Compare commits
No commits in common. "6b92bacb9b7fbaf475aa135af3145dbd547859d8" and "cdf7aa8b80fb985f07f632874123f27e7f9d36ea" have entirely different histories.
6b92bacb9b
...
cdf7aa8b80
@ -20,11 +20,7 @@ in
|
||||
${ifs.lan40.name},
|
||||
${ifs.lan50.name},
|
||||
}
|
||||
define OPNSENSE_NET6 = ${pdFromWan}d::/64
|
||||
define ZONE_LAN_EXTRA_NET6 = {
|
||||
${ifs.lan20.net6}, # needed since packets can come in from wan on these addrs
|
||||
$OPNSENSE_NET6,
|
||||
}
|
||||
define OPNSENSE_P6 = ${pdFromWan}d::/64
|
||||
define RFC1918 = { 10.0.0.0/8, 172.12.0.0/12, 192.168.0.0/16 }
|
||||
|
||||
define ALLOWED_TCP_PORTS = { ssh, https }
|
||||
@ -50,9 +46,7 @@ in
|
||||
# Drop router adverts from self
|
||||
# peculiarity due to wan and lan20 being bridged
|
||||
# TODO: figure out a less jank way to do this
|
||||
iifname $ZONE_WAN_IFS ip6 saddr ${links.lanLL} icmpv6 type nd-router-advert log prefix "self radvt: " drop
|
||||
# iifname $ZONE_WAN_IFS ip6 saddr ${links.lanLL} ip6 nexthdr icmpv6 log prefix "self icmpv6: " drop
|
||||
# iifname $ZONE_WAN_IFS ip6 saddr ${links.lanLL} log prefix "self llv6: " drop
|
||||
iifname $ZONE_WAN_IFS ip6 saddr ${links.lanLL} icmpv6 type nd-router-advert log prefix "self icmpv6: " drop
|
||||
# iifname $ZONE_WAN_IFS ip6 saddr ${links.lanLL} log drop
|
||||
# iifname $ZONE_LAN_IFS ip6 saddr ${links.wanLL} log drop
|
||||
|
||||
@ -80,7 +74,7 @@ in
|
||||
# LAN zone input rules
|
||||
iifname $ZONE_LAN_IFS accept
|
||||
iifname $ZONE_LAN_IFS jump zone_lan_input
|
||||
ip6 saddr $ZONE_LAN_EXTRA_NET6 jump zone_lan_input
|
||||
ip6 saddr $OPNSENSE_P6 jump zone_lan_input
|
||||
|
||||
# log
|
||||
}
|
||||
@ -95,7 +89,7 @@ in
|
||||
iifname $ZONE_WAN_IFS jump zone_wan_forward
|
||||
# LAN zone forward rules
|
||||
iifname $ZONE_LAN_IFS jump zone_lan_forward
|
||||
ip6 saddr $ZONE_LAN_EXTRA_NET6 jump zone_lan_forward
|
||||
ip6 saddr $OPNSENSE_P6 jump zone_lan_forward
|
||||
}
|
||||
|
||||
chain zone_wan_input {
|
||||
|
||||
@ -58,7 +58,13 @@ in
|
||||
nohook resolv.conf, yp, hostname, ntp
|
||||
|
||||
interface ${ifs.wan.name}
|
||||
ipv6only
|
||||
# IPv4 (Static)
|
||||
nodhcp
|
||||
noipv4ll
|
||||
static ip_address=${ifs.wan.addr4Sized}
|
||||
static routers=${ifs.wan.gw4}
|
||||
|
||||
# IPv6
|
||||
duid
|
||||
ipv6rs
|
||||
dhcp6
|
||||
@ -121,20 +127,10 @@ in
|
||||
networks = {
|
||||
"10-wan" = {
|
||||
matchConfig.Name = ifs.wan.name;
|
||||
# make routing on this interface a dependency for network-online.target
|
||||
linkConfig.RequiredForOnline = "routable";
|
||||
networkConfig = {
|
||||
# start a DHCP Client for IPv4 Addressing/Routing
|
||||
# DHCP = "ipv4";
|
||||
# accept Router Advertisements for Stateless IPv6 Autoconfiguraton (SLAAC)
|
||||
# let dhcpcd handle this
|
||||
Address = [ ifs.wan.addr4Sized ];
|
||||
IPv6AcceptRA = false;
|
||||
KeepConfiguration = true;
|
||||
linkConfig = {
|
||||
Unmanaged = true;
|
||||
RequiredForOnline = "routable";
|
||||
};
|
||||
routes = [
|
||||
{ Gateway = ifs.wan.gw4; }
|
||||
];
|
||||
};
|
||||
"20-lan" = (mkLanConfig ifs.lan) // {
|
||||
vlan = [
|
||||
|
||||
Loading…
x
Reference in New Issue
Block a user