From c70fae9bd6c7d80035878cd5aa95d4871fedf594 Mon Sep 17 00:00:00 2001
From: Yuri Tatishchev
Date: Tue, 18 Mar 2025 01:21:38 -0700
Subject: [PATCH] WIP: router: I swear the ipv6 routes work now
---
 hosts/router/firewall.nix | 14 ++++++++++----
 hosts/router/ifconfig.nix | 13 +------------
 2 files changed, 11 insertions(+), 16 deletions(-)
diff --git a/hosts/router/firewall.nix b/hosts/router/firewall.nix
index ffb306e..9dcbf90 100644
--- a/hosts/router/firewall.nix
+++ b/hosts/router/firewall.nix
@@ -20,7 +20,11 @@ in
 ${ifs.lan40.name},
 ${ifs.lan50.name},
 }
- define OPNSENSE_P6 = ${pdFromWan}d::/64
+ define OPNSENSE_NET6 = ${pdFromWan}d::/64
+ define ZONE_LAN_EXTRA_NET6 = {
+ ${ifs.lan20.net6}, # needed since packets can come in from wan on these addrs
+ $OPNSENSE_NET6,
+ }
 define RFC1918 = { 10.0.0.0/8, 172.12.0.0/12, 192.168.0.0/16 }
 define ALLOWED_TCP_PORTS = { ssh, https }
@@ -46,7 +50,9 @@ in
 # Drop router adverts from self
 # peculiarity due to wan and lan20 being bridged
 # TODO: figure out a less jank way to do this
- iifname $ZONE_WAN_IFS ip6 saddr ${links.lanLL} icmpv6 type nd-router-advert log prefix "self icmpv6: " drop
+ iifname $ZONE_WAN_IFS ip6 saddr ${links.lanLL} icmpv6 type nd-router-advert log prefix "self radvt: " drop
+ # iifname $ZONE_WAN_IFS ip6 saddr ${links.lanLL} ip6 nexthdr icmpv6 log prefix "self icmpv6: " drop
+ # iifname $ZONE_WAN_IFS ip6 saddr ${links.lanLL} log prefix "self llv6: " drop
 # iifname $ZONE_WAN_IFS ip6 saddr ${links.lanLL} log drop
 # iifname $ZONE_LAN_IFS ip6 saddr ${links.wanLL} log drop
@@ -74,7 +80,7 @@ in
 # LAN zone input rules
 iifname $ZONE_LAN_IFS accept
 iifname $ZONE_LAN_IFS jump zone_lan_input
- ip6 saddr $OPNSENSE_P6 jump zone_lan_input
+ ip6 saddr $ZONE_LAN_EXTRA_NET6 jump zone_lan_input
 # log
 }
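Review bot: `ZONE_LAN_EXTRA_NET6` is consumed on `ip6 saddr` alone, so in the `@@ -74` and `@@ -89` hunks any packet arriving on a WAN interface whose source is forged into `${ifs.lan20.net6}` or `$OPNSENSE_NET6` is handed to zone_lan_input / zone_lan_forward as if it came from the LAN; the new comment says why the prefixes must be admitted from wan, but nothing limits that admission to the bridged peer. If the upstream device is the only legitimate origin, narrowing those two rules with the interface they are expected on and, where the peer is a fixed host, its `ether saddr` would keep the bridge workaround without a source-address-only trust path; either way the comment should state the assumption, e.g. `# trusted only because <upstream-device> filters these prefixes — confirm`. Separately, the unchanged `define RFC1918` line in this hunk reads `172.12.0.0/12`, which is `172.0.0.0/12` (public space) rather than the RFC 1918 block `172.16.0.0/12`, so whichever rule uses `$RFC1918` is either matching public addresses or missing private ones.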
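Review bot: The two added `# iifname ... log prefix "self icmpv6: "` and `"self llv6: "` lines are commented-out variants of the rule above them with no record of why they were rejected, which leaves a reader guessing whether the nd-router-advert-only drop is the intended end state or a debugging snapshot; either delete them or fold what was learned into the existing TODO as one sentence. The surviving rule logs every self-originated RA it drops, and RAs recur on a timer, so if this turns out noisy a `limit rate` clause on the rule (or dropping `log` once the bridge peculiarity is understood) keeps the log useful. The enclosing chain's header is outside the hunk.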
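Review bot: In this hunk `iifname $ZONE_LAN_IFS accept` directly precedes `iifname $ZONE_LAN_IFS jump zone_lan_input`, so the jump never matches: `accept` is a terminal verdict in this chain, meaning LAN-interface traffic bypasses zone_lan_input entirely while the new `ip6 saddr $ZONE_LAN_EXTRA_NET6 jump zone_lan_input` line still sends the extra prefixes through it, which is presumably not the intended asymmetry. If the blanket accept is a WIP toggle it deserves saying so, e.g. `# TEMP: bypasses zone_lan_input — remove before merging`; otherwise the jump line is dead and should go. The enclosing chain's header is outside the hunk.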
@@ -89,7 +95,7 @@ in
 iifname $ZONE_WAN_IFS jump zone_wan_forward
 # LAN zone forward rules
 iifname $ZONE_LAN_IFS jump zone_lan_forward
- ip6 saddr $OPNSENSE_P6 jump zone_lan_forward
+ ip6 saddr $ZONE_LAN_EXTRA_NET6 jump zone_lan_forward
 }
 chain zone_wan_input {
diff --git a/hosts/router/ifconfig.nix b/hosts/router/ifconfig.nix
index d9752c5..132b47e 100644
--- a/hosts/router/ifconfig.nix
+++ b/hosts/router/ifconfig.nix
@@ -59,13 +59,6 @@ in
 interface ${ifs.wan.name}
 ipv6only
- # IPv4 (Static)
- # nodhcp
- # noipv4ll
- # static ip_address=${ifs.wan.addr4Sized}
- # static routers=${ifs.wan.gw4}
-
- # IPv6
 duid
 ipv6rs
 dhcp6
@@ -128,11 +121,6 @@ in
 networks = {
 "10-wan" = {
 matchConfig.Name = ifs.wan.name;
-
-# linkConfig = {
-# Unmanaged = true;
-# RequiredForOnline = "routable";
-# };
 # make routing on this interface a dependency for network-online.target
 linkConfig.RequiredForOnline = "routable";
 networkConfig = {
@@ -142,6 +130,7 @@ in
 # let dhcpcd handle this
 Address = [ ifs.wan.addr4Sized ];
 IPv6AcceptRA = false;
+ KeepConfiguration = true;
 };
 routes = [
 { Gateway = ifs.wan.gw4; }
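Review bot: `KeepConfiguration = true;` is added without a comment, while the commit title suggests it is the actual fix for the IPv6 routes; the neighbouring `# let dhcpcd handle this` line explains IPv6AcceptRA but not this setting. As I read systemd-networkd's option, `true` stops networkd from dropping addresses and routes already present on the link when it (re)configures it, which presumably is what keeps dhcpcd's IPv6 routes alive — confirm. A comment such as `# don't drop dhcpcd-installed v6 addresses/routes when networkd reconfigures this link` would tie the setting to the dhcpcd hand-off stated above it.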