|
87 | 87 | # Allow forward
|
88 | 88 | boot.kernel.sysctl."net.ipv4.ip_forward" = 1;
|
89 | 89 |
|
90 |
| - # virtualisation.vswitch = { |
91 |
| - # enable = true; |
92 |
| - # # don't reset the Open vSwitch database on reboot |
93 |
| - # resetOnStart = false; |
94 |
| - # }; |
95 |
| - |
96 |
| - networking = { |
97 |
| - hostName = "hype16"; |
98 |
| - |
99 |
| - # Disable some features |
100 |
| - wireless.enable = false; |
101 |
| - enableIPv6 = false; |
102 |
| - nat.enable = false; |
103 |
| - useDHCP = false; |
104 |
| - |
105 |
| - # See ../../nix/nixos/features/commons/networking.nix |
| 90 | + virtualisation.vswitch = { |
| 91 | + enable = true; |
| 92 | + # don't reset the Open vSwitch database on reboot |
| 93 | + resetOnStart = false; |
| 94 | + }; |
106 | 95 |
|
107 |
| - # Define VLANs |
108 |
| - vlans = { |
109 |
| - vlan-dmz = { |
110 |
| - id = 32; |
111 |
| - interface = "enp1s0"; # tagged |
112 |
| - }; |
113 |
| - vlan-adm = { |
114 |
| - id = 240; |
115 |
| - interface = "enp1s0"; # tagged |
| 96 | + networking = |
| 97 | + let |
| 98 | + netlan = "254"; |
| 99 | + netadm = "240"; |
| 100 | + netdmz = "32"; |
| 101 | + in |
| 102 | + { |
| 103 | + hostName = "hype16"; |
| 104 | + |
| 105 | + # Disable some features |
| 106 | + wireless.enable = false; |
| 107 | + enableIPv6 = false; |
| 108 | + nat.enable = false; |
| 109 | + useDHCP = false; |
| 110 | + |
| 111 | + # See ../../nix/nixos/features/commons/networking.nix |
| 112 | + |
| 113 | + # Define VLANs |
| 114 | + vlans = { |
| 115 | + vlan-dmz = { |
| 116 | + id = 32; |
| 117 | + interface = "enp1s0"; # tagged |
| 118 | + }; |
| 119 | + vlan-adm = { |
| 120 | + id = 240; |
| 121 | + interface = "enp1s0"; # tagged |
| 122 | + }; |
116 | 123 | };
|
117 |
| - }; |
118 |
| - |
119 |
| - # vswitches = { |
120 |
| - # br-lan = { interfaces = { enp1s0 = { }; }; }; |
121 |
| - # br-adm = { interfaces = { vlan-adm = { vlan = 240; }; }; }; |
122 |
| - # br-dmz = { interfaces = { vlan-dmz = { vlan = 32; }; }; }; |
123 |
| - # }; |
124 |
| - |
125 |
| - bridges = { |
126 |
| - br-lan = { interfaces = [ "enp1s0" ]; }; |
127 |
| - br-adm = { interfaces = [ "vlan-adm" ]; }; |
128 |
| - br-dmz = { interfaces = [ "vlan-dmz" ]; }; |
129 |
| - }; |
130 |
| - |
131 |
| - # Create interfaces |
132 |
| - interfaces = { |
133 |
| - br-lan = { |
134 |
| - ipv4 = { |
135 |
| - addresses = [{ |
136 |
| - address = "192.168.254.16"; |
137 |
| - prefixLength = 24; |
138 |
| - }]; |
139 |
| - routes = [{ |
140 |
| - address = "0.0.0.0"; |
141 |
| - prefixLength = 0; |
142 |
| - via = "192.168.254.254"; |
143 |
| - }]; |
144 | 124 |
|
| 125 | + vswitches = { |
| 126 | + br-lan = { interfaces = { enp1s0 = { }; }; }; |
| 127 | + br-adm = { |
| 128 | + interfaces = { |
| 129 | + vlan-adm = { }; |
| 130 | + vb-adguard = { }; |
| 131 | + }; |
145 | 132 | };
|
| 133 | + br-dmz = { interfaces = { vlan-dmz = { }; }; }; |
146 | 134 | };
|
147 | 135 |
|
148 |
| - br-adm = { |
149 |
| - ipv4 = { |
150 |
| - addresses = [{ |
151 |
| - address = "192.168.240.16"; |
152 |
| - prefixLength = 24; |
153 |
| - }]; |
154 |
| - routes = [{ |
155 |
| - address = "0.0.0.0"; |
156 |
| - prefixLength = 0; |
157 |
| - via = "192.168.240.254"; |
158 |
| - }]; |
| 136 | + # bridges = { |
| 137 | + # br-lan = { interfaces = [ "enp1s0" ]; }; |
| 138 | + # br-adm = { interfaces = [ "vlan-adm" ]; }; |
| 139 | + # br-dmz = { interfaces = [ "vlan-dmz" ]; }; |
| 140 | + # }; |
| 141 | + |
| 142 | + # Create interfaces |
| 143 | + interfaces = { |
| 144 | + br-lan = { |
| 145 | + ipv4 = { |
| 146 | + addresses = [{ |
| 147 | + address = "192.168.${netlan}.16"; |
| 148 | + prefixLength = 24; |
| 149 | + }]; |
| 150 | + routes = [{ |
| 151 | + address = "0.0.0.0"; |
| 152 | + prefixLength = 0; |
| 153 | + via = "192.168.${netlan}.254"; |
| 154 | + }]; |
| 155 | + |
| 156 | + }; |
159 | 157 | };
|
160 |
| - }; |
161 | 158 |
|
162 |
| - br-dmz = { |
163 |
| - ipv4 = { |
164 |
| - addresses = [{ |
165 |
| - address = "192.168.32.16"; |
166 |
| - prefixLength = 24; |
167 |
| - }]; |
168 |
| - routes = [{ |
169 |
| - address = "0.0.0.0"; |
170 |
| - prefixLength = 0; |
171 |
| - via = "192.168.32.254"; |
172 |
| - }]; |
| 159 | + br-adm = { |
| 160 | + ipv4 = { |
| 161 | + addresses = [{ |
| 162 | + address = "192.168.${netadm}.16"; |
| 163 | + prefixLength = 24; |
| 164 | + }]; |
| 165 | + routes = [{ |
| 166 | + address = "0.0.0.0"; |
| 167 | + prefixLength = 0; |
| 168 | + via = "192.168.${netadm}.254"; |
| 169 | + }]; |
| 170 | + }; |
173 | 171 | };
|
174 |
| - }; |
175 |
| - }; |
176 | 172 |
|
177 |
| - # Define default gateway and nameservers |
178 |
| - # defaultGateway = "192.168.254.254"; |
179 |
| - nameservers = [ "89.2.0.1" "89.2.0.2" ]; |
180 |
| - |
181 |
| - # Firewall |
182 |
| - firewall = { |
183 |
| - # Allow configure firewall with allowedTCPPorts & allowedUDPPorts values |
184 |
| - enable = true; |
185 |
| - # checkReversePath = "loose"; |
186 |
| - checkReversePath = false; |
187 |
| - |
188 |
| - # Logs |
189 |
| - logReversePathDrops = true; |
190 |
| - logRefusedPackets = true; |
191 |
| - logRefusedConnections = true; |
192 |
| - logRefusedUnicastsOnly = true; |
193 |
| - }; |
| 173 | + br-dmz = { |
| 174 | + ipv4 = { |
| 175 | + addresses = [{ |
| 176 | + address = "192.168.${netdmz}.16"; |
| 177 | + prefixLength = 24; |
| 178 | + }]; |
| 179 | + routes = [{ |
| 180 | + address = "0.0.0.0"; |
| 181 | + prefixLength = 0; |
| 182 | + via = "192.168.${netdmz}.254"; |
| 183 | + }]; |
| 184 | + }; |
| 185 | + }; |
| 186 | + }; |
194 | 187 |
|
195 |
| - nftables = { |
196 |
| - enable = true; |
197 |
| - ruleset = '' |
198 |
| - table inet filter { |
199 |
| - chain input { |
200 |
| - type filter hook input priority 0; policy drop; |
| 188 | + # Define default gateway and nameservers |
| 189 | + # defaultGateway = "192.168.254.254"; |
| 190 | + nameservers = [ "89.2.0.1" "89.2.0.2" ]; |
201 | 191 |
|
202 |
| - ct state { established, related } accept comment "Allow established traffic" |
| 192 | + # Firewall |
| 193 | + firewall = { |
| 194 | + # Allow configure firewall with allowedTCPPorts & allowedUDPPorts values |
| 195 | + enable = true; |
| 196 | + checkReversePath = "loose"; |
203 | 197 |
|
204 |
| - iifname { "br-lan" } accept comment "Allow lan network to access the router" |
205 |
| - #iifname { "br-adm" } accept comment "Allow adm network to access the router" |
206 |
| - iifname "lo" accept comment "Accept everything from loopback interface" |
| 198 | + # Logs |
| 199 | + logReversePathDrops = true; |
| 200 | + logRefusedPackets = true; |
| 201 | + logRefusedConnections = true; |
| 202 | + logRefusedUnicastsOnly = true; |
| 203 | + }; |
207 | 204 |
|
| 205 | + nftables = { |
| 206 | + enable = true; |
| 207 | + ruleset = '' |
| 208 | + table inet filter { |
| 209 | + chain input { |
| 210 | + type filter hook input priority 0; policy drop; |
| 211 | +
|
| 212 | + #ct state { established, related } accept comment "Allow established traffic" |
| 213 | +
|
| 214 | + iifname { "br-lan" } accept comment "Allow lan network to access the router" |
| 215 | + #iifname { "br-adm" } accept comment "Allow adm network to access the router" |
| 216 | + iifname "lo" accept comment "Accept everything from loopback interface" |
| 217 | +
|
| 218 | + } |
| 219 | + chain forward { |
| 220 | + type filter hook forward priority filter; policy drop; |
| 221 | +
|
| 222 | + ct state { established, related } accept comment "Allow established back to LANs" |
| 223 | +
|
| 224 | + # adguard |
| 225 | + # 23:29:47.453176 enp1s0 P IP 192.168.254.114.51756 > 192.168.240.96.3000: Flags [S], seq 3951890633, win 64240, options [mss 1460,sackOK,TS val 273335813 ecr 0,nop,wscale 7], length 0 |
| 226 | + # 23:29:47.453176 vlan-adm P IP 192.168.254.114.51756 > 192.168.240.96.3000: Flags [S], seq 3951890633, win 64240, options [mss 1460,sackOK,TS val 273335813 ecr 0,nop,wscale 7], length 0 |
| 227 | + # 23:29:47.453198 vb-adguard Out IP 192.168.254.114.51756 > 192.168.240.96.3000: Flags [S], seq 3951890633, win 64240, options [mss 1460,sackOK,TS val 273335813 ecr 0,nop,wscale 7], length 0 |
| 228 | + # 23:29:47.453271 vb-adguard P IP 192.168.240.96.3000 > 192.168.254.114.51756: Flags [S.], seq 2593899192, ack 3951890634, win 65160, options [mss 1460,sackOK,TS val 902428753 ecr 273335813,nop,wscale 7], length 0 |
| 229 | + # 23:29:47.453285 br-adm In IP 192.168.240.96.3000 > 192.168.254.114.51756: Flags [S.], seq 2593899192, ack 3951890634, win 65160, options [mss 1460,sackOK,TS val 902428753 ecr 273335813,nop,wscale 7], length 0 |
| 230 | + # 23:29:47.453315 br-lan Out IP 192.168.240.96.3000 > 192.168.254.114.51756: Flags [S.], seq 2593899192, ack 3951890634, win 65160, options [mss 1460,sackOK,TS val 902428753 ecr 273335813,nop,wscale 7], length 0 |
| 231 | + # 23:29:47.453320 enp1s0 Out IP 192.168.240.96.3000 > 192.168.254.114.51756: Flags [S.], seq 2593899192, ack 3951890634, win 65160, options [mss 1460,sackOK,TS val 902428753 ecr 273335813,nop,wscale 7], length 0 |
| 232 | + iifname "br-adm" oifname "br-lan" ip saddr 192.168.${netadm}.96 tcp sport 3000 accept comment "Allow adguard" |
| 233 | +
|
| 234 | + #iifname "br-lan" oifname "br-lan" accept comment "Allow trusted LAN to LAN" |
| 235 | + #iifname "br-lan" oifname "br-adm" accept comment "Allow trusted LAN to ADM" |
| 236 | + #iifname "br-lan" oifname "br-dmz" accept comment "Allow trusted LAN to DMZ" |
| 237 | +
|
| 238 | + log prefix "Blocked Forward: " flags all drop |
| 239 | + } |
208 | 240 | }
|
209 |
| - chain forward { |
210 |
| - type filter hook forward priority filter; policy drop; |
211 |
| -
|
212 |
| - ct state { established, related } accept comment "Allow established back to LANs" |
213 |
| -
|
214 |
| - # adguard |
215 |
| - # 23:29:47.453176 enp1s0 P IP 192.168.254.114.51756 > 192.168.240.96.3000: Flags [S], seq 3951890633, win 64240, options [mss 1460,sackOK,TS val 273335813 ecr 0,nop,wscale 7], length 0 |
216 |
| - # 23:29:47.453176 vlan-adm P IP 192.168.254.114.51756 > 192.168.240.96.3000: Flags [S], seq 3951890633, win 64240, options [mss 1460,sackOK,TS val 273335813 ecr 0,nop,wscale 7], length 0 |
217 |
| - # 23:29:47.453198 vb-adguard Out IP 192.168.254.114.51756 > 192.168.240.96.3000: Flags [S], seq 3951890633, win 64240, options [mss 1460,sackOK,TS val 273335813 ecr 0,nop,wscale 7], length 0 |
218 |
| - # 23:29:47.453271 vb-adguard P IP 192.168.240.96.3000 > 192.168.254.114.51756: Flags [S.], seq 2593899192, ack 3951890634, win 65160, options [mss 1460,sackOK,TS val 902428753 ecr 273335813,nop,wscale 7], length 0 |
219 |
| - # 23:29:47.453285 br-adm In IP 192.168.240.96.3000 > 192.168.254.114.51756: Flags [S.], seq 2593899192, ack 3951890634, win 65160, options [mss 1460,sackOK,TS val 902428753 ecr 273335813,nop,wscale 7], length 0 |
220 |
| - # 23:29:47.453315 br-lan Out IP 192.168.240.96.3000 > 192.168.254.114.51756: Flags [S.], seq 2593899192, ack 3951890634, win 65160, options [mss 1460,sackOK,TS val 902428753 ecr 273335813,nop,wscale 7], length 0 |
221 |
| - # 23:29:47.453320 enp1s0 Out IP 192.168.240.96.3000 > 192.168.254.114.51756: Flags [S.], seq 2593899192, ack 3951890634, win 65160, options [mss 1460,sackOK,TS val 902428753 ecr 273335813,nop,wscale 7], length 0 |
222 |
| - iifname "br-adm" oifname "br-lan" ip saddr 192.168.240.96 tcp sport 3000 accept comment "Allow adguard" |
223 |
| -
|
224 |
| - #iifname "br-lan" oifname "br-lan" accept comment "Allow trusted LAN to LAN" |
225 |
| - #iifname "br-lan" oifname "br-adm" accept comment "Allow trusted LAN to ADM" |
226 |
| - #iifname "br-lan" oifname "br-dmz" accept comment "Allow trusted LAN to DMZ" |
227 |
| -
|
228 |
| - log prefix "Blocked Forward: " flags all drop |
229 |
| - } |
230 |
| - } |
231 |
| - ''; |
| 241 | + ''; |
| 242 | + }; |
232 | 243 | };
|
233 |
| - }; |
234 | 244 |
|
235 | 245 | # systemd.network = let
|
236 | 246 | # netlan = "254";
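Review bot: Commenting out `ct state { established, related } accept` in the input chain (new line 212) while the chain keeps `policy drop` means any reply to a connection the hypervisor itself opens towards a host on br-adm or br-dmz is dropped, because only `iifname "br-lan"` and `lo` are accepted; unlike the forward chain there is also no `log` rule before the drop, so these drops are silent (the `logRefusedPackets`/`logRefusedConnections` options appear to govern the NixOS firewall module's own chains rather than this custom table — worth confirming). If disabling the rule is intentional, leave a comment saying why; otherwise restore `ct state { established, related } accept` and append `log prefix "Blocked Input: " flags all drop` as the chain's last rule, mirroring the forward chain. Separately, the new `iifname "br-adm" oifname "br-lan" ip saddr 192.168.${netadm}.96 tcp sport 3000 accept` rule (new line 232) keys only on a source address and source port, so any host attached to br-adm (vlan-adm or vb-adguard) that spoofs that address can reach every LAN host and port with no conntrack check; the tcpdump trace in the comment suggests the rule exists because the SYN crosses the OVS bridge at layer 2 and never hits the forward hook, so consider also pinning it to the adguard guest's MAC with `ether saddr` and stating that asymmetric path in the comment rather than only the raw capture.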
|
|