router: Make vlans work
This commit is contained in:
parent
d1c67b9cad
commit
e33047f273
1 changed files with 25 additions and 17 deletions
|
@ -1,6 +1,6 @@
|
|||
{ hostName }:
|
||||
|
||||
{ ... }:
|
||||
{ pkgs, ... }:
|
||||
|
||||
let
|
||||
wan = "end0";
|
||||
|
@ -20,6 +20,10 @@ in
|
|||
};
|
||||
};
|
||||
|
||||
environment.systemPackages = with pkgs; [
|
||||
arp-scan
|
||||
];
|
||||
|
||||
systemd.network = {
|
||||
wait-online.anyInterface = true;
|
||||
netdevs = {
|
||||
|
@ -63,6 +67,7 @@ in
|
|||
networkConfig = {
|
||||
Bridge = bridge;
|
||||
ConfigureWithoutCarrier = true;
|
||||
VLAN = [ devices wifi ];
|
||||
};
|
||||
};
|
||||
"40-${bridge}" = {
|
||||
|
@ -73,7 +78,6 @@ in
|
|||
];
|
||||
networkConfig = {
|
||||
ConfigureWithoutCarrier = true;
|
||||
VLAN = [ devices wifi ];
|
||||
};
|
||||
linkConfig.RequiredForOnline = "no";
|
||||
};
|
||||
|
@ -122,7 +126,8 @@ in
|
|||
type filter hook input priority 0; policy drop;
|
||||
|
||||
iifname $BRIDGE accept comment "Allow local network to access the router"
|
||||
iifname $WAN ct state { established, related } accept comment "Allow established traffic"
|
||||
iifname { $DEVICES, $WIFI } udp dport { 53, 67, 68 } accept comment "DHCP & DNS for vlans"
|
||||
iifname { $WAN, $DEVICES, $WIFI } ct state { established, related } accept comment "Allow established traffic"
|
||||
iifname $WAN icmp type { echo-request, destination-unreachable, time-exceeded } counter accept comment "icmp stuff"
|
||||
iifname { $WAN, $WIFI } tcp dport 3128 accept comment "Allow SSH in"
|
||||
iifname $WAN counter drop comment "Drop all other traffic from wan"
|
||||
|
@ -133,6 +138,8 @@ in
|
|||
|
||||
iifname $BRIDGE oifname $BRIDGE accept comment "Allow forwarding internal traffic"
|
||||
iifname { $WAN, $WIFI } oifname $BRIDGE tcp dport { 22, 80, 443, 27750 } accept comment "Allow forwarding external traffic to services"
|
||||
iifname $BRIDGE oifname $WIFI ct state { established, related } accept comment "Allow established traffic"
|
||||
iifname $WIFI oifname $BRIDGE ct state { established, related } accept comment "Allow established traffic"
|
||||
iifname { $BRIDGE, $DEVICES, $WIFI } oifname $WAN accept comment "Allow trusted LAN to WAN"
|
||||
iifname $WAN oifname { $BRIDGE, $DEVICES, $WIFI } ct state { established, related } accept comment "Allow established traffic"
|
||||
}
|
||||
|
@ -172,25 +179,26 @@ in
|
|||
cache-size = 1000;
|
||||
|
||||
dhcp-range = [
|
||||
"set:${bridge},192.168.20.50,192.168.20.90,24h"
|
||||
"set:${devices},192.168.30.10,192.168.30.240,24h"
|
||||
"set:${wifi},192.168.40.10,192.168.40.240,24h"
|
||||
# format TAG,START,END,MASK,LEASE
|
||||
"${bridge},192.168.20.50,192.168.20.90,255.255.255.0,24h"
|
||||
"${devices},192.168.30.10,192.168.30.240,255.255.255.0,24h"
|
||||
"${wifi},192.168.40.10,192.168.40.240,255.255.255.0,24h"
|
||||
];
|
||||
interface = [ bridge devices wifi ];
|
||||
dhcp-host = [
|
||||
"192.168.20.1,set:${bridge}"
|
||||
"192.168.30.1,set:${devices}"
|
||||
"192.168.40.1,set:${wifi}"
|
||||
];
|
||||
# dhcp-host = [
|
||||
# "192.168.20.1,set:${bridge}"
|
||||
# "192.168.30.1,set:${devices}"
|
||||
# "192.168.40.1,set:${wifi}"
|
||||
# ];
|
||||
dhcp-option = [
|
||||
"tag:${bridge},option:router,192.168.20.1"
|
||||
"tag:${bridge},option:dns-server,192.168.20.1"
|
||||
"${bridge},option:router,192.168.20.1"
|
||||
"${bridge},option:dns-server,192.168.20.1"
|
||||
|
||||
"tag:${devices},option:router,192.168.30.1"
|
||||
"tag:${devices},option:dns-server,192.168.30.1"
|
||||
"${devices},option:router,192.168.30.1"
|
||||
"${devices},option:dns-server,192.168.30.1"
|
||||
|
||||
"tag:${wifi},option:router,192.168.40.1"
|
||||
"tag:${wifi},option:dns-server,192.168.40.1"
|
||||
"${wifi},option:router,192.168.40.1"
|
||||
"${wifi},option:dns-server,192.168.40.1"
|
||||
];
|
||||
|
||||
local = "/lan/";
|
||||
|
|
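Review bot: The new input rule `iifname { $DEVICES, $WIFI } udp dport { 53, 67, 68 } accept comment "DHCP & DNS for vlans"` admits DNS from the VLANs over UDP only, so queries that retry over TCP (truncated or large responses) fall through to the chain's `policy drop` and fail, whereas the bridge is unaffected because `iifname $BRIDGE accept` admits it wholesale. Adding `iifname { $DEVICES, $WIFI } tcp dport 53 accept comment "DNS over TCP for vlans"` next to it closes that gap; the input chain starts and ends outside the hunk, so check that a later rule does not already cover it. Separately, the dnsmasq hunk introduces a fully commented-out `dhcp-host` block (five lines starting at `# dhcp-host = [`) that plays no part in the committed configuration; since the old form survives in history, it is better dropped than carried as dead config. The `# format TAG,START,END,MASK,LEASE` comment would read more accurately if it said what the unprefixed first field is taken to be (presumably the per-interface tag dnsmasq sets automatically), so the next reader does not re-add the `set:` prefix this commit removes.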