diff --git a/hosts/router.home.ts.hillion.co.uk/default.nix b/hosts/router.home.ts.hillion.co.uk/default.nix index 20ec45d..dc95fc0 100644 --- a/hosts/router.home.ts.hillion.co.uk/default.nix +++ b/hosts/router.home.ts.hillion.co.uk/default.nix @@ -16,6 +16,130 @@ boot.loader.systemd-boot.enable = true; boot.loader.efi.canTouchEfiVariables = true; + boot.kernel.sysctl = { + "net.ipv4.conf.all.forwarding" = true; + }; + + ## Networking + networking = { + firewall.enable = lib.mkForce false; + nat.enable = lib.mkForce false; + + useDHCP = false; + interfaces = { + enp1s0 = { + name = "eth0"; + macAddress = "b4:fb:e4:b0:90:3c"; + useDHCP = true; + }; + enp2s0 = { + name = "eth1"; + ipv4.addresses = [ + { + address = "10.64.50.1"; + prefixLength = 24; + } + ]; + }; + enp3s0 = { + name = "eth2"; + ipv4.addresses = [ + { + address = "10.239.19.1"; + prefixLength = 24; + } + ]; + }; + enp4s0 = { name = "eth3"; }; + enp5s0 = { name = "eth4"; }; + enp6s0 = { name = "eth5"; }; + }; + + nftables = { + enable = true; + ruleset = '' + table inet filter { + chain output { + type filter hook output priority 100; policy accept; + } + + chain input { + type filter hook input priority filter; policy drop; + + # Allow trusted networks to access the router + iifname { + "eth1", + "eth2", + "tailscale0", + } counter accept + + ip protocol icmp counter accept comment "accept all ICMP types" + + iifname "eth0" ct state { established, related } counter accept + iifname "eth0" drop + } + + chain forward { + type filter hook forward priority filter; policy drop; + + iifname { + "eth1", + "eth2", + } oifname { + "eth0", + } counter accept comment "Allow trusted LAN to WAN" + + iifname { + "eth0", + } oifname { + "eth1", + "eth2", + } ct state established,related counter accept comment "Allow established back to LANs" + } + } + + table ip nat { + chain prerouting { + type nat hook output priority filter; policy accept; + } + + chain postrouting { + type nat hook postrouting priority filter; policy accept; + oifname "eth0" masquerade + } + } + ''; + }; + }; + + services = { + dhcpd4 = { + enable = true; + interfaces = [ "eth1" "eth2" ]; + extraConfig = '' + subnet 10.64.50.0 netmask 255.255.255.0 { + interface eth1; + + option broadcast-address 10.64.50.255; + option routers 10.64.50.1; + range 10.64.50.64 10.64.50.254; + + option domain-name-servers 1.1.1.1, 8.8.8.8; + } + + subnet 10.239.19.0 netmask 255.255.255.0 { + interface eth2; + + option broadcast-address 10.239.19.255; + option routers 10.239.19.1; + range 10.239.19.64 10.239.19.254; + + option domain-name-servers 1.1.1.1, 8.8.8.8; + } + ''; + }; + }; + ## Tailscale age.secrets."tailscale/router.home.ts.hillion.co.uk".file = ../../secrets/tailscale/router.home.ts.hillion.co.uk.age; custom.tailscale = { @@ -26,5 +150,8 @@ ## Enable btrfs compression fileSystems."/data".options = [ "compress=zstd" ]; fileSystems."/nix".options = [ "compress=zstd" ]; + + ## Run a persistent iperf3 server + services.iperf3.enable = true; }; }