diff --git a/hosts/router.home.ts.hillion.co.uk/default.nix b/hosts/router.home.ts.hillion.co.uk/default.nix
index 5479e3d..d5ec6f9 100644
--- a/hosts/router.home.ts.hillion.co.uk/default.nix
+++ b/hosts/router.home.ts.hillion.co.uk/default.nix
@@ -32,6 +32,14 @@
 
       nat.enable = lib.mkForce false;
       useDHCP = false;
+
+      vlans = {
+        cameras = {
+          id = 3;
+          interface = "eth1";
+        };
+      };
+
       interfaces = {
         enp1s0 = {
           name = "eth0";
@@ -47,6 +55,14 @@
             }
           ];
         };
+        cameras /* cameras@eth1 */ = {
+          ipv4.addresses = [
+            {
+              address = "10.133.145.1";
+              prefixLength = 24;
+            }
+          ];
+        };
         enp3s0 = {
           name = "eth2";
           ipv4.addresses = [
@@ -67,6 +83,9 @@
         table inet filter {
           chain output {
             type filter hook output priority 100; policy accept;
+
+            iifname "cameras@eth1" ct state established,related counter accept comment "Allow established connections to cameras"
+            iifname "cameras@eth1" counter drop
           }
 
           chain input {
@@ -82,8 +101,8 @@
 
             ip protocol icmp counter accept comment "accept all ICMP types"
 
-            iifname "eth0" ct state { established, related } counter accept
-            iifname "eth0" drop
+            iifname { "eth0", "cameras@eth1" } ct state { established, related } counter accept
+            iifname { "eth0", "cameras@eth1" } drop
           }
 
           chain forward {
@@ -243,6 +262,29 @@
             }
           ];
         }
+        {
+          subnet = "10.133.145.0/24";
+          interface = "cameras@eth1";
+          pools = [{
+            pool = "10.133.145.64 - 10.133.145.254";
+          }];
+          option-data = [
+            {
+              name = "routers";
+              data = "10.133.145.1";
+            }
+            {
+              name = "broadcast-address";
+              data = "10.133.145.255";
+            }
+            {
+              name = "domain-name-servers";
+              data = "1.1.1.1, 8.8.8.8";
+            }
+          ];
+          reservations = [
+          ];
+        }
       ];
     };
   };
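Review bot: The two rules added to `chain output` match on `iifname`, but an output-hook chain sees locally generated packets, which have no ingress interface, so neither rule can ever match and the router is not actually prevented from initiating connections into the camera VLAN as the comment "Allow established connections to cameras" implies. If the intent is to let the router only answer the cameras, the match has to be on the egress interface, e.g. `oifname "cameras" ct state established,related counter accept comment "Allow established connections to cameras"` followed by `oifname "cameras" counter drop`. Note also that the link `networking.vlans.cameras` creates is most likely named plain `cameras` — the `@eth1` suffix is how `ip link` displays the parent, not part of the name — so `"cameras@eth1"` would not match even with the right direction; confirm with `ip -o link` and `nft list ruleset` after deploying.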
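Review bot: The name `"cameras@eth1"` in the new `iifname { "eth0", "cameras@eth1" } drop` rule is likely not the kernel link name (the VLAN link declared as `networking.vlans.cameras` is presumably created as `cameras`; `@eth1` is display output from `ip link`), in which case the drop rule silently never applies to the camera VLAN. The policy of `chain input` is not visible in this hunk; if it is `accept`, the cameras would then have unrestricted access to every service the router listens on, which is the opposite of what a dedicated camera VLAN is usually for. Suggested change: `iifname { "eth0", "cameras" } ct state { established, related } counter accept` and `iifname { "eth0", "cameras" } counter drop` (adding `counter` to the drop also keeps it consistent with the accept line and makes a mis-named interface visible as a zero counter). The enclosing `chain input` block starts before this hunk.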
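Review bot: The Kea subnet entry sets `interface = "cameras@eth1";`, and Kea matches this against the real interface names it enumerates; if the VLAN link is actually named `cameras` (as NixOS's `networking.vlans.<name>` normally produces), Kea will refuse to bind this subnet and the camera VLAN gets no DHCP at all, so this should probably be `interface = "cameras";` and verified with `kea-dhcp4 -t` or the service log. The subnet also hands the cameras public resolvers (`1.1.1.1, 8.8.8.8`), which presumes the `forward` chain (outside this hunk) lets the camera VLAN reach the Internet; if the goal is an isolated camera segment, consider pointing `domain-name-servers` at the router (`10.133.145.1`) or omitting the option, and checking that `chain forward` restricts camera-to-LAN/WAN traffic. A short comment on the block such as `# Isolated camera VLAN (id 3 on eth1); no static reservations yet` would make the empty `reservations = [ ];` read as intentional.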