WIP: router: add remaining VLANs, temporary network configs
Retiring OPNsense will take a while; in the meantime this router has to work alongside it.
This commit is contained in:
parent
17e6b33bde
commit
d5d34f48b4
@ -31,7 +31,7 @@ let
|
|||||||
ulaAddrSized = "${ulaAddr}/${toString ulaSize}";
|
ulaAddrSized = "${ulaAddr}/${toString ulaSize}";
|
||||||
};
|
};
|
||||||
|
|
||||||
p4 = "10.19"; # .0.0/16
|
p4 = "10.17"; # .0.0/16
|
||||||
pdFromWan = ""; # ::/60
|
pdFromWan = ""; # ::/60
|
||||||
ulaPrefix = "fdab:07d3:581d"; # ::/48
|
ulaPrefix = "fdab:07d3:581d"; # ::/48
|
||||||
ifs = rec {
|
ifs = rec {
|
||||||
@ -62,10 +62,24 @@ let
|
|||||||
p6_ = "${pdFromWan}2"; # ::/64
|
p6_ = "${pdFromWan}2"; # ::/64
|
||||||
ulaPrefix_ = "${ulaPrefix}:0020"; # ::/64
|
ulaPrefix_ = "${ulaPrefix}:0020"; # ::/64
|
||||||
};
|
};
|
||||||
|
lan30 = mkIfConfig {
|
||||||
|
name_ = "${lan.name}.30";
|
||||||
|
domain_ = "iot.${ldomain}";
|
||||||
|
p4_ = "${p4}.30"; # .0/24
|
||||||
|
p6_ = "${pdFromWan}3"; # ::/64
|
||||||
|
ulaPrefix_ = "${ulaPrefix}:0030"; # ::/64
|
||||||
|
};
|
||||||
|
lan40 = mkIfConfig {
|
||||||
|
name_ = "${lan.name}.40";
|
||||||
|
domain_ = "kube.${ldomain}";
|
||||||
|
p4_ = "${p4}.40"; # .0/24
|
||||||
|
p6_ = "${pdFromWan}4"; # ::/64
|
||||||
|
ulaPrefix_ = "${ulaPrefix}:0040"; # ::/64
|
||||||
|
};
|
||||||
lan50 = mkIfConfig {
|
lan50 = mkIfConfig {
|
||||||
name_ = "${lan.name}.50";
|
name_ = "${lan.name}.50";
|
||||||
domain_ = "prox.${ldomain}";
|
domain_ = "prox.${ldomain}";
|
||||||
p4_ = "10.17.50"; # .0/24 TODO: change to p4 later
|
p4_ = "${p4}.50"; # .0/24
|
||||||
p6_ = "${pdFromWan}a"; # ::/64
|
p6_ = "${pdFromWan}a"; # ::/64
|
||||||
ulaPrefix_ = "${ulaPrefix}:0050"; # ::/64
|
ulaPrefix_ = "${ulaPrefix}:0050"; # ::/64
|
||||||
};
|
};
|
||||||
@ -107,6 +121,16 @@ let
|
|||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
|
mkTempLanConfig = ifObj: {
|
||||||
|
matchConfig.Name = ifObj.name;
|
||||||
|
networkConfig = {
|
||||||
|
IPv4Forwarding = true;
|
||||||
|
# IPv6SendRA = true;
|
||||||
|
Address = [ "${ifObj.p4}.249/24" ];
|
||||||
|
# IPv6AcceptRA = true;
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
mkDhcp4Subnet = id: ifObj: {
|
mkDhcp4Subnet = id: ifObj: {
|
||||||
id = id;
|
id = id;
|
||||||
subnet = ifObj.net4;
|
subnet = ifObj.net4;
|
||||||
@ -211,8 +235,10 @@ in
|
|||||||
};
|
};
|
||||||
|
|
||||||
netdevs = {
|
netdevs = {
|
||||||
# "10-vlan10" = mkVlanDev { id = 10; name = ifs.lan10.name; };
|
"10-vlan10" = mkVlanDev { id = 10; name = ifs.lan10.name; };
|
||||||
# "10-vlan20" = mkVlanDev { id = 20; name = ifs.lan20.name; };
|
"10-vlan20" = mkVlanDev { id = 20; name = ifs.lan20.name; };
|
||||||
|
"10-vlan30" = mkVlanDev { id = 30; name = ifs.lan30.name; };
|
||||||
|
"10-vlan40" = mkVlanDev { id = 40; name = ifs.lan40.name; };
|
||||||
"10-vlan50" = mkVlanDev { id = 50; name = ifs.lan50.name; };
|
"10-vlan50" = mkVlanDev { id = 50; name = ifs.lan50.name; };
|
||||||
};
|
};
|
||||||
|
|
||||||
@ -237,11 +263,15 @@ in
|
|||||||
vlan = [
|
vlan = [
|
||||||
ifs.lan10.name
|
ifs.lan10.name
|
||||||
ifs.lan20.name
|
ifs.lan20.name
|
||||||
|
ifs.lan30.name
|
||||||
|
ifs.lan40.name
|
||||||
ifs.lan50.name
|
ifs.lan50.name
|
||||||
];
|
];
|
||||||
};
|
};
|
||||||
"30-vlan10" = mkLanConfig ifs.lan10;
|
"30-vlan10" = mkTempLanConfig ifs.lan10;
|
||||||
"30-vlan20" = mkLanConfig ifs.lan20;
|
"30-vlan20" = mkTempLanConfig ifs.lan20;
|
||||||
|
"30-vlan30" = mkTempLanConfig ifs.lan30;
|
||||||
|
"30-vlan40" = mkTempLanConfig ifs.lan40;
|
||||||
"30-vlan50" = mkLanConfig ifs.lan50;
|
"30-vlan50" = mkLanConfig ifs.lan50;
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
@ -254,7 +284,14 @@ in
|
|||||||
define LAN_IPV4_HOST = ${ifs.lan.p4}.100
|
define LAN_IPV4_HOST = ${ifs.lan.p4}.100
