router: route
This commit is contained in:
parent
ffb670ac12
commit
c69b37f0fd
@ -16,6 +16,130 @@
|
||||
boot.loader.systemd-boot.enable = true;
|
||||
boot.loader.efi.canTouchEfiVariables = true;
|
||||
|
||||
boot.kernel.sysctl = {
|
||||
"net.ipv4.conf.all.forwarding" = true;
|
||||
};
|
||||
|
||||
## Networking
|
||||
networking = {
|
||||
firewall.enable = lib.mkForce false;
|
||||
nat.enable = lib.mkForce false;
|
||||
|
||||
useDHCP = false;
|
||||
interfaces = {
|
||||
enp1s0 = {
|
||||
name = "eth0";
|
||||
macAddress = "b4:fb:e4:b0:90:3c";
|
||||
useDHCP = true;
|
||||
};
|
||||
enp2s0 = {
|
||||
name = "eth1";
|
||||
ipv4.addresses = [
|
||||
{
|
||||
address = "10.64.50.1";
|
||||
prefixLength = 24;
|
||||
}
|
||||
];
|
||||
};
|
||||
enp3s0 = {
|
||||
name = "eth2";
|
||||
ipv4.addresses = [
|
||||
{
|
||||
address = "10.239.19.1";
|
||||
prefixLength = 24;
|
||||
}
|
||||
];
|
||||
};
|
||||
enp4s0 = { name = "eth3"; };
|
||||
enp5s0 = { name = "eth4"; };
|
||||
enp6s0 = { name = "eth5"; };
|
||||
};
|
||||
|
||||
nftables = {
|
||||
enable = true;
|
||||
ruleset = ''
|
||||
table inet filter {
|
||||
chain output {
|
||||
type filter hook output priority 100; policy accept;
|
||||
}
|
||||
|
||||
chain input {
|
||||
type filter hook input priority filter; policy drop;
|
||||
|
||||
# Allow trusted networks to access the router
|
||||
iifname {
|
||||
"eth1",
|
||||
"eth2",
|
||||
"tailscale0",
|
||||
} counter accept
|
||||
|
||||
ip protocol icmp counter accept comment "accept all ICMP types"
|
||||
|
||||
iifname "eth0" ct state { established, related } counter accept
|
||||
iifname "eth0" drop
|
||||
}
|
||||
|
||||
chain forward {
|
||||
type filter hook forward priority filter; policy drop;
|
||||
|
||||
iifname {
|
||||
"eth1",
|
||||
"eth2",
|
||||
} oifname {
|
||||
"eth0",
|
||||
} counter accept comment "Allow trusted LAN to WAN"
|
||||
|
||||
iifname {
|
||||
"eth0",
|
||||
} oifname {
|
||||
"eth1",
|
||||
"eth2",
|
||||
} ct state established,related counter accept comment "Allow established back to LANs"
|
||||
}
|
||||
}
|
||||
|
||||
table ip nat {
|
||||
chain prerouting {
|
||||
type nat hook output priority filter; policy accept;
|
||||
}
|
||||
|
||||
chain postrouting {
|
||||
type nat hook postrouting priority filter; policy accept;
|
||||
oifname "eth0" masquerade
|
||||
}
|
||||
}
|
||||
'';
|
||||
};
|
||||
};
|
||||
|
||||
services = {
|
||||
dhcpd4 = {
|
||||
enable = true;
|
||||
interfaces = [ "eth1" "eth2" ];
|
||||
extraConfig = ''
|
||||
subnet 10.64.50.0 netmask 255.255.255.0 {
|
||||
interface eth1;
|
||||
|
||||
option broadcast-address 10.64.50.255;
|
||||
option routers 10.64.50.1;
|
||||
range 10.64.50.64 10.64.50.254;
|
||||
|
||||
option domain-name-servers 1.1.1.1, 8.8.8.8;
|
||||
}
|
||||
|
||||
subnet 10.239.19.0 netmask 255.255.255.0 {
|
||||
interface eth2;
|
||||
|
||||
option broadcast-address 10.239.19.255;
|
||||
option routers 10.239.19.1;
|
||||
range 10.239.19.64 10.239.19.254;
|
||||
|
||||
option domain-name-servers 1.1.1.1, 8.8.8.8;
|
||||
}
|
||||
'';
|
||||
};
|
||||
};
|
||||
|
||||
## Tailscale
|
||||
age.secrets."tailscale/router.home.ts.hillion.co.uk".file = ../../secrets/tailscale/router.home.ts.hillion.co.uk.age;
|
||||
custom.tailscale = {
|
||||
@ -26,5 +150,8 @@
|
||||
## Enable btrfs compression
|
||||
fileSystems."/data".options = [ "compress=zstd" ];
|
||||
fileSystems."/nix".options = [ "compress=zstd" ];
|
||||
|
||||
## Run a persistent iperf3 server
|
||||
services.iperf3.enable = true;
|
||||
};
|
||||
}
|
||||
|
||||
Loading…
Reference in New Issue
Block a user