wip(router0-dmz0): attempt IPv6 SLAAC, RA, and DHCP setup
This commit is contained in:
parent
ce458b02ba
commit
062abf22c0
2 changed files with 110 additions and 56 deletions
|
@ -188,8 +188,8 @@ in {
|
|||
# TODO: configure packet_priority for VLANs (see https://wiki.nftables.org/wiki-nftables/index.php/Configuring_chains#Base_chain_priority, https://wiki.nftables.org/wiki-nftables/index.php/Setting_packet_metainformation#packet_priority)
|
||||
nftables = {
|
||||
enable = true;
|
||||
stopRuleset = "";
|
||||
|
||||
stopRuleset = "";
|
||||
chains = {
|
||||
prerouting = {
|
||||
"exposeHost" = {
|
||||
|
@ -206,6 +206,9 @@ in {
|
|||
|
||||
firewall = {
|
||||
enable = true;
|
||||
snippets.nnf-common.enable = true;
|
||||
# included in the above
|
||||
# snippets.nnf-conntrack.enable = true;
|
||||
zones =
|
||||
{
|
||||
lan.interfaces = [(mkInterfaceName {vlanid = 0;})];
|
||||
|
@ -559,7 +562,49 @@ in {
|
|||
vlanRange
|
||||
)
|
||||
);
|
||||
networks =
|
||||
networks = let
|
||||
commonWanOptions = {
|
||||
networkConfig = {
|
||||
# start a DHCP Client for IPv4/6 Addressing/Routing
|
||||
DHCP = true;
|
||||
DNSOverTLS = true;
|
||||
DNSSEC = true;
|
||||
IPForward = true;
|
||||
|
||||
# accept Router Advertisements for Stateless IPv6 Autoconfiguraton (SLAAC)
|
||||
IPv6AcceptRA = true;
|
||||
IPv6PrivacyExtensions = false;
|
||||
DHCPPrefixDelegation = true;
|
||||
};
|
||||
dhcpV4Config = {
|
||||
UseDNS = false;
|
||||
UseDomains = false;
|
||||
UseHostname = false;
|
||||
};
|
||||
dhcpV6Config = {
|
||||
UseDNS = false;
|
||||
UseDomains = false;
|
||||
UseHostname = false;
|
||||
PrefixDelegationHint = "::/56";
|
||||
UseDelegatedPrefix = true;
|
||||
WithoutRA = "solicit";
|
||||
};
|
||||
ipv6AcceptRAConfig = {
|
||||
UseDNS = false;
|
||||
UseDomains = false;
|
||||
};
|
||||
|
||||
# TODO: enable these somehow
|
||||
# extraConfig = ''
|
||||
# [IPv6AcceptRA]
|
||||
# # FIXME: supported in nixos-24.11
|
||||
# DHCPv6Client=solicit
|
||||
|
||||
# # FIXME: not supported at all yet
|
||||
# UsePREF64=true
|
||||
# '';
|
||||
};
|
||||
in
|
||||
{
|
||||
# places options here that should always exist
|
||||
"lo" = {
|
||||
|
@ -619,20 +664,16 @@ in {
|
|||
];
|
||||
};
|
||||
# use lan0 as secondary WAN interface
|
||||
"10-lan0-wan" = {
|
||||
"10-lan0-wan" = lib.attrsets.recursiveUpdate commonWanOptions {
|
||||
matchConfig.Name = "lan0";
|
||||
networkConfig = {
|
||||
# start a DHCP Client for IPv4/6 Addressing/Routing
|
||||
DHCP = true;
|
||||
# accept Router Advertisements for Stateless IPv6 Autoconfiguraton (SLAAC)
|
||||
IPv6AcceptRA = true;
|
||||
DNSOverTLS = true;
|
||||
DNSSEC = true;
|
||||
IPv6PrivacyExtensions = false;
|
||||
IPForward = true;
|
||||
};
|
||||
# make routing on this interface a dependency for network-online.target
|
||||
# linkConfig.RequiredForOnline = "routable";
|
||||
linkConfig.RequiredForOnline = "no";
|
||||
|
||||
dhcpV4Config = {
|
||||
RouteMetric = 2000;
|
||||
};
|
||||
|
||||
# similar to
|
||||
# ip route add default via 172.16.0.1 table 101
|
||||
routes = [
|
||||
|
@ -644,22 +685,16 @@ in {
|
|||
}
|
||||
];
|
||||
};
|
||||
"10-wan" = {
|
||||
"10-wan" = lib.attrsets.recursiveUpdate commonWanOptions {
|
||||
matchConfig.Name = "wan";
|
||||
networkConfig = {
|
||||
# start a DHCP Client for IPv4/6 Addressing/Routing
|
||||
DHCP = true;
|
||||
# accept Router Advertisements for Stateless IPv6 Autoconfiguraton (SLAAC)
|
||||
IPv6AcceptRA = true;
|
||||
DNSOverTLS = true;
|
||||
DNSSEC = true;
|
||||
IPv6PrivacyExtensions = false;
|
||||
IPForward = true;
|
||||
};
|
||||
# make routing on this interface a dependency for network-online.target
|
||||
# linkConfig.RequiredForOnline = "routable";
|
||||
linkConfig.RequiredForOnline = "no";
|
||||
|
||||
dhcpV4Config = {
|
||||
RouteMetric = 1000;
|
||||
};
|
||||
|
||||
# similar to
|
||||
# ip route add default via 192.168.0.1 table 100
|
||||
routes = [
|
||||
|
@ -835,6 +870,19 @@ in {
|
|||
];
|
||||
networkConfig = {
|
||||
ConfigureWithoutCarrier = true;
|
||||
|
||||
# the client shouldn't be allowed to send us RAs, that would be weird.
|
||||
IPv6AcceptRA = false;
|
||||
|
||||
DHCPPrefixDelegation = true;
|
||||
IPv6SendRA = true;
|
||||
};
|
||||
|
||||
dhcpPrefixDelegationConfig = {
|
||||
UplinkInterface = "wan";
|
||||
Assign = true;
|
||||
SubnetId = vlanid;
|
||||
Announce = true;
|
||||
};
|
||||
|
||||
linkConfig.RequiredForOnline = "no";
|
||||
|
@ -873,19 +921,19 @@ in {
|
|||
];
|
||||
};
|
||||
|
||||
"50-${mkInterfaceName {inherit vlanid;}}" = {
|
||||
matchConfig.Name = "${mkInterfaceName {inherit vlanid;}}";
|
||||
address = [
|
||||
(mkVlanIpv4HostAddr {
|
||||
inherit vlanid;
|
||||
host = 1;
|
||||
})
|
||||
];
|
||||
networkConfig = {
|
||||
ConfigureWithoutCarrier = true;
|
||||
};
|
||||
linkConfig.RequiredForOnline = "no";
|
||||
};
|
||||
# "50-${mkInterfaceName {inherit vlanid;}}" = {
|
||||
# matchConfig.Name = "${mkInterfaceName {inherit vlanid;}}";
|
||||
# address = [
|
||||
# (mkVlanIpv4HostAddr {
|
||||
# inherit vlanid;
|
||||
# host = 1;
|
||||
# })
|
||||
# ];
|
||||
# networkConfig = {
|
||||
# ConfigureWithoutCarrier = true;
|
||||
# };
|
||||
# linkConfig.RequiredForOnline = "no";
|
||||
# };
|
||||
})
|
||||
(
|
||||
builtins.map
|
||||
|
@ -1099,6 +1147,9 @@ in {
|
|||
local-ttl = 0;
|
||||
dhcp-ttl = 0;
|
||||
|
||||
# v6 config
|
||||
enable-ra = true;
|
||||
|
||||
dhcp-range = let
|
||||
mkDhcpRange = {
|
||||
tag,
|
||||
|
@ -1117,6 +1168,9 @@ in {
|
|||
cidr = false;
|
||||
})
|
||||
"12h"
|
||||
# "slaac"
|
||||
# "ra-stateless"
|
||||
# "ra-names"
|
||||
];
|
||||
in
|
||||
builtins.map
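Review bot: `DHCPPrefixDelegation = true;` inside `commonWanOptions.networkConfig` (the -559 hunk) is merged into the uplinks `wan` and `lan0` themselves by `recursiveUpdate`, and in systemd-networkd that [Network] option asks for a subnet of the delegated prefix to be assigned to the interface it is set on — on an uplink that is likely unintended and spends one subnet, while the downstream VLAN networks already request it in the -835 hunk. If the uplink assignment is deliberate, document it, e.g. `# assign one delegated subnet to the uplink itself (intentional)`; otherwise move the line out of commonWanOptions. Related: `dhcpPrefixDelegationConfig.UplinkInterface = "wan"` is fixed while `lan0` also runs a DHCPv6 client with `UseDelegatedPrefix = true` and `WithoutRA = "solicit"`, so a prefix delegated on the secondary uplink is presumably never announced downstream — probably acceptable for a backup link, but worth a one-line comment. Because this commit enables `IPForward`, SLAAC and `IPv6SendRA` for the VLANs, hosts behind them become globally reachable over IPv6 without the implicit shielding IPv4 NAT gave them; the -206 hunk only shows zone membership, so confirm that the wan→lan forward policy applies to IPv6 as well (default-drop for new inbound flows, with the ICMPv6 types needed for neighbour discovery and PMTUD allowed).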
|
||||
|
|