Networking is a nightmare
This commit is contained in:
parent
55530d8b26
commit
2b34c907b7
1 changed files with 248 additions and 239 deletions
411
nixos/router.nix
411
nixos/router.nix
|
@ -66,11 +66,11 @@ in {
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
# services.fail2ban.enable = true;
|
# # services.fail2ban.enable = true;
|
||||||
services.radvd = {
|
# services.radvd = {
|
||||||
enable = false;
|
# enable = false;
|
||||||
# NOTE: this config is just the default arch linux config I think and may
|
# # NOTE: this config is just the default arch linux config I think and may
|
||||||
# need tweaking? this is what I had on the arch linux router, though :shrug:
|
# # need tweaking? this is what I had on the arch linux router, though :shrug:
|
||||||
# config = ''
|
# config = ''
|
||||||
# interface lo
|
# interface lo
|
||||||
# {
|
# {
|
||||||
|
@ -114,81 +114,82 @@ in {
|
||||||
# };
|
# };
|
||||||
# };
|
# };
|
||||||
# '';
|
# '';
|
||||||
};
|
# };
|
||||||
|
|
||||||
# services.resolved = {
|
# services.resolved = {
|
||||||
# enable = true;
|
# enable = false;
|
||||||
# extraConfig = ''
|
# extraConfig = ''
|
||||||
# [Resolve]
|
# [Resolve]
|
||||||
# DNSStubListener=no
|
# DNSStubListener=no
|
||||||
# '';
|
# '';
|
||||||
# };
|
# };
|
||||||
|
|
||||||
services.dnsmasq = {
|
# services.dnsmasq = {
|
||||||
enable = false;
|
# enable = false;
|
||||||
settings = {
|
# settings = {
|
||||||
# server endpoints
|
# # server endpoints
|
||||||
listen-address = "::1,127.0.0.1,${ip}";
|
# listen-address = "::1,127.0.0.1,${ip}";
|
||||||
port = "53";
|
# port = "53";
|
||||||
|
|
||||||
# DNS cache entries
|
# # DNS cache entries
|
||||||
cache-size = "10000";
|
# cache-size = "10000";
|
||||||
|
|
||||||
# local domain entries
|
# # local domain entries
|
||||||
local = "/lan/";
|
# local = "/lan/";
|
||||||
domain = "lan";
|
# domain = "lan";
|
||||||
expand-hosts = true;
|
# expand-hosts = true;
|
||||||
|
|
||||||
dhcp-authoritative = true;
|
# dhcp-authoritative = true;
|
||||||
|
|
||||||
conf-file = "/usr/share/dnsmasq/trust-anchors.conf";
|
# conf-file = "/usr/share/dnsmasq/trust-anchors.conf";
|
||||||
dnssec = true;
|
# dnssec = true;
|
||||||
|
|
||||||
except-interface = "${wan_if}";
|
# except-interface = "${wan_if}";
|
||||||
interface = "${lan_if}";
|
# interface = "${lan_if}";
|
||||||
|
|
||||||
enable-ra = true;
|
# enable-ra = true;
|
||||||
|
|
||||||
# dhcp-option = "121,${cidr},${ip}";
|
# # dhcp-option = "121,${cidr},${ip}";
|
||||||
|
|
||||||
dhcp-range = [
|
# dhcp-range = [
|
||||||
"lan,${dhcp_lease_space.min},${dhcp_lease_space.max},${netmask},10m"
|
# "lan,${dhcp_lease_space.min},${dhcp_lease_space.max},${netmask},10m"
|
||||||
"tag:${lan_if},::1,constructor:${lan_if},ra-names,12h"
|
# "tag:${lan_if},::1,constructor:${lan_if},ra-names,12h"
|
||||||
];
|
# ];
|
||||||
|
|
||||||
dhcp-host = [
|
# dhcp-host = [
|
||||||
"${hosts.dragon.host},${hosts.dragon.ip},12h"
|
# "${hosts.dragon.host},${hosts.dragon.ip},12h"
|
||||||
"${hosts.beefcake.host},${hosts.beefcake.ip},12h"
|
# "${hosts.beefcake.host},${hosts.beefcake.ip},12h"
|
||||||
];
