Updates

.gitignore

@@ -1 +1 @@
-tags
+dnsmasq.leases

dhcpcd.conf

@@ -1,4 +1,8 @@
 duid
+
+# No way.... https://github.com/NetworkConfiguration/dhcpcd/issues/36#issuecomment-954777644
+# issues caused by guests with oneplus devices
+noarp
 persistent
 vendorclassid
 
@@ -12,16 +16,18 @@ require dhcp_server_identifier
 slaac private
 noipv4ll
 noipv6rs
-waitip 6
+
+static domain_name_servers=192.168.0.1
 
 interface wan0
+	gateway
 	ipv6rs
 	iaid 1
-	option rapid_commit
-	ia_na 1
+	# option rapid_commit
+	# ia_na 1
 	ia_pd 1 lan0
 
 interface lan0
-	static ip_address=10.0.0.1/24
-	static routers=10.0.0.1
-	static domain_name_servers=10.0.0.1 8.8.8.8 8.8.4.4
+	static ip_address=192.168.0.1/16
+	static routers=192.168.0.1
+	static domain_name_servers=192.168.0.1

dnsmasq.conf

@@ -1,37 +1,54 @@
+# server endpoints
+listen-address=::1,127.0.0.1,192.168.0.1,0.0.0.0
+port=53
+
+# DNS cache entries
+cache-size=10000
+
+# local domain entries
+local=/lan/
+domain=lan
+expand-hosts
+
+dhcp-authoritative
+
+conf-file=/usr/share/dnsmasq/trust-anchors.conf
+dnssec
+
 except-interface=wan0
-bogus-priv
+interface=lan0
 
 enable-ra
 
-dhcp-range=lan,10.0.0.5,10.0.0.250,255.255.255.0,10m
+# dhcp-option=121,192.168.0.0/16,192.168.0.1
+
+dhcp-range=lan,192.168.0.5,192.168.0.250,255.255.255.0,10m
 dhcp-range=tag:lan0,::1,constructor:lan0,ra-names,12h
 
-local=/h.lyte.dev/
+dhcp-host=dragon,192.168.0.10,12h
+dhcp-host=beefcake,192.168.0.9,12h
+dhcp-host=bald,192.168.0.153,12h
+dhcp-host=chromebox,192.168.0.5,12h
+dhcp-host=B-C02G56VXML85,192.168.0.128,12h
+dhcp-host=B-W4KNHWJ6XY,192.168.0.217,12h
+dhcp-host=mnemonic,192.168.0.248,ea:1b:7a:fb:8b:b8,12h
+# dhcp-host=frontdoorcam,192.168.0.89,9c:8e:cd:2b:71:e9,120m
 
-dhcp-host=f0:2f:74:c9:9b:61,dragon,10.0.0.10,12h
-dhcp-host=00:50:b6:24:27:0b,faceless,10.0.0.25,12h
-dhcp-host=d0:50:99:26:89:86,ourcraft,10.0.0.244,2m
+address=/video.lyte.dev/192.168.0.9
+address=/git.lyte.dev/192.168.0.9
+address=/bw.lyte.dev/192.168.0.9
+address=/files.lyte.dev/192.168.0.9
+address=/vpn.h.lyte.dev/192.168.0.9
+address=/.h.lyte.dev/192.168.0.9
 
-address=/dragon.h.lyte.dev/10.0.0.10
-address=/git.lyte.dev/10.0.0.25
-address=/h.lyte.dev/10.0.0.25
-address=/a.lyte.dev/10.0.0.25
-address=/.h.lyte.dev/10.0.0.25
-address=/#.h.lyte.dev/10.0.0.25
-address=/bw.lyte.dev/10.0.0.25
-address=/files.lyte.dev/10.0.0.25
-address=/grafana.lyte.dev/10.0.0.25
-address=/ourcraft.lyte.dev/10.0.0.244
+dhcp-host=AMC058BA_A75F1E,192.168.0.150,12h
+dhcp-host=AMC0587F_A2969A,192.168.0.151,12h
 
+server=192.168.0.1
 server=8.8.8.8
 server=8.8.4.4
+server=1.1.1.1
+server=1.0.0.1
 
