From 062abf22c05b2f99a46a7dade83651ea725f2afb Mon Sep 17 00:00:00 2001
From: Stefan Junker
Date: Sun, 13 Oct 2024 20:17:35 +0200
Subject: [PATCH] wip(router0-dmz0): attempt IPv6 SLAAC, RA, and DHCP setup
---
 nix/os/devices/router0-dmz0/configuration.nix | 128 +++++++++++++-----
 nix/os/devices/router0-dmz0/flake.lock | 38 +++---
 2 files changed, 110 insertions(+), 56 deletions(-)
diff --git a/nix/os/devices/router0-dmz0/configuration.nix b/nix/os/devices/router0-dmz0/configuration.nix
index 33a6ed3..cd7f53b 100644
--- a/nix/os/devices/router0-dmz0/configuration.nix
+++ b/nix/os/devices/router0-dmz0/configuration.nix
@@ -188,8 +188,8 @@ in {
 # TODO: configure packet_priority for VLANs (see https://wiki.nftables.org/wiki-nftables/index.php/Configuring_chains#Base_chain_priority, https://wiki.nftables.org/wiki-nftables/index.php/Setting_packet_metainformation#packet_priority)
 nftables = {
 enable = true;
- stopRuleset = "";
+ stopRuleset = "";
 chains = {
 prerouting = {
 "exposeHost" = {
@@ -206,6 +206,9 @@ in {
 firewall = {
 enable = true;
+ snippets.nnf-common.enable = true;
+ # included in the above
+ # snippets.nnf-conntrack.enable = true;
 zones = {
 lan.interfaces = [(mkInterfaceName {vlanid = 0;})];
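Review bot: The `stopRuleset = "";` line in the nftables block carries no rationale, and as rendered here the removed and added versions read identically, so the hunk does not show what actually changed (possibly whitespace or quoting). If I read the NixOS option correctly, an empty stop ruleset means nothing is applied when the nftables unit stops, so the running ruleset is left in place instead of being flushed; that fail-closed behaviour is what a DMZ router wants, but it should be stated, e.g. `# keep the running ruleset on service stop: an empty stop ruleset avoids failing open on restart/stop`. The enclosing `nftables` attrset continues past the hunk.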
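Review bot: The comment `# included in the above` only accounts for the conntrack snippet, but `snippets.nnf-common.enable = true;` is an umbrella that, as far as I recall the nixos-nftables-firewall module, also pulls in the ICMP, DHCPv6, SSDP, drop and default stop-ruleset snippets. On a DMZ router each implied accept rule is exposure (the SSDP/DHCPv6 listeners in particular), and a default stop-ruleset snippet may interact with the explicit `stopRuleset` set a few lines earlier. Check the snippet list against the pinned module version and record it, e.g. `# nnf-common enables: conntrack, drop, icmp, loopback, dhcpv6, ssdp, default-stopRuleset -- each reviewed for the DMZ`, or enable only the individual snippets you actually want. The `firewall` attrset continues past the hunk.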
@@ -559,7 +562,49 @@ in {
 vlanRange
 )
 );
- networks =
+ networks = let
+ commonWanOptions = {
+ networkConfig = {
+ # start a DHCP Client for IPv4/6 Addressing/Routing
+ DHCP = true;
+ DNSOverTLS = true;
+ DNSSEC = true;
+ IPForward = true;
+
+ # accept Router Advertisements for Stateless IPv6 Autoconfiguraton (SLAAC)
+ IPv6AcceptRA = true;
+ IPv6PrivacyExtensions = false;
+ DHCPPrefixDelegation = true;
+ };
+ dhcpV4Config = {
+ UseDNS = false;
+ UseDomains = false;
+ UseHostname = false;
+ };
+ dhcpV6Config = {
+ UseDNS = false;
+ UseDomains = false;
+ UseHostname = false;
+ PrefixDelegationHint = "::/56";
+ UseDelegatedPrefix = true;
+ WithoutRA = "solicit";
+ };
+ ipv6AcceptRAConfig = {
+ UseDNS = false;
+ UseDomains = false;
+ };
+
+ # TODO: enable these somehow
+ # extraConfig = ''
+ # [IPv6AcceptRA]
+ # # FIXME: supported in nixos-24.11
+ # DHCPv6Client=solicit
+
+ # # FIXME: not supported at all yet
+ # UsePREF64=true
+ # '';
+ };
+ in {
 # places options here that should always exist
 "lo" = {
@@ -619,20 +664,16 @@ in {
 ];
 };
 # use lan0 as secondary WAN interface
- "10-lan0-wan" = {
+ "10-lan0-wan" = lib.attrsets.recursiveUpdate commonWanOptions {
 matchConfig.Name = "lan0";
- networkConfig = {
- # start a DHCP Client for IPv4/6 Addressing/Routing
- DHCP = true;
- # accept Router Advertisements for Stateless IPv6 Autoconfiguraton (SLAAC)
- IPv6AcceptRA = true;
- DNSOverTLS = true;
- DNSSEC = true;
- IPv6PrivacyExtensions = false;
- IPForward = true;
- };
+ # make routing on this interface a dependency for network-online.target
+ # linkConfig.RequiredForOnline = "routable";
 linkConfig.RequiredForOnline = "no";
+ dhcpV4Config = {
+ RouteMetric = 2000;
+ };
+
 # similar to # ip route add default via 172.16.0.1 table 101
 routes = [
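Review bot: `DHCPPrefixDelegation = true;` in `commonWanOptions` lands on the uplink networks themselves, while the delegated prefix is consumed on the per-VLAN networks in a later hunk via `UplinkInterface = "wan"`; if I read systemd.network correctly, setting it on the uplink makes networkd also carve a subnet (with `SubnetId=auto`) out of the delegated /56 for the WAN link, which looks unintended and uses up one of the 256 /64s. Drop it from the shared block, or add `# intentionally also assigns a /64 from the PD to the uplink itself` if that is wanted. The DHCPv4 client still sends the router's hostname upstream by default although `UseHostname = false` is set; `SendHostname = false;` in `dhcpV4Config` is the matching knob for a DMZ uplink. The `let` opened here and the `networks` attrset both run past the hunk.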
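Review bot: `dhcpV4Config.RouteMetric = 2000;` only orders the IPv4 default route between the two uplinks; the IPv6 default route learned from Router Advertisements on lan0 keeps networkd's default metric and so ties with the one from `wan` (given 1000 in the next hunk), which makes IPv6 egress from the DMZ depend on which RA arrived first rather than on the intended primary/secondary order. Add the v6 counterpart here, `ipv6AcceptRAConfig.RouteMetric = 2000;`, and `ipv6AcceptRAConfig.RouteMetric = 1000;` on the `10-wan` network. `lib.attrsets.recursiveUpdate` merges nested attrsets, so this can sit beside the existing `dhcpV4Config` override without clobbering the shared options. The `routes` list continues past the hunk.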
@@ -644,22 +685,16 @@ in {
 }
 ];
 };
- "10-wan" = {
+ "10-wan" = lib.attrsets.recursiveUpdate commonWanOptions {
 matchConfig.Name = "wan";
- networkConfig = {
- # start a DHCP Client for IPv4/6 Addressing/Routing
- DHCP = true;
- # accept Router Advertisements for Stateless IPv6 Autoconfiguraton (SLAAC)
- IPv6AcceptRA = true;
- DNSOverTLS = true;
- DNSSEC = true;
- IPv6PrivacyExtensions = false;
- IPForward = true;
- };
 # make routing on this interface a dependency for network-online.target
 # linkConfig.RequiredForOnline = "routable";
 linkConfig.RequiredForOnline = "no";
+ dhcpV4Config = {
+ RouteMetric = 1000;
+ };
+
 # similar to # ip route add default via 192.168.0.1 table 100
 routes = [
@@ -835,6 +870,19 @@ in {
 ];
 networkConfig = {
 ConfigureWithoutCarrier = true;
+
+ # the client shouldn't be allowed to send us RAs, that would be weird.
+ IPv6AcceptRA = false;
+
+ DHCPPrefixDelegation = true;
+ IPv6SendRA = true;
+ };
+
+ dhcpPrefixDelegationConfig = {
+ UplinkInterface = "wan";
+ Assign = true;
+ SubnetId = vlanid;
+ Announce = true;
 };
 linkConfig.RequiredForOnline = "no";
@@ -873,19 +921,19 @@ in {
 ];
 };
- "50-${mkInterfaceName {inherit vlanid;}}" = {
- matchConfig.Name = "${mkInterfaceName {inherit vlanid;}}";
- address = [
- (mkVlanIpv4HostAddr {
- inherit vlanid;
- host = 1;
- })
- ];
- networkConfig = {
- ConfigureWithoutCarrier = true;
- };
- linkConfig.RequiredForOnline = "no";
- };
+ # "50-${mkInterfaceName {inherit vlanid;}}" = {
+ # matchConfig.Name = "${mkInterfaceName {inherit vlanid;}}";
+ # address = [
+ # (mkVlanIpv4HostAddr {
+ # inherit vlanid;
+ # host = 1;
+ # })
+ # ];
+ # networkConfig = {
+ # ConfigureWithoutCarrier = true;
+ # };
+ # linkConfig.RequiredForOnline = "no";
+ # };
 })
 ( builtins.map
@@ -1099,6 +1147,9 @@ in {
 local-ttl = 0;
 dhcp-ttl = 0;
+ # v6 config
+ enable-ra = true;
+
 dhcp-range = let
 mkDhcpRange = {
 tag,
@@ -1117,6 +1168,9 @@ in {
 cidr = false;
 })
 "12h"
+ # "slaac"
+ # "ra-stateless"
+ # "ra-names"
 ];
 in
 builtins.map
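Review bot: `SubnetId = vlanid;` hands networkd a decimal Nix integer, but `SubnetId=` in `[DHCPPrefixDelegation]` is documented as a hexadecimal value, so VLAN 10 becomes subnet 0x10 and any VLAN ID of 100 or more no longer fits the /56 requested by `PrefixDelegationHint = "::/56"` (0x100 exceeds the 256 available /64s). Make the encoding explicit, e.g. `SubnetId = lib.toHexString vlanid;`, and assert that every generated VLAN ID stays below 256. `UplinkInterface = "wan"` also pins the delegation to the primary uplink, so a prefix obtained on the `lan0` fallback uplink is never used on the VLANs; worth a `# TODO` if fail-over is the intent. `IPv6SendRA = true;` is enabled with no `ipv6SendRAConfig`, so the advertised DNS, lifetimes and M/O flags are whatever networkd defaults to; set them deliberately for a DMZ segment. The per-VLAN network this sits in starts and ends outside the hunk.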
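Review bot: The `50-${mkInterfaceName ...}` network is commented out rather than deleted; git keeps the history, and a thirteen-line dead block inside a per-VLAN generator hurts readability. The network edited in the previous hunk appears to match the same VLAN interface (it already carries an `address` list and `ConfigureWithoutCarrier`), and networkd applies only the first matching unit, so this one was presumably shadowed anyway and can simply go. The generator function this sits in starts and ends outside the hunk.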
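Review bot: `enable-ra = true;` makes dnsmasq a second Router Advertisement source on the VLAN segments where the earlier hunk already sets `IPv6SendRA = true` in networkd; two daemons advertising on one link with possibly different prefixes, lifetimes and M/O flags give clients an inconsistent view and make it unclear which RA a DMZ host should trust. As I understand dnsmasq, `enable-ra` only emits RAs for subnets it serves DHCPv6 for, so this is inert while the v6 `dhcp-range` flags stay commented out, but it becomes live the moment they are enabled. Pick one RA sender and say so, e.g. `# RAs on the VLANs come from networkd (IPv6SendRA); enable-ra stays inert until a v6 dhcp-range exists -- do not run both`. The dnsmasq settings attrset continues past the hunk.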
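Review bot: The commented `"slaac"`, `"ra-stateless"` and `"ra-names"` flags are appended to a range built by `mkDhcpRange` with `cidr = false` and a `"12h"` lease, which as far as this hunk shows is the IPv4 range; dnsmasq accepts those mode keywords only on an IPv6 `dhcp-range`, so uncommenting them here would most likely be rejected rather than enable SLAAC. `"ra-names"` in particular publishes AAAA records for addresses dnsmasq derives from client MACs, which inventories DMZ hosts in DNS and only works for EUI-64 (non-privacy) addresses; leave a note before it: `# ra-names exposes MAC-derived AAAA records -- not wanted on the DMZ`. The `dhcp-range` expression begins outside the hunk.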
diff --git a/nix/os/devices/router0-dmz0/flake.lock b/nix/os/devices/router0-dmz0/flake.lock
index d155575..33a204d 100644
--- a/nix/os/devices/router0-dmz0/flake.lock
+++ b/nix/os/devices/router0-dmz0/flake.lock
@@ -28,11 +28,11 @@
 ]
 },
 "locked": {
- "lastModified": 1723080788,
- "narHash": "sha256-C5LbM5VMdcolt9zHeLQ0bYMRjUL+N+AL5pK7/tVTdes=",
+ "lastModified": 1728109432,
+ "narHash": "sha256-wmbErh8FG7dRKOtMMpHUqDtFjeqt9Zjx4zssSeTalwU=",
 "owner": "nix-community",
 "repo": "disko",
- "rev": "ffc1f95f6c28e1c6d1e587b51a2147027a3e45ed",
+ "rev": "48ebb577855fb2398653f033b3b2208a9249203d",
 "type": "github"
 },
 "original": {
@@ -63,11 +63,11 @@
 ]
 },
 "locked": {
- "lastModified": 1720042825,
- "narHash": "sha256-A0vrUB6x82/jvf17qPCpxaM+ulJnD8YZwH9Ci0BsAzE=",
+ "lastModified": 1726989464,
+ "narHash": "sha256-Vl+WVTJwutXkimwGprnEtXc/s/s8sMuXzqXaspIGlwM=",
 "owner": "nix-community",
 "repo": "home-manager",
- "rev": "e1391fb22e18a36f57e6999c7a9f966dc80ac073",
+ "rev": "2f23fa308a7c067e52dfcc30a0758f47043ec176",
 "type": "github"
 },
 "original": {
@@ -80,11 +80,11 @@
 "hostapd": {
 "flake": false,
 "locked": {
- "lastModified": 1723046327,
- "narHash": "sha256-803SwotTiTX3eXZ70sTi51oGufgDsLDvUPiJrsECXVo=",
+ "lastModified": 1727905939,
+ "narHash": "sha256-LZHwXN8lBcDpKQVB3GcYI0SVzj6WXd2E0GDqhQh503w=",
 "ref": "refs/heads/main",
- "rev": "c6faa8936604a5a24b36600ab893725350d894bd",
- "revCount": 19755,
+ "rev": "d84323d05ef30cdcf343884ac34420caf72145bd",
+ "revCount": 19910,
 "type": "git",
 "url": "git://w1.fi/hostap.git?branch=main"
 },
@@ -137,11 +137,11 @@
 },
 "nixpkgs": {
 "locked": {
- "lastModified": 1722869614,
- "narHash": "sha256-7ojM1KSk3mzutD7SkrdSflHXEujPvW1u7QuqWoTLXQU=",
+ "lastModified": 1728067476,
+ "narHash": "sha256-/uJcVXuBt+VFCPQIX+4YnYrHaubJSx4HoNsJVNRgANM=",
 "owner": "nixos",
 "repo": "nixpkgs",
- "rev": "883180e6550c1723395a3a342f830bfc5c371f6b",
+ "rev": "6e6b3dd395c3b1eb9be9f2d096383a8d05add030",
 "type": "github"
 },
 "original": {
@@ -153,11 +153,11 @@
 },
 "nixpkgs-unstable": {
 "locked": {
- "lastModified": 1722813957,
- "narHash": "sha256-IAoYyYnED7P8zrBFMnmp7ydaJfwTnwcnqxUElC1I26Y=",
+ "lastModified": 1728018373,
+ "narHash": "sha256-NOiTvBbRLIOe5F6RbHaAh6++BNjsb149fGZd1T4+KBg=",
 "owner": "nixos",
 "repo": "nixpkgs",
- "rev": "cb9a96f23c491c081b38eab96d22fa958043c9fa",
+ "rev": "bc947f541ae55e999ffdb4013441347d83b00feb",
 "type": "github"
 },
 "original": {
@@ -206,11 +206,11 @@
 ]
 },
 "locked": {
- "lastModified": 1723077922,
- "narHash": "sha256-FY5UMtlBCcbMxk+ykmZzYYtm7l/uUKwiMNYbFgqG5yg=",
+ "lastModified": 1728127082,
+ "narHash": "sha256-MDU/aVPcR5Fk+x1B+SAsyYG47k5cvFvGTrqZIev2Jck=",
 "owner": "numtide",
 "repo": "srvos",
- "rev": "f389064525b8330f20106231762f52854490654e",
+ "rev": "7aaa72eb804248436ea20c084a7891a383e23b02",
 "type": "github"
 },
 "original": {