Networking is a nightmare

This commit is contained in:
Daniel Flanagan 2024-07-16 16:57:45 -05:00
parent 55530d8b26
commit 2b34c907b7


@ -66,11 +66,11 @@ in {
}; };
}; };
# services.fail2ban.enable = true; # # services.fail2ban.enable = true;
services.radvd = { # services.radvd = {
enable = false; # enable = false;
# NOTE: this config is just the default arch linux config I think and may # # NOTE: this config is just the default arch linux config I think and may
# need tweaking? this is what I had on the arch linux router, though :shrug: # # need tweaking? this is what I had on the arch linux router, though :shrug:
# config = '' # config = ''
# interface lo # interface lo
# { # {
@ -114,81 +114,82 @@ in {
# }; # };
# }; # };
# ''; # '';
}; # };
# services.resolved = { # services.resolved = {
# enable = true; # enable = false;
# extraConfig = '' # extraConfig = ''
# [Resolve] # [Resolve]
# DNSStubListener=no # DNSStubListener=no
# ''; # '';
# }; # };
services.dnsmasq = { # services.dnsmasq = {
enable = false; # enable = false;
settings = { # settings = {
# server endpoints # # server endpoints
listen-address = "::1,127.0.0.1,${ip}"; # listen-address = "::1,127.0.0.1,${ip}";
port = "53"; # port = "53";
# DNS cache entries # # DNS cache entries
cache-size = "10000"; # cache-size = "10000";
# local domain entries # # local domain entries
local = "/lan/"; # local = "/lan/";
domain = "lan"; # domain = "lan";
expand-hosts = true; # expand-hosts = true;
dhcp-authoritative = true; # dhcp-authoritative = true;
conf-file = "/usr/share/dnsmasq/trust-anchors.conf"; # conf-file = "/usr/share/dnsmasq/trust-anchors.conf";
dnssec = true; # dnssec = true;
except-interface = "${wan_if}"; # except-interface = "${wan_if}";
interface = "${lan_if}"; # interface = "${lan_if}";
enable-ra = true; # enable-ra = true;
# dhcp-option = "121,${cidr},${ip}"; # # dhcp-option = "121,${cidr},${ip}";
dhcp-range = [ # dhcp-range = [
"lan,${dhcp_lease_space.min},${dhcp_lease_space.max},${netmask},10m" # "lan,${dhcp_lease_space.min},${dhcp_lease_space.max},${netmask},10m"
"tag:${lan_if},::1,constructor:${lan_if},ra-names,12h" # "tag:${lan_if},::1,constructor:${lan_if},ra-names,12h"
]; # ];
dhcp-host = [ # dhcp-host = [
"${hosts.dragon.host},${hosts.dragon.ip},12h" # "${hosts.dragon.host},${hosts.dragon.ip},12h"
"${hosts.beefcake.host},${hosts.beefcake.ip},12h" # "${hosts.beefcake.host},${hosts.beefcake.ip},12h"
]; # ];
# may need to go in /etc/hosts (networking.extraHosts), too? # # may need to go in /etc/hosts (networking.extraHosts), too?
address = [ # address = [
"/video.lyte.dev/192.168.0.9" # "/video.lyte.dev/192.168.0.9"
"/git.lyte.dev/192.168.0.9" # "/git.lyte.dev/192.168.0.9"
"/bw.lyte.dev/192.168.0.9" # "/bw.lyte.dev/192.168.0.9"
"/files.lyte.dev/192.168.0.9" # "/files.lyte.dev/192.168.0.9"
"/vpn.h.lyte.dev/192.168.0.9" # "/vpn.h.lyte.dev/192.168.0.9"
"/.h.lyte.dev/192.168.0.9" # "/.h.lyte.dev/192.168.0.9"
]; # ];
server = [ # server = [
"${ip}" # "${ip}"
"8.8.8.8" # "8.8.8.8"
"8.8.4.4" # "8.8.4.4"
"1.1.1.1" # "1.1.1.1"
"1.0.0.1" # "1.0.0.1"
]; # ];
}; # };
}; # };
environment.systemPackages = with pkgs; [ environment.systemPackages = with pkgs; [
wpa_supplicant wpa_supplicant
inetutils
]; ];
networking = { networking = {
hostName = "router"; hostName = "router";
domain = "h.lyte.dev"; domain = "h.lyte.dev";
useDHCP = false; useDHCP = true;
wireless.enable = true; wireless.enable = true;
# useDHCP = true; # useDHCP = true;
@ -209,146 +210,154 @@ in {
22 22
]; ];
nftables = { # nftables = {
enable = false; # enable = false;
flushRuleset = true; # flushRuleset = true;
tables = { # tables = {
filter = { # filter = {
family = "inet"; # family = "inet";
content = '' # content = ''
chain input { # chain input {
# type filter hook input priority filter; policy accept; # # type filter hook input priority filter; policy accept;
type filter hook input priority 0; # type filter hook input priority 0;
# anything from loopback interface # # anything from loopback interface
iifname "lo" accept # iifname "lo" accept
# accept traffic we originated # # accept traffic we originated
ct state { established, related } counter accept # ct state { established, related } counter accept
ct state invalid counter drop # ct state invalid counter drop
# ICMP # # ICMP
ip6 nexthdr icmpv6 icmpv6 type { echo-request, nd-neighbor-solicit, nd-neighbor-advert, nd-router-solicit, nd-router-advert, mld-listener-query, destination-unreachable, packet-too-big, time-exceeded, parameter-problem } counter accept # ip6 nexthdr icmpv6 icmpv6 type { echo-request, nd-neighbor-solicit, nd-neighbor-advert, nd-router-solicit, nd-router-advert, mld-listener-query, destination-unreachable, packet-too-big, time-exceeded, parameter-problem } counter accept
ip protocol icmp icmp type { echo-request, destination-unreachable, router-advertisement, time-exceeded, parameter-problem } counter accept # ip protocol icmp icmp type { echo-request, destination-unreachable, router-advertisement, time-exceeded, parameter-problem } counter accept
ip protocol icmpv6 counter accept # ip protocol icmpv6 counter accept
ip protocol icmp counter accept # ip protocol icmp counter accept
meta l4proto ipv6-icmp counter accept # meta l4proto ipv6-icmp counter accept
udp dport dhcpv6-client counter accept # udp dport dhcpv6-client counter accept
tcp dport { 64022, 22, 53, 67, 25565 } counter accept # tcp dport { 64022, 22, 53, 67, 25565 } counter accept
udp dport { 64020, 22, 53, 67 } counter accept # udp dport { 64020, 22, 53, 67 } counter accept
# iifname "iot" ip saddr $iot-ip tcp dport { llmnr } counter accept # # iifname "iot" ip saddr $iot-ip tcp dport { llmnr } counter accept
# iifname "iot" ip saddr $iot-ip udp dport { mdns, llmnr } counter accept # # iifname "iot" ip saddr $iot-ip udp dport { mdns, llmnr } counter accept
iifname "${lan_if}" tcp dport { llmnr } counter accept # iifname "${lan_if}" tcp dport { llmnr } counter accept
iifname "${lan_if}" udp dport { mdns, llmnr } counter accept # iifname "${lan_if}" udp dport { mdns, llmnr } counter accept
counter drop # counter drop
} # }
# allow all outgoing # # allow all outgoing
chain output { # chain output {
type filter hook output priority 0; # type filter hook output priority 0;
accept # accept
} # }
chain forward { # chain forward {
type filter hook forward priority 0; # type filter hook forward priority 0;
accept # accept
} # }
''; # '';
}; # };
nat = { # nat = {
family = "ip"; # family = "ip";
content = '' # content = ''
set masq_saddr { # set masq_saddr {
type ipv4_addr # type ipv4_addr
flags interval # flags interval
elements = { ${cidr} } # elements = { ${cidr} }
} # }
map map_port_ipport { # map map_port_ipport {
type inet_proto . inet_service : ipv4_addr . inet_service # type inet_proto . inet_service : ipv4_addr . inet_service
} # }
chain prerouting { # chain prerouting {
iifname ${lan_if} accept # iifname ${lan_if} accept
type nat hook prerouting priority dstnat + 1; policy accept; # type nat hook prerouting priority dstnat + 1; policy accept;
fib daddr type local dnat ip addr . port to meta l4proto . th dport map @map_port_ipport # fib daddr type local dnat ip addr . port to meta l4proto . th dport map @map_port_ipport
iifname ${wan_if} tcp dport { 22, 80, 443, 25565, 64022 } dnat to ${hosts.beefcake.ip} # iifname ${wan_if} tcp dport { 22, 80, 443, 25565, 64022 } dnat to ${hosts.beefcake.ip}
iifname ${wan_if} udp dport { 64020 } dnat to ${hosts.beefcake.ip} # iifname ${wan_if} udp dport { 64020 } dnat to ${hosts.beefcake.ip}
# iifname ${wan_if} tcp dport { 25565 } dnat to 192.168.0.244 # # iifname ${wan_if} tcp dport { 25565 } dnat to 192.168.0.244
# iifname ${wan_if} udp dport { 25565 } dnat to 192.168.0.244 # # iifname ${wan_if} udp dport { 25565 } dnat to 192.168.0.244
# router # # router
iifname ${wan_if} tcp dport { 2201 } dnat to ${ip} # iifname ${wan_if} tcp dport { 2201 } dnat to ${ip}
} # }
chain output { # chain output {
type nat hook output priority -99; policy accept; # type nat hook output priority -99; policy accept;
ip daddr != 127.0.0.0/8 oif "lo" dnat ip addr . port to meta l4proto . th dport map @map_port_ipport # ip daddr != 127.0.0.0/8 oif "lo" dnat ip addr . port to meta l4proto . th dport map @map_port_ipport
} # }
chain postrouting { # chain postrouting {
type nat hook postrouting priority srcnat + 1; policy accept; # type nat hook postrouting priority srcnat + 1; policy accept;
oifname ${lan_if} masquerade # oifname ${lan_if} masquerade
ip saddr @masq_saddr masquerade # ip saddr @masq_saddr masquerade
} # }
''; # '';
}; # };
}; # };
}; # };
dhcpcd = { # dhcpcd = {
enable = false; # enable = false;
extraConfig = '' # extraConfig = ''
duid # duid
# No way.... https://github.com/NetworkConfiguration/dhcpcd/issues/36#issuecomment-954777644 # # No way.... https://github.com/NetworkConfiguration/dhcpcd/issues/36#issuecomment-954777644
# issues caused by guests with oneplus devices # # issues caused by guests with oneplus devices
noarp # noarp
persistent # persistent
vendorclassid # vendorclassid
option domain_name_servers, domain_name, domain_search # option domain_name_servers, domain_name, domain_search
option classless_static_routes # option classless_static_routes
option interface_mtu # option interface_mtu
option host_name # option host_name
#option ntp_servers # #option ntp_servers
require dhcp_server_identifier # require dhcp_server_identifier
slaac private # slaac private
noipv4ll # noipv4ll
noipv6rs # noipv6rs
static domain_name_servers=${ip} # static domain_name_servers=${ip}
interface ${wan_if} # interface ${wan_if}
gateway # gateway
ipv6rs # ipv6rs
iaid 1 # iaid 1
# option rapid_commit # # option rapid_commit
# ia_na 1 # # ia_na 1
ia_pd 1 ${lan_if} # ia_pd 1 ${lan_if}
interface ${lan_if} # interface ${lan_if}
static ip_address=${cidr} # static ip_address=${cidr}
static routers=${ip} # static routers=${ip}
static domain_name_servers=${ip} # static domain_name_servers=${ip}
''; # '';
}; # };
}; };
systemd.services.systemd-networkd-wait-online.enable = lib.mkForce false; systemd.services.systemd-networkd-wait-online.enable = lib.mkForce false;
services.openssh.listenAddresses = [ services.openssh.listenAddresses = [
{
addr = "0.0.0.0";
port = 2201;
}
{
addr = "0.0.0.0";
port = 22;
}
{ {
addr = "[::]"; addr = "[::]";
port = 2201; port = 2201;
@ -359,47 +368,47 @@ in {
} }
]; ];
systemd.network = { # systemd.network = {
enable = false; # enable = false;
networks = { # networks = {
wan = { # wan = {
networkConfig = { # networkConfig = {
DHCP = "yes"; # DHCP = "yes";
}; # };
}; # };
lan = { # lan = {
networkConfig = { # networkConfig = {
DHCP = "yes"; # DHCP = "yes";
}; # };
}; # };
}; # };
links = { # links = {
"10-${wan_if}" = { # "10-${wan_if}" = {
enable = true; # enable = true;
matchConfig = { # matchConfig = {
MACAddress = "00:01:2e:82:73:59"; # MACAddress = "00:01:2e:82:73:59";
}; # };
linkConfig = { # linkConfig = {
Name = wan_if; # Name = wan_if;
}; # };
}; # };
"10-${lan_if}" = { # "10-${lan_if}" = {
enable = true; # enable = true;
matchConfig = { # matchConfig = {
MACAddress = "00:01:2e:82:73:5a"; # MACAddress = "00:01:2e:82:73:5a";
}; # };
linkConfig = { # linkConfig = {
Name = lan_if; # Name = lan_if;
}; # };
}; # };
}; # };
}; # };
services.avahi = { # services.avahi = {
enable = lib.mkForce false; # enable = lib.mkForce false;
reflector = false; # reflector = false;
allowInterfaces = [lan_if]; # allowInterfaces = [lan_if];
}; # };
system.stateVersion = "24.05"; system.stateVersion = "24.05";
} }
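Review bot: The added sshd listeners (the `addr = "0.0.0.0"` entries for ports 2201 and 22 under `services.openssh.listenAddresses`) bind every IPv4 address on a host named `router` with a `${wan_if}`, so sshd becomes reachable on the WAN side too; the nftables table that previously had a rule scoping port 2201 to a WAN DNAT is now fully commented out (it was already `enable = false`), so nothing in this hunk constrains where those ports are reachable from. Whether they are actually open depends on `networking.firewall` — the `allowedTCPPorts` list that contains `22` starts before the hunk and is not visible here, but if it is the global list rather than a per-interface one it admits 22 on `${wan_if}` as well. Consider binding to the LAN address instead, e.g. `{ addr = "${ip}"; port = 2201; }` and `{ addr = "${ip}"; port = 22; }`, and/or moving 22/2201 into `networking.firewall.interfaces.${lan_if}.allowedTCPPorts` so the WAN side stays closed without relying on the disabled nftables rules. Separately, `useDHCP` flips from `false` to `true`, which runs a DHCP client on every interface not configured elsewhere, including `${lan_if}`; with dnsmasq now commented out it is worth confirming that is intended and not a leftover from debugging.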