|
# ];
|
||||||
|
|
||||||
# may need to go in /etc/hosts (networking.extraHosts), too?
|
# # may need to go in /etc/hosts (networking.extraHosts), too?
|
||||||
address = [
|
# address = [
|
||||||
"/video.lyte.dev/192.168.0.9"
|
# "/video.lyte.dev/192.168.0.9"
|
||||||
"/git.lyte.dev/192.168.0.9"
|
# "/git.lyte.dev/192.168.0.9"
|
||||||
"/bw.lyte.dev/192.168.0.9"
|
# "/bw.lyte.dev/192.168.0.9"
|
||||||
"/files.lyte.dev/192.168.0.9"
|
# "/files.lyte.dev/192.168.0.9"
|
||||||
"/vpn.h.lyte.dev/192.168.0.9"
|
# "/vpn.h.lyte.dev/192.168.0.9"
|
||||||
"/.h.lyte.dev/192.168.0.9"
|
# "/.h.lyte.dev/192.168.0.9"
|
||||||
];
|
# ];
|
||||||
|
|
||||||
server = [
|
# server = [
|
||||||
"${ip}"
|
# "${ip}"
|
||||||
"8.8.8.8"
|
# "8.8.8.8"
|
||||||
"8.8.4.4"
|
# "8.8.4.4"
|
||||||
"1.1.1.1"
|
# "1.1.1.1"
|
||||||
"1.0.0.1"
|
# "1.0.0.1"
|
||||||
];
|
# ];
|
||||||
};
|
# };
|
||||||
};
|
# };
|
||||||
|
|
||||||
environment.systemPackages = with pkgs; [
|
environment.systemPackages = with pkgs; [
|
||||||
wpa_supplicant
|
wpa_supplicant
|
||||||
|
inetutils
|
||||||
];
|
];
|
||||||
|
|
||||||
networking = {
|
networking = {
|
||||||
hostName = "router";
|
hostName = "router";
|
||||||
domain = "h.lyte.dev";
|
domain = "h.lyte.dev";
|
||||||
useDHCP = false;
|
useDHCP = true;
|
||||||
wireless.enable = true;
|
wireless.enable = true;
|
||||||
|
|
||||||
# useDHCP = true;
|
# useDHCP = true;
|
||||||
|
@ -209,146 +210,154 @@ in {
|
||||||
22
|
22
|
||||||
];
|
];
|
||||||
|
|
||||||
nftables = {
|
# nftables = {
|
||||||
enable = false;
|
# enable = false;
|
||||||
flushRuleset = true;
|
# flushRuleset = true;
|
||||||
|
|
||||||
tables = {
|
# tables = {
|
||||||
filter = {
|
# filter = {
|
||||||
family = "inet";
|
# family = "inet";
|
||||||
content = ''
|
# content = ''
|
||||||
chain input {
|
# chain input {
|
||||||
# type filter hook input priority filter; policy accept;
|
# # type filter hook input priority filter; policy accept;
|
||||||
type filter hook input priority 0;
|
# type filter hook input priority 0;
|
||||||
|
|
||||||
# anything from loopback interface
|
# # anything from loopback interface
|
||||||
iifname "lo" accept
|
# iifname "lo" accept
|
||||||
|
|
||||||
# accept traffic we originated
|
# # accept traffic we originated
|
||||||
ct state { established, related } counter accept
|
# ct state { established, related } counter accept
|
||||||
ct state invalid counter drop
|
# ct state invalid counter drop
|
||||||
|
|
||||||
# ICMP
|
# # ICMP
|
||||||
ip6 nexthdr icmpv6 icmpv6 type { echo-request, nd-neighbor-solicit, nd-neighbor-advert, nd-router-solicit, nd-router-advert, mld-listener-query, destination-unreachable, packet-too-big, time-exceeded, parameter-problem } counter accept
|
# ip6 nexthdr icmpv6 icmpv6 type { echo-request, nd-neighbor-solicit, nd-neighbor-advert, nd-router-solicit, nd-router-advert, mld-listener-query, destination-unreachable, packet-too-big, time-exceeded, parameter-problem } counter accept
|
