From f88669f202ca72ab5c4eb54bf66c3b467d86d9c6 Mon Sep 17 00:00:00 2001
From: Simon Bruder
Date: Fri, 8 Sep 2023 12:28:31 +0200
Subject: [PATCH] shinobu: Move physically

---
 machines/shinobu/services/router.nix | 30 +++++++++++++++++++++-------
 1 file changed, 23 insertions(+), 7 deletions(-)

diff --git a/machines/shinobu/services/router.nix b/machines/shinobu/services/router.nix
index 01dfcd7..12bea05 100644
--- a/machines/shinobu/services/router.nix
+++ b/machines/shinobu/services/router.nix
@@ -11,7 +11,9 @@
 #
 # It consists of shinobu as a router (this configuration),
 # connected to a TP-LINK TL-SG105E “smart managed” (i.e., it can do VLANs) 5-port switch.
-# The upstream comes from some plasic Huawei router/AP I don’t control.
+# The upstream comes (for now) from a PŸUR “WLAN-Kabelbox” (Compal CH7467CE).
+# Sadly, I could not enable bridge mode on it, so the packets now go through (at least) four layers of NAT:
+# device → NAT on shinobu (→ NAT on plastic router → PŸUR CGNAT) → NAT on VPN
 #
 # Because the switch only supports GbE,
 # the two clients I currently have with support for 2.5GbE are connected
@@ -60,6 +62,7 @@ in
 define VUEKO_V4 = 168.119.176.53
 define VUEKO_V6 = 2a01:4f8:c012:2f4::
 define VUEKO_PORT = 51820
+ define PLASTIC_ROUTER_V4 = 192.168.0.1
 
 table inet filter {
 chain forward {
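Review bot: The new `define PLASTIC_ROUTER_V4 = 192.168.0.1` has no comment, while the network it belongs to reappears as the literal `192.168.0.0/24` in the routing policy rule added further down (hunk @@ -203), so the two values can drift apart unnoticed. A one-line comment would tie them together, e.g. `# LAN address of the upstream PŸUR Kabelbox (“plastic router”); keep in sync with the 192.168.0.0/24 routing policy rule`. The nftables ruleset this define belongs to starts before the hunk.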
@@ -74,6 +77,10 @@ in
 iifname $NAT_LAN_IFACES oifname $NAT_WAN_IFACES counter accept;
 iifname $NAT_WAN_IFACES oifname $NAT_LAN_IFACES ct state established,related counter accept;
 
+ # plastic router
+ iifname $NAT_LAN_IFACES oifname $PHYSICAL_WAN ip daddr $PLASTIC_ROUTER_V4 counter accept;
+ iifname $PHYSICAL_WAN oifname $NAT_LAN_IFACES ip saddr $PLASTIC_ROUTER_V4 ct state established,related counter accept;
+
 iifname $NAT_LAN_IFACES oifname $PHYSICAL_WAN ip daddr $VUEKO_V4 udp dport $VUEKO_PORT counter accept;
 iifname $PHYSICAL_WAN oifname $NAT_LAN_IFACES ip saddr $VUEKO_V4 udp sport $VUEKO_PORT ct state established,related counter accept;
 iifname $NAT_LAN_IFACES oifname $PHYSICAL_WAN ip6 daddr $VUEKO_V6 udp dport $VUEKO_PORT counter accept;
@@ -139,16 +146,18 @@ in
 networks = {
 wan = {
 name = "enp1s0";
- networkConfig = {
- # Upstream provides no IPv6 :(
- # If this is not set, it waits and fails systemd-networkd-wait-online
- LinkLocalAddressing = "no";
- IPv6AcceptRA = "no";
- };
 DHCP = "ipv4";
+ networkConfig = {
+ IPv6AcceptRA = "yes";
+ };
 dhcpV4Config = {
 UseDNS = "no";
 };
+ ipv6AcceptRAConfig = {
+ # Only use RA
+ DHCPv6Client = false;
+ UseDNS = "no";
+ };
 };
 lan1 = {
 name = "enp2s0";
@@ -203,6 +212,13 @@ in
 Priority = 9;
 };
 }
+ # plastic router
+ {
+ routingPolicyRuleConfig = {
+ To = "192.168.0.0/24";
+ Priority = 9;
+ };
+ }
 ];
 routes = [
 {
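Review bot: The new rule `iifname $NAT_LAN_IFACES oifname $PHYSICAL_WAN ip daddr $PLASTIC_ROUTER_V4 counter accept;` lets every LAN client reach the upstream CPE on any protocol and port, which is wider than the management access the `# plastic router` comment suggests and wider than the VUEKO rules right below it, which are pinned to a single UDP port. Narrowing it to the ports the CPE's interface actually uses, e.g. `... ip daddr $PLASTIC_ROUTER_V4 tcp dport { 80, 443 } counter accept;` (the port set is a constructed example — adjust to what the Kabelbox exposes), keeps the exception to the VPN-only path as small as the others; if ordinary clients never need the CPE, limiting the source to an admin host or VLAN would narrow it further. The forward chain starts and ends outside the hunk.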
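Review bot: The replacement comment `# Only use RA` in the new `ipv6AcceptRAConfig` drops the context the removed lines carried — that IPv6 on this link had been disabled because the upstream offered none and systemd-networkd-wait-online would otherwise stall — and says nothing about what happens if the RA disappears again. A comment along the lines of `# The Kabelbox now sends RAs; DHCPv6 is deliberately off and RA-supplied DNS is ignored, like the DHCPv4 DNS above. If the upstream stops sending RAs, wait-online may stall on this link again (see git history)` would preserve that reasoning. Accepting RAs on the physical WAN also means the upstream device now installs a prefix and default route on this link, which is the point of the change, but it is worth confirming that the `$PHYSICAL_WAN` input and forward rules elsewhere in the ruleset treat the resulting global IPv6 address as strictly as the IPv4 side (the input chain is not visible here). The enclosing `networks` attribute set continues outside the hunk.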
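Review bot: The new routing policy rule selects `To = "192.168.0.0/24"`, the whole upstream LAN, while the nftables rule added for the same purpose (hunk @@ -74) only accepts traffic to the single address `$PLASTIC_ROUTER_V4`, so the two disagree on the intended scope. If only the CPE itself needs to be reachable, `To = "192.168.0.1/32";` keeps the VPN bypass as small as the firewall exception; if other hosts behind the Kabelbox are meant to be reachable, the nftables define is the one to widen. The rule also sets no `Table`, so it presumably resolves via the main table; a short comment such as `# keep the upstream LAN out of the VPN routing so the CPE stays reachable` would make that intent explicit, since the neighbouring rules' tables are not visible here. The enclosing list starts before the hunk.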