From e33047f2732a48ee2049ab92b53e0f3c730f7524 Mon Sep 17 00:00:00 2001
From: asonix
Date: Tue, 2 Jul 2024 19:12:41 -0500
Subject: [PATCH] router: Make vlans work

---
 modules/router/default.nix | 42 +++++++++++++++++++++++---------------
 1 file changed, 25 insertions(+), 17 deletions(-)

diff --git a/modules/router/default.nix b/modules/router/default.nix
index 4718115..ef53739 100644
--- a/modules/router/default.nix
+++ b/modules/router/default.nix
@@ -1,6 +1,6 @@
 { hostName }:
-{ ... }:
+{ pkgs, ... }:
 let
 wan = "end0";
@@ -20,6 +20,10 @@ in
 };
 };
+ environment.systemPackages = with pkgs; [
+ arp-scan
+ ];
+
 systemd.network = {
 wait-online.anyInterface = true;
 netdevs = {
@@ -63,6 +67,7 @@ in
 networkConfig = {
 Bridge = bridge;
 ConfigureWithoutCarrier = true;
+ VLAN = [ devices wifi ];
 };
 };
 "40-${bridge}" = {
@@ -73,7 +78,6 @@ in
 ];
 networkConfig = {
 ConfigureWithoutCarrier = true;
- VLAN = [ devices wifi ];
 };
 linkConfig.RequiredForOnline = "no";
 };
@@ -122,7 +126,8 @@ in
 type filter hook input priority 0; policy drop;
 iifname $BRIDGE accept comment "Allow local network to access the router"
- iifname $WAN ct state { established, related } accept comment "Allow established traffic"
+ iifname { $DEVICES, $WIFI } udp dport { 53, 67, 68 } accept comment "DHCP & DNS for vlans"
+ iifname { $WAN, $DEVICES, $WIFI } ct state { established, related } accept comment "Allow established traffic"
 iifname $WAN icmp type { echo-request, destination-unreachable, time-exceeded } counter accept comment "icmp stuff"
 iifname { $WAN, $WIFI } tcp dport 3128 accept comment "Allow SSH in"
 iifname $WAN counter drop comment "Drop all other traffic from wan"
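Review bot: `arp-scan` in `environment.systemPackages` is a diagnostic tool with no bearing on the VLAN fix the subject line describes, so on a router image it reads as a debugging leftover. If it is meant to stay, a comment above the list such as `# arp-scan: troubleshooting which hosts answer on each VLAN` keeps the next reader from removing it; otherwise drop it before merging. The enclosing module attribute set starts and ends outside the hunk.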
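Review bot: The `VLAN = [ devices wifi ];` line is moved onto the network whose `networkConfig` also carries `Bridge = bridge;` (presumably the physical port enslaved to the bridge) and removed from the `40-${bridge}` network in the next hunk, but nothing in the file records why the earlier placement did not work. A comment on the new line would preserve that, e.g. `# VLAN sub-interfaces hang off the enslaved port, not the bridge; the port presumably carries the tagged VLANs alongside the untagged LAN`. The network definition this line sits in starts outside the hunk, so the interface it matches is not visible here.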
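Review bot: The new `udp dport { 53, 67, 68 }` rule for `$DEVICES` and `$WIFI` admits DNS over UDP only; a dnsmasq answer too large for a UDP datagram comes back truncated and the client retries over TCP, which nothing in this chain accepts (policy is drop and established/related does not cover a new TCP connection), so unless a rule below the hunk does so add `iifname { $DEVICES, $WIFI } tcp dport 53 accept comment "DNS over TCP for vlans"`. Port 68 is the client-side DHCP port and the server the router runs listens on 67, so 68 looks unnecessary here, though harmless. Hosts on the two VLANs also get no ICMP to the router, unlike `$WAN` two lines below; if echo-request and destination-unreachable from them are meant to be dropped, a comment saying so would mark that as a decision rather than an omission. The input chain's closing brace and the rest of the table are outside the hunk.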
@@ -133,6 +138,8 @@ in
 iifname $BRIDGE oifname $BRIDGE accept comment "Allow forwarding internal traffic"
 iifname { $WAN, $WIFI } oifname $BRIDGE tcp dport { 22, 80, 443, 27750 } accept comment "Allow forwarding external traffic to services"
+ iifname $BRIDGE oifname $WIFI ct state { established, related } accept comment "Allow established traffic"
+ iifname $WIFI oifname $BRIDGE ct state { established, related } accept comment "Allow established traffic"
 iifname { $BRIDGE, $DEVICES, $WIFI } oifname $WAN accept comment "Allow trusted LAN to WAN"
 iifname $WAN oifname { $BRIDGE, $DEVICES, $WIFI } ct state { established, related } accept comment "Allow established traffic"
 }
@@ -172,25 +179,26 @@ in
 cache-size = 1000;
 dhcp-range = [
- "set:${bridge},192.168.20.50,192.168.20.90,24h"
- "set:${devices},192.168.30.10,192.168.30.240,24h"
- "set:${wifi},192.168.40.10,192.168.40.240,24h"
+ # format TAG,START,END,MASK,LEASE
+ "${bridge},192.168.20.50,192.168.20.90,255.255.255.0,24h"
+ "${devices},192.168.30.10,192.168.30.240,255.255.255.0,24h"
+ "${wifi},192.168.40.10,192.168.40.240,255.255.255.0,24h"
 ];
 interface = [ bridge devices wifi ];
- dhcp-host = [
- "192.168.20.1,set:${bridge}"
- "192.168.30.1,set:${devices}"
- "192.168.40.1,set:${wifi}"
- ];
+ # dhcp-host = [
+ # "192.168.20.1,set:${bridge}"
+ # "192.168.30.1,set:${devices}"
+ # "192.168.40.1,set:${wifi}"
+ # ];
 dhcp-option = [
- "tag:${bridge},option:router,192.168.20.1"
- "tag:${bridge},option:dns-server,192.168.20.1"
+ "${bridge},option:router,192.168.20.1"
+ "${bridge},option:dns-server,192.168.20.1"
- "tag:${devices},option:router,192.168.30.1"
- "tag:${devices},option:dns-server,192.168.30.1"
+ "${devices},option:router,192.168.30.1"
+ "${devices},option:dns-server,192.168.30.1"
- "tag:${wifi},option:router,192.168.40.1"
- "tag:${wifi},option:dns-server,192.168.40.1"
+ "${wifi},option:router,192.168.40.1"
+ "${wifi},option:dns-server,192.168.40.1"
 ];
 local = "/lan/";
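Review bot: The two added `ct state { established, related }` rules reuse the comment of the `$WAN` rule below them, `"Allow established traffic"`, so counters and log lines from the three are indistinguishable; give each the flow it returns traffic for, e.g. `comment "Return traffic for wifi -> bridge services"`. The `iifname $WIFI oifname $BRIDGE` rule only matters for connections the bridge opened toward the wifi VLAN, and no rule in this hunk lets such connections start, so either it is dead or the allowing rule lives outside the hunk; a comment on it naming that rule would settle which. `$DEVICES` is left out of both new rules and of the `tcp dport { 22, 80, 443, 27750 }` rule, which reads as deliberate isolation of that VLAN from the bridge and deserves a one-line comment stating it. The forward chain's opening is outside the hunk.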
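Review bot: The `dhcp-host` block is commented out rather than removed, leaving five dead lines in committed configuration with no note on why; either delete them (history keeps the old form) or replace them with a one-line reason. The leading field of each `dhcp-range` and `dhcp-option` entry is now a bare tag name, where dnsmasq documents `set:<tag>` for a range and `tag:<tag>` for an option and appears to accept the bare form only through its older syntax handling, so keeping the prefixes would state the intent (set on the range, match on the option) explicitly. The `# format TAG,START,END,MASK,LEASE` comment would be more useful if it also said that the tag is what the `dhcp-option` entries below key on. The dnsmasq settings set continues on both sides of the hunk.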