||||||
ip protocol icmp icmp type { echo-request, destination-unreachable, router-advertisement, time-exceeded, parameter-problem } counter accept
|
# ip protocol icmp icmp type { echo-request, destination-unreachable, router-advertisement, time-exceeded, parameter-problem } counter accept
|
||||||
ip protocol icmpv6 counter accept
|
# ip protocol icmpv6 counter accept
|
||||||
ip protocol icmp counter accept
|
# ip protocol icmp counter accept
|
||||||
meta l4proto ipv6-icmp counter accept
|
# meta l4proto ipv6-icmp counter accept
|
||||||
|
|
||||||
udp dport dhcpv6-client counter accept
|
# udp dport dhcpv6-client counter accept
|
||||||
|
|
||||||
tcp dport { 64022, 22, 53, 67, 25565 } counter accept
|
# tcp dport { 64022, 22, 53, 67, 25565 } counter accept
|
||||||
udp dport { 64020, 22, 53, 67 } counter accept
|
# udp dport { 64020, 22, 53, 67 } counter accept
|
||||||
|
|
||||||
# iifname "iot" ip saddr $iot-ip tcp dport { llmnr } counter accept
|
# # iifname "iot" ip saddr $iot-ip tcp dport { llmnr } counter accept
|
||||||
# iifname "iot" ip saddr $iot-ip udp dport { mdns, llmnr } counter accept
|
# # iifname "iot" ip saddr $iot-ip udp dport { mdns, llmnr } counter accept
|
||||||
iifname "${lan_if}" tcp dport { llmnr } counter accept
|
# iifname "${lan_if}" tcp dport { llmnr } counter accept
|
||||||
iifname "${lan_if}" udp dport { mdns, llmnr } counter accept
|
# iifname "${lan_if}" udp dport { mdns, llmnr } counter accept
|
||||||
|
|
||||||
counter drop
|
# counter drop
|
||||||
}
|
# }
|
||||||
|
|
||||||
# allow all outgoing
|
# # allow all outgoing
|
||||||
chain output {
|
# chain output {
|
||||||
type filter hook output priority 0;
|
# type filter hook output priority 0;
|
||||||
accept
|
# accept
|
||||||
}
|
# }
|
||||||
|
|
||||||
chain forward {
|
# chain forward {
|
||||||
type filter hook forward priority 0;
|
# type filter hook forward priority 0;
|
||||||
accept
|
# accept
|
||||||
}
|
# }
|
||||||
'';
|
# '';
|
||||||
};
|
# };
|
||||||
|
|
||||||
nat = {
|
# nat = {
|
||||||
family = "ip";
|
# family = "ip";
|
||||||
content = ''
|
# content = ''
|
||||||
set masq_saddr {
|
# set masq_saddr {
|
||||||
type ipv4_addr
|
# type ipv4_addr
|
||||||
flags interval
|
# flags interval
|
||||||
elements = { ${cidr} }
|
# elements = { ${cidr} }
|
||||||
}
|
# }
|
||||||
|
|
||||||
map map_port_ipport {
|
# map map_port_ipport {
|
||||||
type inet_proto . inet_service : ipv4_addr . inet_service
|
# type inet_proto . inet_service : ipv4_addr . inet_service
|
||||||
}
|
# }
|
||||||
|
|
||||||
chain prerouting {
|
# chain prerouting {
|
||||||
iifname ${lan_if} accept
|
# iifname ${lan_if} accept
|
||||||
|
|
||||||
type nat hook prerouting priority dstnat + 1; policy accept;
|
# type nat hook prerouting priority dstnat + 1; policy accept;
|
||||||
fib daddr type local dnat ip addr . port to meta l4proto . th dport map @map_port_ipport
