shinobu: Move physically

2023-09-08 12:28:31 +02:00 · 2023-09-08 12:28:31 +02:00 · f88669f202
parent 0bcc5d6141
commit f88669f202
1 changed files with 23 additions and 7 deletions
--- a/machines/shinobu/services/router.nix
+++ b/machines/shinobu/services/router.nix
@ -11,7 +11,9 @@
 #
 # It consists of shinobu as a router (this configuration),
 # connected to a TP-LINK TL-SG105E “smart managed” (i.e., it can do VLANs) 5-port switch.
-# The upstream comes from some plasic Huawei router/AP I don’t control.
+# The upstream comes (for now) from a PŸUR “WLAN-Kabelbox” (Compal CH7467CE).
+# Sadly, I could not enable bridge mode on it, so the packets now go through (at least) four layers of NAT:
+# device → NAT on shinobu (→ NAT on plastic router → PŸUR CGNAT) → NAT on VPN
 #
 # Because the switch only supports GbE,
 # the two clients I currently have with support for 2.5GbE are connected
@ -60,6 +62,7 @@ in
        define VUEKO_V4 = 168.119.176.53
        define VUEKO_V6 = 2a01:4f8:c012:2f4::
        define VUEKO_PORT = 51820
+        define PLASTIC_ROUTER_V4 = 192.168.0.1

        table inet filter {
          chain forward {
@ -74,6 +77,10 @@ in
            iifname $NAT_LAN_IFACES oifname $NAT_WAN_IFACES counter accept;
            iifname $NAT_WAN_IFACES oifname $NAT_LAN_IFACES ct state established,related counter accept;

+            # plastic router
+            iifname $NAT_LAN_IFACES oifname $PHYSICAL_WAN ip daddr $PLASTIC_ROUTER_V4 counter accept;
+            iifname $PHYSICAL_WAN oifname $NAT_LAN_IFACES ip saddr $PLASTIC_ROUTER_V4 ct state established,related counter accept;
+
            iifname $NAT_LAN_IFACES oifname $PHYSICAL_WAN ip daddr $VUEKO_V4 udp dport $VUEKO_PORT counter accept;
            iifname $PHYSICAL_WAN oifname $NAT_LAN_IFACES ip saddr $VUEKO_V4 udp sport $VUEKO_PORT ct state established,related counter accept;
            iifname $NAT_LAN_IFACES oifname $PHYSICAL_WAN ip6 daddr $VUEKO_V6 udp dport $VUEKO_PORT counter accept;
@ -139,16 +146,18 @@ in
    networks = {
      wan = {
        name = "enp1s0";
-        networkConfig = {
-          # Upstream provides no IPv6 :(
-          # If this is not set, it waits and fails systemd-networkd-wait-online
-          LinkLocalAddressing = "no";
-          IPv6AcceptRA = "no";
-        };
        DHCP = "ipv4";
+        networkConfig = {
+          IPv6AcceptRA = "yes";
+        };
        dhcpV4Config = {
          UseDNS = "no";
        };
+        ipv6AcceptRAConfig = {
+          # Only use RA
+          DHCPv6Client = false;
+          UseDNS = "no";
+        };
      };
      lan1 = {
        name = "enp2s0";
@ -203,6 +212,13 @@ in
              Priority = 9;
            };
          }
+          # plastic router
+          {
+            routingPolicyRuleConfig = {
+              To = "192.168.0.0/24";
+              Priority = 9;
+            };
+          }
        ];
        routes = [
          {