CaZzzer/nix-conf
1
1
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

WIP: router: I swear the ipv6 routes work now

Browse Source
This commit is contained in:
Yuri Tatishchev 2025-03-18 01:21:38 -07:00
parent 51c03e46e5
commit c70fae9bd6
Signed by: CaZzzer
GPG Key ID: E0EBF441EA424369
2 changed files with 11 additions and 16 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

14
hosts/router/firewall.nix
View File

@ -20,7 +20,11 @@ in
${ifs.lan40.name}, ${ifs.lan40.name},
${ifs.lan50.name}, ${ifs.lan50.name},
} }
define OPNSENSE_P6 = ${pdFromWan}d::/64 define OPNSENSE_NET6 = ${pdFromWan}d::/64
define ZONE_LAN_EXTRA_NET6 = {
${ifs.lan20.net6}, # needed since packets can come in from wan on these addrs
$OPNSENSE_NET6,
}
define RFC1918 = { 10.0.0.0/8, 172.12.0.0/12, 192.168.0.0/16 } define RFC1918 = { 10.0.0.0/8, 172.12.0.0/12, 192.168.0.0/16 }
define ALLOWED_TCP_PORTS = { ssh, https } define ALLOWED_TCP_PORTS = { ssh, https }
@ -46,7 +50,9 @@ in
# Drop router adverts from self # Drop router adverts from self
# peculiarity due to wan and lan20 being bridged # peculiarity due to wan and lan20 being bridged
# TODO: figure out a less jank way to do this # TODO: figure out a less jank way to do this
iifname $ZONE_WAN_IFS ip6 saddr ${links.lanLL} icmpv6 type nd-router-advert log prefix "self icmpv6: " drop iifname $ZONE_WAN_IFS ip6 saddr ${links.lanLL} icmpv6 type nd-router-advert log prefix "self radvt: " drop
# iifname $ZONE_WAN_IFS ip6 saddr ${links.lanLL} ip6 nexthdr icmpv6 log prefix "self icmpv6: " drop
# iifname $ZONE_WAN_IFS ip6 saddr ${links.lanLL} log prefix "self llv6: " drop
# iifname $ZONE_WAN_IFS ip6 saddr ${links.lanLL} log drop # iifname $ZONE_WAN_IFS ip6 saddr ${links.lanLL} log drop
# iifname $ZONE_LAN_IFS ip6 saddr ${links.wanLL} log drop # iifname $ZONE_LAN_IFS ip6 saddr ${links.wanLL} log drop
@ -74,7 +80,7 @@ in
# LAN zone input rules # LAN zone input rules
iifname $ZONE_LAN_IFS accept iifname $ZONE_LAN_IFS accept
iifname $ZONE_LAN_IFS jump zone_lan_input iifname $ZONE_LAN_IFS jump zone_lan_input
ip6 saddr $OPNSENSE_P6 jump zone_lan_input ip6 saddr $ZONE_LAN_EXTRA_NET6 jump zone_lan_input
# log # log
} }
@ -89,7 +95,7 @@ in
iifname $ZONE_WAN_IFS jump zone_wan_forward iifname $ZONE_WAN_IFS jump zone_wan_forward
# LAN zone forward rules # LAN zone forward rules
iifname $ZONE_LAN_IFS jump zone_lan_forward iifname $ZONE_LAN_IFS jump zone_lan_forward
ip6 saddr $OPNSENSE_P6 jump zone_lan_forward ip6 saddr $ZONE_LAN_EXTRA_NET6 jump zone_lan_forward
} }
chain zone_wan_input { chain zone_wan_input {

13
hosts/router/ifconfig.nix
View File

@ -59,13 +59,6 @@ in
interface ${ifs.wan.name} interface ${ifs.wan.name}
ipv6only ipv6only
# IPv4 (Static)
# nodhcp
# noipv4ll
# static ip_address=${ifs.wan.addr4Sized}
# static routers=${ifs.wan.gw4}
# IPv6
duid duid
ipv6rs ipv6rs
dhcp6 dhcp6
@ -128,11 +121,6 @@ in
networks = { networks = {
"10-wan" = { "10-wan" = {
matchConfig.Name = ifs.wan.name; matchConfig.Name = ifs.wan.name;
# linkConfig = {
# Unmanaged = true;
# RequiredForOnline = "routable";
# };
# make routing on this interface a dependency for network-online.target # make routing on this interface a dependency for network-online.target
linkConfig.RequiredForOnline = "routable"; linkConfig.RequiredForOnline = "routable";
networkConfig = { networkConfig = {
@ -142,6 +130,7 @@ in
# let dhcpcd handle this # let dhcpcd handle this
Address = [ ifs.wan.addr4Sized ]; Address = [ ifs.wan.addr4Sized ];
IPv6AcceptRA = false; IPv6AcceptRA = false;
KeepConfiguration = true;
}; };
routes = [ routes = [
{ Gateway = ifs.wan.gw4; } { Gateway = ifs.wan.gw4; }