-expand-hosts
 
-port=53
 
-interface=lan0
-
-domain=h.lyte.dev
-
-dhcp-authoritative

dnsmasq.leases

@@ -1 +0,0 @@
-/var/lib/misc/dnsmasq.leases

etc-hosts

@@ -0,0 +1,20 @@
+# Static table lookup for hostnames.
+# See hosts(5) for details.
+
+127.0.0.1 localhost
+192.168.0.1 router.h.lyte.dev router
+
+::1 localhost ip6-localhost ip6-loopback
+ff02::1 ip6-allnodes
+ff02::2 ip6-allrouters
+
+192.168.0.9 git.lyte.dev
+192.168.0.9 video.lyte.dev
+192.168.0.9 files.lyte.dev
+192.168.0.9 bw.lyte.dev
+192.168.0.9 vpn.h.lyte.dev
+192.168.0.9 nix.h.lyte.dev
+192.168.0.9 a.lyte.dev
+192.168.0.9 api.lyte.dev
+192.168.0.9 ourcraft.lyte.dev
+192.168.0.9 jland.lyte.dev

firewall-edit.bash

@@ -8,7 +8,7 @@ t="/tmp/nftables.conf"
 # we don't care about existing rules - just use ours, thanks
 # sudo nft -s list ruleset >> "$f"
 
-sudo -E nvim "$my_config"
+sudo -E $EDITOR "$my_config"
 cat "$my_config"
 echo "Do you want to load this config? [y/N]"
 read -r l

link.fish

@@ -1,31 +0,0 @@
-#!/usr/bin/env fish
-
-if test (id -u) -ne 0
-	echo "must run as root" 
-	exit 1
-end
-
-function relink
-	rm -f $argv[2]
-	ezln $argv[1] $argv[2]
-end
-
-function recopy
-	rm -f $argv[2]
-	cp $argv[1] $argv[2]
-end
-
-recopy dnsmasq.conf /etc/dnsmasq.conf
-recopy resolved.conf /etc/systemd/resolved.conf
-recopy ./sysctl-configs /etc/sysctl.d/10-router-configs.conf
-
-# enable systemd-networkd to setup network interfaces with useful names
-recopy lan0.link /etc/systemd/network/10-lan0.link
-recopy wan0.link /etc/systemd/network/10-wan0.link
-
-# enable systemd-networkd set the proper sysctl flags
-# recopy wan0.network /etc/systemd/network/wan0.network
-# recopy lan0.network /etc/systemd/network/lan0.network
-
-# dhcp client configuration
-recopy dhcpcd.conf /etc/dhcpcd.conf

makefile

@@ -0,0 +1,96 @@
+# TODO: some kind of automatic (without confirmation) rollback setup?
+
+.PHONY: default
+default: copy-configuration-files restart-services
+
+.PHONY: setup
+setup: system-dependencies /root/router.wg-pub enable-and-start-services mkinitcpio
+
+.PHONY: firewall-edit
+firewall-edit:
+	./firewall-edit.bash
+
+.PHONY: mkinitcpio
+mkinitcpio:
+	mkinitcpio -p linux
+	
+.PHONY: system-dependencies
+system-dependencies:
+	echo "Updating system..."
+	pacman -Sy --needed archlinux-keyring # get latest keys
+	pacman -Syu # update everything
+	pacman -S --needed dnsmasq nftables fail2ban radvd git dhcpcd wireguard-tools tailscale # install anything needed
+	echo "Done updating system!"
+	echo "The system has updated. This usually means the kernel updated, so tailscale needs you to reboot."
+
+.PHONY: restart-services
+restart-services:
+	echo "Restarting services..."
+	systemctl restart nftables
+	systemctl restart systemd-sysctl
+	systemctl restart systemd-networkd
+	systemctl restart dnsmasq
+	# systemctl restart systemd-resolved # this seems to conflict with dnsmasq - not sure we need it?
+	systemctl restart dhcpcd@lan0
+	systemctl restart dhcpcd@wan0
+	systemctl restart radvd
+	# ksystemctl restart tailscaled # is this necessary since no config lies in this repo?
+	echo "Services restarted!"
+
+.PHONY: enable-and-start-services
+enable-and-start-services:
+	echo "Enabling and starting services..."
+	systemctl enable --now nftables
+	systemctl enable --now systemd-sysctl
+	systemctl enable --now systemd-networkd
+	systemctl enable --now dnsmasq
+	# systemctl enable --now systemd-resolved # this seems to conflict with dnsmasq - not sure we need it?
+	systemctl enable --now dhcpcd@lan0
+	systemctl enable --now dhcpcd@wan0
+	systemctl enable --now radvd
+	# systemctl enable --now tailscaled # is this necessary since no config lies in this repo?
+	echo "Services enabled and restarted!"
+
+.PHONY: copy-configuration-files
+copy-configuration-files: /etc/dnsmasq.conf /etc/systemd/resolved.conf /etc/sysctl.d/10-router-configs.conf /etc/systemd/network/10-lan0.link /etc/systemd/network/10-wan0.link /etc/dhcpcd.conf /etc/hosts
+
+/root/router.wg-key:
+	umask 0077 && wg genkey > $@
+
+/root/router.wg-pub: /root/router.wg-key
+	umask 0077 && cat $^ wg genkey > $@
+	
+/etc/dnsmasq.conf: dnsmasq.conf
+	rm -f $@
+	cp $^ $@
+	
+/etc/systemd/resolved.conf: resolved.conf 
+	rm -f $@
+	cp $^ $@
+
+/etc/sysctl.d/10-router-configs.conf: sysctl-configs
+	rm -f $@
+	cp $^ $@
+
+/etc/systemd/network/10-lan0.link: lan0.link
+	rm -f $@
+	cp $^ $@
+
+/etc/systemd/network/10-wan0.link: wan0.link 
+	rm -f $@
+	cp $^ $@
+
+/etc/dhcpcd.conf: dhcpcd.conf 
+	rm -f $@
+	cp $^ $@
+
+/etc/hosts: ./etc-hosts 
+	rm -f $@ /tmp/etc-hosts
+	printf "%s\n" "# DO NOT EDIT DIRECTLY - See router config for details" >> /tmp/etc-hosts
+	cat $^ >> /tmp/etc-hosts
+	printf "\n\n%s\n" "# DO NOT EDIT DIRECTLY - See router config for details" >> /tmp/etc-hosts
+	cp /tmp/etc-hosts $@
+
+/etc/nftables.conf: nftables.conf
+	rm -f $@
+	cp $^ $@

