diff --git a/modules/router/default.nix b/modules/router/default.nix
index f778837..56d2308 100644
--- a/modules/router/default.nix
+++ b/modules/router/default.nix
@@ -8,6 +8,7 @@ let
 bridge = "br-lan";
 devices = "devices-vlan";
 wifi = "wifi-vlan";
+ computer = "comptuer-vlan";
 wg0 = "wg0";
 in
 {
@@ -27,6 +28,7 @@ in
 "net.ipv6.conf.${bridge}.accept_ra" = 2;
 "net.ipv6.conf.${devices}.accept_ra" = 2;
 "net.ipv6.conf.${wifi}.accept_ra" = 2;
+ "net.ipv6.conf.${computer}.accept_ra" = 2;
 
 "net.ipv4.conf.all.forwarding" = true;
 "net.ipv4.conf.default.rp_filter" = 1;
@@ -34,6 +36,7 @@ in
 "net.ipv4.conf.${bridge}.rp_filter" = 0;
 "net.ipv4.conf.${devices}.rp_filter" = 0;
 "net.ipv4.conf.${wifi}.rp_filter" = 0;
+ "net.ipv4.conf.${computer}.rp_filter" = 0;
 };
 };
 
@@ -59,6 +62,13 @@ in
 };
 vlanConfig.Id = 40;
 };
+ "10-${computer}" = {
+ netdevConfig = {
+ Name = computer;
+ Kind = "vlan";
+ };
+ vlanConfig.Id = 50;
+ };
 "20-${bridge}" = {
 netdevConfig = {
 Kind = "bridge";
@@ -114,7 +124,7 @@ in
 networkConfig = {
 Bridge = bridge;
 ConfigureWithoutCarrier = true;
- VLAN = [ devices wifi ];
+ VLAN = [ devices wifi computer ];
 };
 };
 "40-${bridge}" = {
@@ -179,6 +189,27 @@ in
 };
 linkConfig.RequiredForOnline = "routable";
 };
+ "50-${computer}" = {
+ matchConfig = {
+ Name = computer;
+ Type = "vlan";
+ };
+ address = [
+ "192.168.50.1/24"
+ "2001:db8:50::1/64"
+ ];
+ networkConfig = {
+ IPv6SendRA = true;
+ };
+ ipv6Prefixes = [{
+ Prefix = "2001:db8:50::/64";
+ }];
+ ipv6SendRAConfig = {
+ EmitDNS = true;
+ DNS = "2001:db8:50::1";
+ };
+ linkConfig.RequiredForOnline = "routable";
+ };
 "60-${wg0}" = {
 matchConfig.Name = wg0;
 address = [ "192.168.5.1/24" "2001:db8:5::1/64" ];
@@ -207,6 +238,27 @@ in
 define DEVICES=${devices}
 define WIFI=${wifi}
+ define COMPUTER=${computer}
 define WG0=${wg0}
 
 define HTTP_HOST=192.168.20.200
@@ -277,6 +309,11 @@ in
 accept
 }
 
+ chain computer_in {}
+ chain computer_out {
+ accept
+ }
+
 chain wg_in {}
 chain wg_out {
 accept
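Review bot: The interface name in `computer = "comptuer-vlan";` is misspelled, and since every later hunk derives the netdev name, the nftables `$COMPUTER` define and the dnsmasq `interface=` entry from this one variable, the typo becomes the kernel interface name seen in `ip link`, logs and rulesets. Renaming a live netdev later is disruptive, so it is cheapest to fix before first deploy: `computer = "computer-vlan";`. The corrected name is 13 characters, within the kernel's 15-character interface-name limit.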
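Review bot: The new VLAN inherits `accept_ra = 2` here and `rp_filter = 0` in the next hunk (`net.ipv4.conf.${computer}.rp_filter`), which is the permissive end of both settings for a LAN-facing interface on which the router is itself the RA source: accept_ra=2 means the router honours router advertisements on that interface even with forwarding enabled, so a host on the segment can push a default route or prefix onto the router, and rp_filter=0 turns off reverse-path source validation for packets arriving from the segment. Unless asymmetric routing between segments is expected, `accept_ra = 0` and `rp_filter = 1` are the safer values for the computer VLAN. If the permissive values are deliberate, a comment such as `# accept_ra=2 / rp_filter=0 on LAN VLANs: <reason>` would keep the next reader from either copying or tightening them blindly; the sibling bridge/devices/wifi entries have the same values but predate this change.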
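Review bot: `50-${computer}` enables systemd-networkd router advertisements (`IPv6SendRA = true` with `ipv6SendRAConfig`) on the same interface that the dnsmasq hunk later configures with `ra-names`, which, if I read the dnsmasq manual right, also enables dnsmasq's own RA sending; hosts on the VLAN would then see RAs from two daemons on one link, and any disagreement in lifetimes, flags or the advertised resolver (`DNS = "2001:db8:50::1"` here versus `option6:dns-server` in dnsmasq) shows up as unstable client configuration. If this mirrors the existing wifi unit the overlap is pre-existing, but the new segment is the place to either drop one RA source or document the split with a comment above `networkConfig`, e.g. `# dnsmasq (ra-names) also advertises on this link; keep prefix/DNS consistent with dhcp-range/dhcp-option`.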
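Review bot: `chain computer_in {}` is empty, so input from the new segment is decided entirely by whatever follows the `iifname vmap` in the base input chain (outside this hunk), while the dnsmasq hunk expects the router to answer DHCP, DHCPv6 and DNS on this interface; the equally empty `wg_in` in the context suggests those services are accepted globally, but that cannot be confirmed from what is visible. A short comment naming where the segment's services are accepted, e.g. `# per-segment hook; DHCP/DNS/ICMPv6 for LAN segments are accepted after the vmap`, would settle it for the reader, or the accepts belong here if they are not global. `computer_out { accept }` gives the segment unrestricted forwarding, the same tier as the neighbouring segments in this hunk.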
@@ -295,6 +332,7 @@ in
 $BRIDGE : jump bridge_in,
 $DEVICES : jump devices_in,
 $WIFI : jump wifi_in,
+ $COMPUTER : jump computer_in,
 $WG0 : jump wg_in
 }
 
@@ -302,6 +340,7 @@ in
 $BRIDGE : jump bridge_out,
 $DEVICES : jump devices_out,
 $WIFI : jump wifi_out,
+ $COMPUTER : jump computer_out,
 $WG0 : jump wg_out
 }
 
@@ -321,6 +360,7 @@ in
 tcp dport @internal_access_tcp ct state new iifname vmap {
 $BRIDGE : accept,
 $WG0 : accept,
+ $COMPUTER : accept,
 $DEVICES : jump reject_politely,
 $WIFI : jump rate_limit,
 $WAN : jump rate_limit
@@ -429,8 +469,11 @@ in
 "${wifi},192.168.40.10,192.168.40.240,24h"
 "${wifi},::10,constructor:${wifi},ra-names,64,24h"
+
+ "${computer},192.168.50.10,192.168.50.240,24h"
+ "${computer},::10,constructor:${computer},ra-names,64,24h"
 ];
- interface = [ bridge devices wifi wg0 ];
+ interface = [ bridge devices wifi computer wg0 ];
 dhcp-option = [
 "${bridge},option:router,192.168.20.1"
 "${bridge},option:dns-server,192.168.20.1"
@@ -443,6 +486,10 @@ in
 "${wifi},option:router,192.168.40.1"
 "${wifi},option:dns-server,192.168.40.1"
 "${wifi},option6:dns-server,2001:db8:40::1"
+
+ "${computer},option:router,192.168.50.1"
+ "${computer},option:dns-server,192.168.50.1"
+ "${computer},option6:dns-server,2001:db8:50::1"
 ];
 local = "/lan/";
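Review bot: Placing `$COMPUTER : accept` beside `$BRIDGE` and `$WG0` puts the new segment in the fully trusted tier for `@internal_access_tcp` (no rate limit, unlike `$WIFI`, and no reject, unlike `$DEVICES`), a trust decision the hunk leaves undocumented. A one-line comment on the map entry, e.g. `# computer VLAN: trusted like the wired bridge; full internal access, no rate limit`, records it; if the segment will also carry devices that should not be trusted, `$COMPUTER : jump rate_limit` would match the wifi treatment instead. The enclosing chain starts and ends outside the hunk.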