asonix/sbc-deploys
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

router: Try enabling vlans

Browse source
This commit is contained in:
asonix 2024-07-02 17:38:29 -05:00
parent 47aaa70558
commit d1c67b9cad
2 changed files with 69 additions and 13 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

12
flake.lock
View file

@ -58,11 +58,11 @@
}, },
"nixpkgs": { "nixpkgs": {
"locked": { "locked": {
"lastModified": 1719506693, "lastModified": 1719848872,
"narHash": "sha256-C8e9S7RzshSdHB7L+v9I51af1gDM5unhJ2xO1ywxNH8=", "narHash": "sha256-H3+EC5cYuq+gQW8y0lSrrDZfH71LB4DAf+TDFyvwCNA=",
"owner": "NixOS", "owner": "NixOS",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "b2852eb9365c6de48ffb0dc2c9562591f652242a", "rev": "00d80d13810dbfea8ab4ed1009b09100cca86ba8",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -187,11 +187,11 @@
"nixpkgs-stable": "nixpkgs-stable" "nixpkgs-stable": "nixpkgs-stable"
}, },
"locked": { "locked": {
"lastModified": 1719716556, "lastModified": 1719873517,
"narHash": "sha256-KA9gy2Wkv76s4A8eLnOcdKVTygewbw3xsB8+awNMyqs=", "narHash": "sha256-D1dxZmXf6M2h5lNE1m6orojuUawVPjogbGRsqSBX+1g=",
"owner": "Mic92", "owner": "Mic92",
"repo": "sops-nix", "repo": "sops-nix",
"rev": "b5974d4331fb6c893e808977a2e1a6d34b3162d6", "rev": "a11224af8d824935f363928074b4717ca2e280db",
"type": "github" "type": "github"
}, },
"original": { "original": {

70
modules/router/default.nix
View file

@ -6,6 +6,8 @@ let
wan = "end0"; wan = "end0";
lan = "enp1s0"; lan = "enp1s0";
bridge = "br-lan"; bridge = "br-lan";
devices = "devices-vlan";
wifi = "wifi-vlan";
in in
{ {
boot.kernel = { boot.kernel = {
@ -21,6 +23,20 @@ in
systemd.network = { systemd.network = {
wait-online.anyInterface = true; wait-online.anyInterface = true;
netdevs = { netdevs = {
"00-${devices}" = {
netdevConfig = {
Name = devices;
Kind = "vlan";
};
vlanConfig.Id = 30;
};
"00-${wifi}" = {
netdevConfig = {
Name = wifi;
Kind = "vlan";
};
vlanConfig.Id = 40;
};
"20-${bridge}" = { "20-${bridge}" = {
netdevConfig = { netdevConfig = {
Kind = "bridge"; Kind = "bridge";
@ -57,9 +73,28 @@ in
]; ];
networkConfig = { networkConfig = {
ConfigureWithoutCarrier = true; ConfigureWithoutCarrier = true;
VLAN = [ devices wifi ];
}; };
linkConfig.RequiredForOnline = "no"; linkConfig.RequiredForOnline = "no";
}; };
"50-${devices}" = {
matchConfig = {
Name = devices;
Type = "vlan";
};
address = [
"192.168.30.1/24"
];
};
"50-${wifi}" = {
matchConfig = {
Name = wifi;
Type = "vlan";
};
address = [
"192.168.40.1/24"
];
};
}; };
}; };
@ -78,6 +113,8 @@ in
define WAN=${wan} define WAN=${wan}
define LAN=${lan} define LAN=${lan}
define BRIDGE=${bridge} define BRIDGE=${bridge}
define DEVICES=${devices}
define WIFI=${wifi}
table inet filter { table inet filter {
@ -87,7 +124,7 @@ in
iifname $BRIDGE accept comment "Allow local network to access the router" iifname $BRIDGE accept comment "Allow local network to access the router"
iifname $WAN ct state { established, related } accept comment "Allow established traffic" iifname $WAN ct state { established, related } accept comment "Allow established traffic"
iifname $WAN icmp type { echo-request, destination-unreachable, time-exceeded } counter accept comment "icmp stuff" iifname $WAN icmp type { echo-request, destination-unreachable, time-exceeded } counter accept comment "icmp stuff"
iifname $WAN tcp dport 3128 accept comment "Allow SSH in" iifname { $WAN, $WIFI } tcp dport 3128 accept comment "Allow SSH in"
iifname $WAN counter drop comment "Drop all other traffic from wan" iifname $WAN counter drop comment "Drop all other traffic from wan"
iifname "lo" accept comment "Accept everything from loopback" iifname "lo" accept comment "Accept everything from loopback"
} }
@ -95,9 +132,9 @@ in
type filter hook forward priority filter; policy drop; type filter hook forward priority filter; policy drop;
iifname $BRIDGE oifname $BRIDGE accept comment "Allow forwarding internal traffic" iifname $BRIDGE oifname $BRIDGE accept comment "Allow forwarding internal traffic"
iifname $WAN oifname $BRIDGE tcp dport { 22, 80, 443, 27750 } accept comment "Allow forwarding external traffic to services" iifname { $WAN, $WIFI } oifname $BRIDGE tcp dport { 22, 80, 443, 27750 } accept comment "Allow forwarding external traffic to services"
iifname $BRIDGE oifname $WAN accept comment "Allow trusted LAN to WAN" iifname { $BRIDGE, $DEVICES, $WIFI } oifname $WAN accept comment "Allow trusted LAN to WAN"
iifname $WAN oifname $BRIDGE ct state { established, related } accept comment "Allow established traffic" iifname $WAN oifname { $BRIDGE, $DEVICES, $WIFI } ct state { established, related } accept comment "Allow established traffic"
} }
} }
@ -113,6 +150,7 @@ in
type nat hook postrouting priority 100; policy accept; type nat hook postrouting priority 100; policy accept;
oifname $WAN masquerade oifname $WAN masquerade
iifname $BRIDGE oifname $BRIDGE masquerade iifname $BRIDGE oifname $BRIDGE masquerade
iifname $WIFI oifname $BRIDGE masquerade
} }
} }
''; '';
@ -133,9 +171,27 @@ in
cache-size = 1000; cache-size = 1000;
dhcp-range = [ "br-lan,192.168.20.50,192.168.20.90,24h" ]; dhcp-range = [
interface = "br-lan"; "set:${bridge},192.168.20.50,192.168.20.90,24h"
dhcp-host = "192.168.20.1"; "set:${devices},192.168.30.10,192.168.30.240,24h"
"set:${wifi},192.168.40.10,192.168.40.240,24h"
];
interface = [ bridge devices wifi ];
dhcp-host = [
"192.168.20.1,set:${bridge}"
"192.168.30.1,set:${devices}"
"192.168.40.1,set:${wifi}"
];
dhcp-option = [
"tag:${bridge},option:router,192.168.20.1"
"tag:${bridge},option:dns-server,192.168.20.1"
"tag:${devices},option:router,192.168.30.1"
"tag:${devices},option:dns-server,192.168.30.1"
"tag:${wifi},option:router,192.168.40.1"
"tag:${wifi},option:dns-server,192.168.40.1"
];
local = "/lan/"; local = "/lan/";
domain = "lan"; domain = "lan";