nftables.conf

@@ -1,5 +1,6 @@
 define WAN = wan0
 define LAN = lan0
+define VPN = wg-vpn
 
 table inet filter {
 	chain input {
@@ -7,12 +8,15 @@ table inet filter {
 		iifname "lo" accept
 		ct state invalid drop
 		ct state { established, related } accept
+		icmpv6 type {echo-request,nd-neighbor-solicit,nd-neighbor-advert,nd-router-solicit,nd-router-advert,mld-listener-query,destination-unreachable,packet-too-big,time-exceeded,parameter-problem} accept
 		ip protocol icmpv6 accept
 		ip protocol icmp accept
 		meta l4proto ipv6-icmp accept
-		tcp dport { 22 } accept comment "allow ssh to router"
-		udp dport { 546, 53, 67 } accept comment "allow dhcpv6-client, dns, and dhcp"
-		udp dport { 60000-60009 } accept comment "allow mosh common ports"
+		tcp dport { 4022, 10578, 51821, 51820, 22, 53, 67, 2201, 2221, 8448, 8008, 25565, 26968, 26965, 34197, 27015, 27036 } accept
+		udp dport { 9876, 9877, 4020, 10578, 51821, 51820, 22, 53, 67, 2201, 2221, 25565, 26968, 26965, 34197 } accept
+		udp dport 27000-27100 accept
+		udp dport { 60000-60009 } accept
+		udp dport dhcpv6-client accept
 		drop
 	}
 
@@ -28,38 +32,10 @@ table inet filter {
 }
 
 table ip nat {
-	chain postrouting {
-		type nat hook postrouting priority 100; policy accept;
-		oifname $LAN masquerade
-	}
-
-	chain prerouting {
-		type nat hook prerouting priority -100; policy accept;
-
-		# ip daddr 10.0.0.1 tcp dport { 80, 443 } dnat to 10.0.0.25
-
-		# faceless
-		# allow HTTP, HTTPS, gitea's SSH, and host ssh to faceless
-		iifname $WAN tcp dport { 443, 80, 2222, 2200 } dnat to 10.0.0.25 
-		# allow mosh
-		iifname $WAN udp dport 60010-60019 dnat to 10.0.0.25
-
-		# allow host ssh
-		iifname $WAN tcp dport { 2221 } dnat to 10.0.0.10
-		# allow mosh
-		iifname $WAN udp dport 60020-60029 dnat to 10.0.0.10
-
-		# ourcraft
-		iifname $WAN tcp dport { 25565 } dnat to 10.0.0.244
-	}
-}
-
-# nat ipv4 for lan
-table ip io.systemd.nat {
 	set masq_saddr {
 		type ipv4_addr
 		flags interval
-		elements = { 10.0.0.0/24 }
+		elements = { 192.168.0.0/16 }
 	}
 
