simon/nixos-config
simon/nixos-config
1
1
Fork 0
Code Issues 8 Pull requests Actions Projects Activity

shinobu: Move physically

Browse source
This commit is contained in:
Simon Bruder 2023-09-08 12:28:31 +02:00
parent 0bcc5d6141
commit f88669f202
Signed by: simon
GPG key ID: 8D3C82F9F309F8EC
1 changed files with 23 additions and 7 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

30
machines/shinobu/services/router.nix
View file

@ -11,7 +11,9 @@
# #
# It consists of shinobu as a router (this configuration), # It consists of shinobu as a router (this configuration),
# connected to a TP-LINK TL-SG105E “smart managed” (i.e., it can do VLANs) 5-port switch. # connected to a TP-LINK TL-SG105E “smart managed” (i.e., it can do VLANs) 5-port switch.
# The upstream comes from some plasic Huawei router/AP I dont control. # The upstream comes (for now) from a PŸUR “WLAN-Kabelbox” (Compal CH7467CE).
# Sadly, I could not enable bridge mode on it, so the packets now go through (at least) four layers of NAT:
# device → NAT on shinobu (→ NAT on plastic router → PŸUR CGNAT) → NAT on VPN
# #
# Because the switch only supports GbE, # Because the switch only supports GbE,
# the two clients I currently have with support for 2.5GbE are connected # the two clients I currently have with support for 2.5GbE are connected
@ -60,6 +62,7 @@ in
define VUEKO_V4 = 168.119.176.53 define VUEKO_V4 = 168.119.176.53
define VUEKO_V6 = 2a01:4f8:c012:2f4:: define VUEKO_V6 = 2a01:4f8:c012:2f4::
define VUEKO_PORT = 51820 define VUEKO_PORT = 51820
define PLASTIC_ROUTER_V4 = 192.168.0.1
table inet filter { table inet filter {
chain forward { chain forward {
@ -74,6 +77,10 @@ in
iifname $NAT_LAN_IFACES oifname $NAT_WAN_IFACES counter accept; iifname $NAT_LAN_IFACES oifname $NAT_WAN_IFACES counter accept;
iifname $NAT_WAN_IFACES oifname $NAT_LAN_IFACES ct state established,related counter accept; iifname $NAT_WAN_IFACES oifname $NAT_LAN_IFACES ct state established,related counter accept;
# plastic router
iifname $NAT_LAN_IFACES oifname $PHYSICAL_WAN ip daddr $PLASTIC_ROUTER_V4 counter accept;
iifname $PHYSICAL_WAN oifname $NAT_LAN_IFACES ip saddr $PLASTIC_ROUTER_V4 ct state established,related counter accept;
iifname $NAT_LAN_IFACES oifname $PHYSICAL_WAN ip daddr $VUEKO_V4 udp dport $VUEKO_PORT counter accept; iifname $NAT_LAN_IFACES oifname $PHYSICAL_WAN ip daddr $VUEKO_V4 udp dport $VUEKO_PORT counter accept;
iifname $PHYSICAL_WAN oifname $NAT_LAN_IFACES ip saddr $VUEKO_V4 udp sport $VUEKO_PORT ct state established,related counter accept; iifname $PHYSICAL_WAN oifname $NAT_LAN_IFACES ip saddr $VUEKO_V4 udp sport $VUEKO_PORT ct state established,related counter accept;
iifname $NAT_LAN_IFACES oifname $PHYSICAL_WAN ip6 daddr $VUEKO_V6 udp dport $VUEKO_PORT counter accept; iifname $NAT_LAN_IFACES oifname $PHYSICAL_WAN ip6 daddr $VUEKO_V6 udp dport $VUEKO_PORT counter accept;
@ -139,16 +146,18 @@ in
networks = { networks = {
wan = { wan = {
name = "enp1s0"; name = "enp1s0";
networkConfig = {
# Upstream provides no IPv6 :(
# If this is not set, it waits and fails systemd-networkd-wait-online
LinkLocalAddressing = "no";
IPv6AcceptRA = "no";
};
DHCP = "ipv4"; DHCP = "ipv4";
networkConfig = {
IPv6AcceptRA = "yes";
};
dhcpV4Config = { dhcpV4Config = {
UseDNS = "no"; UseDNS = "no";
}; };
ipv6AcceptRAConfig = {
# Only use RA
DHCPv6Client = false;
UseDNS = "no";
};
}; };
lan1 = { lan1 = {
name = "enp2s0"; name = "enp2s0";
@ -203,6 +212,13 @@ in
Priority = 9; Priority = 9;
}; };
} }
# plastic router
{
routingPolicyRuleConfig = {
To = "192.168.0.0/24";
Priority = 9;
};
}
]; ];
routes = [ routes = [
{ {