|
# fib daddr type local dnat ip addr . port to meta l4proto . th dport map @map_port_ipport
|
||||||
|
|
||||||
iifname ${wan_if} tcp dport { 22, 80, 443, 25565, 64022 } dnat to ${hosts.beefcake.ip}
|
# iifname ${wan_if} tcp dport { 22, 80, 443, 25565, 64022 } dnat to ${hosts.beefcake.ip}
|
||||||
iifname ${wan_if} udp dport { 64020 } dnat to ${hosts.beefcake.ip}
|
# iifname ${wan_if} udp dport { 64020 } dnat to ${hosts.beefcake.ip}
|
||||||
|
|
||||||
# iifname ${wan_if} tcp dport { 25565 } dnat to 192.168.0.244
|
# # iifname ${wan_if} tcp dport { 25565 } dnat to 192.168.0.244
|
||||||
# iifname ${wan_if} udp dport { 25565 } dnat to 192.168.0.244
|
# # iifname ${wan_if} udp dport { 25565 } dnat to 192.168.0.244
|
||||||
|
|
||||||
# router
|
# # router
|
||||||
iifname ${wan_if} tcp dport { 2201 } dnat to ${ip}
|
# iifname ${wan_if} tcp dport { 2201 } dnat to ${ip}
|
||||||
}
|
# }
|
||||||
|
|
||||||
chain output {
|
# chain output {
|
||||||
type nat hook output priority -99; policy accept;
|
# type nat hook output priority -99; policy accept;
|
||||||
ip daddr != 127.0.0.0/8 oif "lo" dnat ip addr . port to meta l4proto . th dport map @map_port_ipport
|
# ip daddr != 127.0.0.0/8 oif "lo" dnat ip addr . port to meta l4proto . th dport map @map_port_ipport
|
||||||
}
|
# }
|
||||||
|
|
||||||
chain postrouting {
|
# chain postrouting {
|
||||||
type nat hook postrouting priority srcnat + 1; policy accept;
|
# type nat hook postrouting priority srcnat + 1; policy accept;
|
||||||
oifname ${lan_if} masquerade
|
# oifname ${lan_if} masquerade
|
||||||
ip saddr @masq_saddr masquerade
|
# ip saddr @masq_saddr masquerade
|
||||||
}
|
# }
|
||||||
'';
|
# '';
|
||||||
};
|
# };
|
||||||
};
|
# };
|
||||||
};
|
# };
|
||||||
|
|
||||||
dhcpcd = {
|
# dhcpcd = {
|
||||||
enable = false;
|
# enable = false;
|
||||||
extraConfig = ''
|
# extraConfig = ''
|
||||||
duid
|
# duid
|
||||||
|
|
||||||
# No way.... https://github.com/NetworkConfiguration/dhcpcd/issues/36#issuecomment-954777644
|
# # No way.... https://github.com/NetworkConfiguration/dhcpcd/issues/36#issuecomment-954777644
|
||||||
# issues caused by guests with oneplus devices
|
# # issues caused by guests with oneplus devices
|
||||||
noarp
|
# noarp
|
||||||
|
|
||||||
persistent
|
# persistent
|
||||||
vendorclassid
|
# vendorclassid
|
||||||
|
|
||||||
option domain_name_servers, domain_name, domain_search
|
# option domain_name_servers, domain_name, domain_search
|
||||||
option classless_static_routes
|
# option classless_static_routes
|
||||||
option interface_mtu
|
# option interface_mtu
|
||||||
option host_name
|
# option host_name
|
||||||
#option ntp_servers
|
# #option ntp_servers
|
||||||
|
|
||||||
require dhcp_server_identifier
|
# require dhcp_server_identifier
|
||||||
slaac private
|
# slaac private
|
||||||
noipv4ll
|
# noipv4ll
|
||||||
noipv6rs
|
# noipv6rs
|
||||||
|
|
||||||
