router: Make vlans work

modules/router/default.nix

@@ -1,6 +1,6 @@
 { hostName }:
 
-{ ... }:
+{ pkgs, ... }:
 
 let
   wan = "end0";
@@ -20,6 +20,10 @@ in
     };
   };
 
+  environment.systemPackages = with pkgs; [
+    arp-scan
+  ];
+
   systemd.network = {
     wait-online.anyInterface = true;
     netdevs = {
@@ -63,6 +67,7 @@ in
         networkConfig = {
           Bridge = bridge;
           ConfigureWithoutCarrier = true;
+          VLAN = [ devices wifi ];
         };
       };
       "40-${bridge}" = {
@@ -73,7 +78,6 @@ in
         ];
         networkConfig = {
           ConfigureWithoutCarrier = true;
-          VLAN = [ devices wifi ];
         };
         linkConfig.RequiredForOnline = "no";
       };
@@ -122,7 +126,8 @@ in
           type filter hook input priority 0; policy drop;
 
           iifname $BRIDGE accept comment "Allow local network to access the router"
-          iifname $WAN ct state { established, related } accept comment "Allow established traffic"
+          iifname { $DEVICES, $WIFI } udp dport { 53, 67, 68 } accept comment "DHCP & DNS for vlans"
+          iifname { $WAN, $DEVICES, $WIFI } ct state { established, related } accept comment "Allow established traffic"
           iifname $WAN icmp type { echo-request, destination-unreachable, time-exceeded } counter accept comment "icmp stuff"
           iifname { $WAN, $WIFI } tcp dport 3128 accept comment "Allow SSH in"
           iifname $WAN counter drop comment "Drop all other traffic from wan"
@@ -133,6 +138,8 @@ in
 
           iifname $BRIDGE oifname $BRIDGE accept comment "Allow forwarding internal traffic"
           iifname { $WAN, $WIFI } oifname $BRIDGE tcp dport { 22, 80, 443, 27750 } accept comment "Allow forwarding external traffic to services"
+          iifname $BRIDGE oifname $WIFI ct state { established, related } accept comment "Allow established traffic"
+          iifname $WIFI oifname $BRIDGE ct state { established, related } accept comment "Allow established traffic"
           iifname { $BRIDGE, $DEVICES, $WIFI } oifname $WAN accept comment "Allow trusted LAN to WAN"
           iifname $WAN oifname { $BRIDGE, $DEVICES, $WIFI } ct state { established, related } accept comment "Allow established traffic"
         }
@@ -172,25 +179,26 @@ in
       cache-size = 1000;
 
       dhcp-range = [
-        "set:${bridge},192.168.20.50,192.168.20.90,24h"
+        # format TAG,START,END,MASK,LEASE
-        "set:${devices},192.168.30.10,192.168.30.240,24h"
+        "${bridge},192.168.20.50,192.168.20.90,255.255.255.0,24h"
-        "set:${wifi},192.168.40.10,192.168.40.240,24h"
+        "${devices},192.168.30.10,192.168.30.240,255.255.255.0,24h"
+        "${wifi},192.168.40.10,192.168.40.240,255.255.255.0,24h"
       ];
       interface = [ bridge devices wifi ];
-      dhcp-host = [
+      # dhcp-host = [
-        "192.168.20.1,set:${bridge}"
+      #   "192.168.20.1,set:${bridge}"
-        "192.168.30.1,set:${devices}"
+      #   "192.168.30.1,set:${devices}"
-        "192.168.40.1,set:${wifi}"
+      #   "192.168.40.1,set:${wifi}"
-      ];
+      # ];
       dhcp-option = [
-        "tag:${bridge},option:router,192.168.20.1"
+        "${bridge},option:router,192.168.20.1"
-        "tag:${bridge},option:dns-server,192.168.20.1"
+        "${bridge},option:dns-server,192.168.20.1"
 
-        "tag:${devices},option:router,192.168.30.1"
+        "${devices},option:router,192.168.30.1"
-        "tag:${devices},option:dns-server,192.168.30.1"
+        "${devices},option:dns-server,192.168.30.1"
 
-        "tag:${wifi},option:router,192.168.40.1"
+        "${wifi},option:router,192.168.40.1"
-        "tag:${wifi},option:dns-server,192.168.40.1"
+        "${wifi},option:dns-server,192.168.40.1"
       ];
 
       local = "/lan/";