|
||||||
define LAN_IPV6_HOST = ${ifs.lan.p6}::1:1000
|
define LAN_IPV6_HOST = ${ifs.lan.p6}::1:1000
|
||||||
define ZONE_WAN_IFS = { ${ifs.wan.name} }
|
define ZONE_WAN_IFS = { ${ifs.wan.name} }
|
||||||
define ZONE_LAN_IFS = { ${ifs.lan.name}, ${ifs.lan10.name}, ${ifs.lan20.name}, ${ifs.lan50.name} }
|
define ZONE_LAN_IFS = {
|
||||||
|
${ifs.lan.name},
|
||||||
|
${ifs.lan10.name},
|
||||||
|
${ifs.lan20.name},
|
||||||
|
${ifs.lan30.name},
|
||||||
|
${ifs.lan40.name},
|
||||||
|
${ifs.lan50.name},
|
||||||
|
}
|
||||||
define RFC1918 = { 10.0.0.0/8, 172.12.0.0/12, 192.168.0.0/16 }
|
define RFC1918 = { 10.0.0.0/8, 172.12.0.0/12, 192.168.0.0/16 }
|
||||||
|
|
||||||
define ALLOWED_TCP_PORTS = { ssh, https }
|
define ALLOWED_TCP_PORTS = { ssh, https }
|
||||||
@ -263,7 +300,7 @@ in
|
|||||||
map port_forward_v4 {
|
map port_forward_v4 {
|
||||||
type inet_proto . inet_service : ipv4_addr . inet_service
|
type inet_proto . inet_service : ipv4_addr . inet_service
|
||||||
elements = {
|
elements = {
|
||||||
tcp . 8006 : 10.17.50.10 . 8006
|
tcp . 8006 : ${ifs.lan50.p4}.10 . 8006
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
set port_forward_v6 {
|
set port_forward_v6 {
|
||||||
@ -336,8 +373,8 @@ in
|
|||||||
# ct status dnat accept
|
# ct status dnat accept
|
||||||
|
|
||||||
# Allow all traffic from LAN to WAN, except ULAs
|
# Allow all traffic from LAN to WAN, except ULAs
|
||||||
oifname ${ifs.wan.name} ip6 saddr fd00::/8 drop
|
oifname $ZONE_WAN_IFS ip6 saddr fd00::/8 drop
|
||||||
oifname ${ifs.wan.name} accept;
|
oifname $ZONE_WAN_IFS accept;
|
||||||
|
|
||||||
# Allow traffic between LANs
|
# Allow traffic between LANs
|
||||||
oifname $ZONE_LAN_IFS accept
|
oifname $ZONE_LAN_IFS accept
|
||||||
@ -355,7 +392,7 @@ in
|
|||||||
type nat hook prerouting priority dstnat; policy accept;
|
type nat hook prerouting priority dstnat; policy accept;
|
||||||
|
|
||||||
# Port forwarding
|
# Port forwarding
|
||||||
# iifname ${ifs.wan.name} tcp dport https dnat ip to $LAN_IPV4_HOST
|
# iifname $ZONE_WAN_IFS tcp dport https dnat ip to $LAN_IPV4_HOST
|
||||||
# tcp dport $PROX_PORT fib daddr type local dnat ip to $PROX_HOST
|
# tcp dport $PROX_PORT fib daddr type local dnat ip to $PROX_HOST
|
||||||
fib daddr type local dnat ip to meta l4proto . th dport map @port_forward_v4
|
fib daddr type local dnat ip to meta l4proto . th dport map @port_forward_v4
|
||||||
}
|
}
|
||||||
@ -365,10 +402,10 @@ in
|
|||||||
type nat hook postrouting priority srcnat; policy accept;
|
type nat hook postrouting priority srcnat; policy accept;
|
||||||
|
|
||||||
# Masquerade LAN addrs
|
# Masquerade LAN addrs
|
||||||
oifname ${ifs.wan.name} ip saddr $RFC1918 masquerade
|
oifname $ZONE_WAN_IFS ip saddr $RFC1918 masquerade
|
||||||
|
|
||||||
# Optional IPv6 masquerading (big L if enabled, don't forget to allow forwarding)
|
# Optional IPv6 masquerading (big L if enabled, don't forget to allow forwarding)
|
||||||
# oifname ${ifs.wan.name} ip6 saddr fd00::/8 masquerade
|
# oifname $ZONE_WAN_IFS ip6 saddr fd00::/8 masquerade
|
||||||
}
|
}
|
||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
@ -552,7 +589,8 @@ in
|
|||||||
|
|
||||||
# Enable the KDE Plasma Desktop Environment.
|
# Enable the KDE Plasma Desktop Environment.
|
||||||
# Useful for debugging with wireshark.
|
# Useful for debugging with wireshark.
|
||||||
services.displayManager.sddm.enable = false;
|
# services.displayManager.sddm.enable = true;
|
||||||
|
hardware.graphics.enable = true;
|
||||||
services.displayManager.sddm.wayland.enable = true;
|
services.displayManager.sddm.wayland.enable = true;
|
||||||
services.desktopManager.plasma6.enable = true;
|
services.desktopManager.plasma6.enable = true;
|
||||||
# No need for audio in VM
|
# No need for audio in VM
|
||||||
|