static domain_name_servers=${ip}
|
# static domain_name_servers=${ip}
|
||||||
|
|
||||||
interface ${wan_if}
|
# interface ${wan_if}
|
||||||
gateway
|
# gateway
|
||||||
ipv6rs
|
# ipv6rs
|
||||||
iaid 1
|
# iaid 1
|
||||||
# option rapid_commit
|
# # option rapid_commit
|
||||||
# ia_na 1
|
# # ia_na 1
|
||||||
ia_pd 1 ${lan_if}
|
# ia_pd 1 ${lan_if}
|
||||||
|
|
||||||
interface ${lan_if}
|
# interface ${lan_if}
|
||||||
static ip_address=${cidr}
|
# static ip_address=${cidr}
|
||||||
static routers=${ip}
|
# static routers=${ip}
|
||||||
static domain_name_servers=${ip}
|
# static domain_name_servers=${ip}
|
||||||
'';
|
# '';
|
||||||
};
|
# };
|
||||||
};
|
};
|
||||||
|
|
||||||
systemd.services.systemd-networkd-wait-online.enable = lib.mkForce false;
|
systemd.services.systemd-networkd-wait-online.enable = lib.mkForce false;
|
||||||
|
|
||||||
services.openssh.listenAddresses = [
|
services.openssh.listenAddresses = [
|
||||||
|
{
|
||||||
|
addr = "0.0.0.0";
|
||||||
|
port = 2201;
|
||||||
|
}
|
||||||
|
{
|
||||||
|
addr = "0.0.0.0";
|
||||||
|
port = 22;
|
||||||
|
}
|
||||||
{
|
{
|
||||||
addr = "[::]";
|
addr = "[::]";
|
||||||
port = 2201;
|
port = 2201;
|
||||||
|
@ -359,47 +368,47 @@ in {
|
||||||
}
|
}
|
||||||
];
|
];
|
||||||
|
|
||||||
systemd.network = {
|
# systemd.network = {
|
||||||
enable = false;
|
# enable = false;
|
||||||
networks = {
|
# networks = {
|
||||||
wan = {
|
# wan = {
|
||||||
networkConfig = {
|
# networkConfig = {
|
||||||
DHCP = "yes";
|
# DHCP = "yes";
|
||||||
};
|
# };
|
||||||
};
|
# };
|
||||||
lan = {
|
# lan = {
|
||||||
networkConfig = {
|
# networkConfig = {
|
||||||
DHCP = "yes";
|
# DHCP = "yes";
|
||||||
};
|
# };
|
||||||
};
|
# };
|
||||||
};
|
# };
|
||||||
links = {
|
# links = {
|
||||||
"10-${wan_if}" = {
|
# "10-${wan_if}" = {
|
||||||
enable = true;
|
# enable = true;
|
||||||
matchConfig = {
|
# matchConfig = {
|
||||||
MACAddress = "00:01:2e:82:73:59";
|
# MACAddress = "00:01:2e:82:73:59";
|
||||||
};
|
# };
|
||||||
linkConfig = {
|
# linkConfig = {
|
||||||
Name = wan_if;
|
# Name = wan_if;
|
||||||
};
|
# };
|
||||||
};
|
# };
|
||||||
"10-${lan_if}" = {
|
# "10-${lan_if}" = {
|
||||||
enable = true;
|
# enable = true;
|
||||||
matchConfig = {
|
# matchConfig = {
|
||||||
MACAddress = "00:01:2e:82:73:5a";
|
# MACAddress = "00:01:2e:82:73:5a";
|
||||||
};
|
# };
|
||||||
linkConfig = {
|
# linkConfig = {
|
||||||
Name = lan_if;
|
# Name = lan_if;
|
||||||
};
|
# };
|
||||||
};
|
# };
|
||||||
};
|
# };
|
||||||
};
|
# };
|
||||||
|
|
||||||
services.avahi = {
|
# services.avahi = {
|
||||||
enable = lib.mkForce false;
|
# enable = lib.mkForce false;
|
||||||
reflector = false;
|
# reflector = false;
|
||||||
allowInterfaces = [lan_if];
|
# allowInterfaces = [lan_if];
|
||||||
};
|
# };
|
||||||
|
|
||||||
system.stateVersion = "24.05";
|
system.stateVersion = "24.05";
|
||||||
}
|
}
|
||||||
|
|
Loading…
Reference in a new issue