe"
+        "208.67.220.220"
-        "2620:fe::9"
+        "2620:119:53::35"
        "2620:119:53::53"
        # Quad9
        "9.9.9.11"
        "149.112.112.11"
        "2620:fe::11"
        "2620:fe::fe:11"
        # Cloudflare
        "1.1.1.1"
        "1.0.0.1"
        "2606:4700:4700::1111"
        "2606:4700:4700::1001"
      ];
      domain-needed = true;
      bogus-priv = true;