 	map map_port_ipport {
@@ -67,8 +43,37 @@ table ip io.systemd.nat {
 	}
 
 	chain prerouting {
+		iifname $LAN accept
 		type nat hook prerouting priority dstnat + 1; policy accept;
 		fib daddr type local dnat ip addr . port to meta l4proto . th dport map @map_port_ipport
+
+		# beefcake (ben access)
+		iifname $WAN tcp dport { 64022 } dnat to 192.168.0.9
+		iifname $WAN udp dport { 64020 } dnat to 192.168.0.9
+
+		# beefcake services
+		iifname $WAN tcp dport { 443, 80, 22 } dnat to 192.168.0.9
+
+		# mnemonic
+		iifname $WAN tcp dport { 8022 } dnat to 192.168.0.248
+
+		# ourcraft
+		iifname $WAN tcp dport { 2456, 2457, 25565, 34197 } dnat to 192.168.0.153
+		iifname $WAN udp dport { 2456, 2457, 25565, 34197 } dnat to 192.168.0.153
+
+		# jland and dawncraft
+		iifname $WAN tcp dport { 26968, 26965 } dnat to 192.168.0.9
+		iifname $WAN udp dport { 26968, 26965 } dnat to 192.168.0.9
+
+		# v rising
+		iifname $WAN tcp dport { 27015, 27036 } dnat to 192.168.0.9
+		iifname $WAN udp dport 9876-9877 dnat to 192.168.0.9
+		iifname $WAN udp dport { 9876, 9877 } dnat to 192.168.0.9
+		iifname $WAN udp dport 27000-27100 dnat to 192.168.0.9
+
+		# router
+		iifname $WAN tcp dport { 2201 } dnat to 192.168.0.1
+		iifname $WAN udp dport { 2201 } dnat to 192.168.0.1
 	}
 
 	chain output {
@@ -78,33 +83,22 @@ table ip io.systemd.nat {
 
 	chain postrouting {
 		type nat hook postrouting priority srcnat + 1; policy accept;
+		oifname $LAN masquerade
 		ip saddr @masq_saddr masquerade
 	}
 }
 
-# nat ipv6 for lan
-table ip6 io.systemd.nat {
-	set masq_saddr {
-		type ipv6_addr
-		flags interval
-	}
-
-	map map_port_ipport {
-		type inet_proto . inet_service : ipv6_addr . inet_service
-	}
-
-	chain prerouting {
-		type nat hook prerouting priority dstnat + 1; policy accept;
-		fib daddr type local dnat ip6 to meta l4proto . th dport map @map_port_ipport
-	}
-
-	chain output {
-		type nat hook output priority -99; policy accept;
-		ip6 daddr != ::1 oif "lo" dnat ip6 to meta l4proto . th dport map @map_port_ipport
-	}
-
-	chain postrouting {
-		type nat hook postrouting priority srcnat + 1; policy accept;
-		ip6 saddr @masq_saddr masquerade
-	}
-}
+# table ip filter {
+# 	chain output {
+# 		type filter hook output priority 100; policy accept;
+# 	}
+# 
+# 	chain input {
+# 		type filter hook input priority 0; policy accept;
+# 	}
+# 
+# 	chain forward {
+# 		type filter hook forward priority 0; policy accept;
+# 	}
+# }
+#

readme.md

@@ -1,18 +1,40 @@
 # Router
 
-Yeah yeah I need to document this better.
+My little dual-NIC Arch Linux router configuration and scripts.
 
 # Setup
 
-With a fresh Arch Linux system:
+```bash
+make setup
+# setup tailscale if you like
+reboot
+```
 
-- Install base packages as from dotfiles
-- Run `./link.fish` script
-- Enable and restart the following services:
-	- `systemd-resolved`
-	- `dnsmasq`
-	- `nftables`
-	- `systemd-networkd`
-	- `dhcpcd`
-- Run `mkinitcpio -p linux`
-- Reboot
+# Update Configuration Files
+
+Copies the various services' configuration files from this repo into place and
+restarts those services.
+
+```bash
+make
+```
+
+# System Updates
+
+Should be done regularly for security reasons.
+
+```bash
+make setup
+# configure tailscale as needed
+reboot
+```
+
+# Quick Firewall Tweak
+
+```bash
+./firewall-edit.bash
+```
+
+# TODO:
+
+- NixOS/declarative?

sysctl-configs

@@ -1,4 +1,3 @@
 net.ipv4.ip_forward=1
-
 net.ipv6.conf.all.forwarding=1
-net.ipv6.conf.wan0.accept_ra=2
+net.ipv6.conf.wan0.accept_ra=2