wip(router0-dmz0): attempt IPv6 SLAAC, RA, and DHCP setup

This commit is contained in:
steveej 2024-10-13 20:17:35 +02:00
parent ce458b02ba
commit 062abf22c0
2 changed files with 110 additions and 56 deletions


@ -188,8 +188,8 @@ in {
# TODO: configure packet_priority for VLANs (see https://wiki.nftables.org/wiki-nftables/index.php/Configuring_chains#Base_chain_priority, https://wiki.nftables.org/wiki-nftables/index.php/Setting_packet_metainformation#packet_priority) # TODO: configure packet_priority for VLANs (see https://wiki.nftables.org/wiki-nftables/index.php/Configuring_chains#Base_chain_priority, https://wiki.nftables.org/wiki-nftables/index.php/Setting_packet_metainformation#packet_priority)
nftables = { nftables = {
enable = true; enable = true;
stopRuleset = "";
stopRuleset = "";
chains = { chains = {
prerouting = { prerouting = {
"exposeHost" = { "exposeHost" = {
@ -206,6 +206,9 @@ in {
firewall = { firewall = {
enable = true; enable = true;
snippets.nnf-common.enable = true;
# included in the above
# snippets.nnf-conntrack.enable = true;
zones = zones =
{ {
lan.interfaces = [(mkInterfaceName {vlanid = 0;})]; lan.interfaces = [(mkInterfaceName {vlanid = 0;})];
@ -559,7 +562,49 @@ in {
vlanRange vlanRange
) )
); );
networks = networks = let
commonWanOptions = {
networkConfig = {
# start a DHCP Client for IPv4/6 Addressing/Routing
DHCP = true;
DNSOverTLS = true;
DNSSEC = true;
IPForward = true;
# accept Router Advertisements for Stateless IPv6 Autoconfiguraton (SLAAC)
IPv6AcceptRA = true;
IPv6PrivacyExtensions = false;
DHCPPrefixDelegation = true;
};
dhcpV4Config = {
UseDNS = false;
UseDomains = false;
UseHostname = false;
};
dhcpV6Config = {
UseDNS = false;
UseDomains = false;
UseHostname = false;
PrefixDelegationHint = "::/56";
UseDelegatedPrefix = true;
WithoutRA = "solicit";
};
ipv6AcceptRAConfig = {
UseDNS = false;
UseDomains = false;
};
# TODO: enable these somehow
# extraConfig = ''
# [IPv6AcceptRA]
# # FIXME: supported in nixos-24.11
# DHCPv6Client=solicit
# # FIXME: not supported at all yet
# UsePREF64=true
# '';
};
in
{ {
# places options here that should always exist # places options here that should always exist
"lo" = { "lo" = {
@ -619,20 +664,16 @@ in {
]; ];
}; };
# use lan0 as secondary WAN interface # use lan0 as secondary WAN interface
"10-lan0-wan" = { "10-lan0-wan" = lib.attrsets.recursiveUpdate commonWanOptions {
matchConfig.Name = "lan0"; matchConfig.Name = "lan0";
networkConfig = { # make routing on this interface a dependency for network-online.target
# start a DHCP Client for IPv4/6 Addressing/Routing # linkConfig.RequiredForOnline = "routable";
DHCP = true;
# accept Router Advertisements for Stateless IPv6 Autoconfiguraton (SLAAC)
IPv6AcceptRA = true;
DNSOverTLS = true;
DNSSEC = true;
IPv6PrivacyExtensions = false;
IPForward = true;
};
linkConfig.RequiredForOnline = "no"; linkConfig.RequiredForOnline = "no";
dhcpV4Config = {
RouteMetric = 2000;
};
# similar to # similar to
# ip route add default via 172.16.0.1 table 101 # ip route add default via 172.16.0.1 table 101
routes = [ routes = [
@ -644,22 +685,16 @@ in {
} }
]; ];
}; };
"10-wan" = { "10-wan" = lib.attrsets.recursiveUpdate commonWanOptions {
matchConfig.Name = "wan"; matchConfig.Name = "wan";
networkConfig = {
# start a DHCP Client for IPv4/6 Addressing/Routing
DHCP = true;
# accept Router Advertisements for Stateless IPv6 Autoconfiguraton (SLAAC)
IPv6AcceptRA = true;
DNSOverTLS = true;
DNSSEC = true;
IPv6PrivacyExtensions = false;
IPForward = true;
};
# make routing on this interface a dependency for network-online.target # make routing on this interface a dependency for network-online.target
# linkConfig.RequiredForOnline = "routable"; # linkConfig.RequiredForOnline = "routable";
linkConfig.RequiredForOnline = "no"; linkConfig.RequiredForOnline = "no";
dhcpV4Config = {
RouteMetric = 1000;
};
# similar to # similar to
# ip route add default via 192.168.0.1 table 100 # ip route add default via 192.168.0.1 table 100
routes = [ routes = [
@ -835,6 +870,19 @@ in {
]; ];
networkConfig = { networkConfig = {
ConfigureWithoutCarrier = true; ConfigureWithoutCarrier = true;
# the client shouldn't be allowed to send us RAs, that would be weird.
IPv6AcceptRA = false;
DHCPPrefixDelegation = true;
IPv6SendRA = true;
};
dhcpPrefixDelegationConfig = {
UplinkInterface = "wan";
Assign = true;
SubnetId = vlanid;
Announce = true;
}; };
linkConfig.RequiredForOnline = "no"; linkConfig.RequiredForOnline = "no";
@ -873,19 +921,19 @@ in {
]; ];
}; };
"50-${mkInterfaceName {inherit vlanid;}}" = { # "50-${mkInterfaceName {inherit vlanid;}}" = {
matchConfig.Name = "${mkInterfaceName {inherit vlanid;}}"; # matchConfig.Name = "${mkInterfaceName {inherit vlanid;}}";
address = [ # address = [
(mkVlanIpv4HostAddr { # (mkVlanIpv4HostAddr {
inherit vlanid; # inherit vlanid;
host = 1; # host = 1;
}) # })
]; # ];
networkConfig = { # networkConfig = {
ConfigureWithoutCarrier = true; # ConfigureWithoutCarrier = true;
}; # };
linkConfig.RequiredForOnline = "no"; # linkConfig.RequiredForOnline = "no";
}; # };
}) })
( (
builtins.map builtins.map
@ -1099,6 +1147,9 @@ in {
local-ttl = 0; local-ttl = 0;
dhcp-ttl = 0; dhcp-ttl = 0;
# v6 config
enable-ra = true;
dhcp-range = let dhcp-range = let
mkDhcpRange = { mkDhcpRange = {
tag, tag,
@ -1117,6 +1168,9 @@ in {
cidr = false; cidr = false;
}) })
"12h" "12h"
# "slaac"
# "ra-stateless"
# "ra-names"
]; ];
in in
builtins.map builtins.map
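Review bot: `SubnetId = vlanid;` in the new dhcpPrefixDelegationConfig block (the `@ -835,6 +870,19` hunk) hands systemd-networkd a Nix integer rendered in decimal, but systemd.network(5) documents SubnetId= as a hexadecimal value, so a vlanid of 10 would become subnet 0x10 and, with the `::/56` hint requested on the uplink, any vlanid whose digits exceed `ff` as hex falls outside the delegated prefix's subnet space — confirm against the networkd version the pinned nixpkgs ships. `SubnetId = lib.toHexString vlanid;` keeps the subnet number equal to the VLAN id and makes the /56 limit easy to check; the lambda that binds vlanid starts outside this hunk. It is also worth confirming that `IPv6SendRA = true` on these interfaces and dnsmasq's `enable-ra = true` (the `@ -1099,6 +1147,9` hunk) do not both advertise on the same links, since two RA sources with differing flags give clients inconsistent autoconfiguration; the v6 dhcp-range flags are still commented out, so dnsmasq may not emit RAs yet, but a one-line comment stating which daemon owns RA on the VLANs would prevent a later change from re-enabling both.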


@ -28,11 +28,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1723080788, "lastModified": 1728109432,
"narHash": "sha256-C5LbM5VMdcolt9zHeLQ0bYMRjUL+N+AL5pK7/tVTdes=", "narHash": "sha256-wmbErh8FG7dRKOtMMpHUqDtFjeqt9Zjx4zssSeTalwU=",
"owner": "nix-community", "owner": "nix-community",
"repo": "disko", "repo": "disko",
"rev": "ffc1f95f6c28e1c6d1e587b51a2147027a3e45ed", "rev": "48ebb577855fb2398653f033b3b2208a9249203d",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -63,11 +63,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1720042825, "lastModified": 1726989464,
"narHash": "sha256-A0vrUB6x82/jvf17qPCpxaM+ulJnD8YZwH9Ci0BsAzE=", "narHash": "sha256-Vl+WVTJwutXkimwGprnEtXc/s/s8sMuXzqXaspIGlwM=",
"owner": "nix-community", "owner": "nix-community",
"repo": "home-manager", "repo": "home-manager",
"rev": "e1391fb22e18a36f57e6999c7a9f966dc80ac073", "rev": "2f23fa308a7c067e52dfcc30a0758f47043ec176",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -80,11 +80,11 @@
"hostapd": { "hostapd": {
"flake": false, "flake": false,
"locked": { "locked": {
"lastModified": 1723046327, "lastModified": 1727905939,
"narHash": "sha256-803SwotTiTX3eXZ70sTi51oGufgDsLDvUPiJrsECXVo=", "narHash": "sha256-LZHwXN8lBcDpKQVB3GcYI0SVzj6WXd2E0GDqhQh503w=",
"ref": "refs/heads/main", "ref": "refs/heads/main",
"rev": "c6faa8936604a5a24b36600ab893725350d894bd", "rev": "d84323d05ef30cdcf343884ac34420caf72145bd",
"revCount": 19755, "revCount": 19910,
"type": "git", "type": "git",
"url": "git://w1.fi/hostap.git?branch=main" "url": "git://w1.fi/hostap.git?branch=main"
}, },
@ -137,11 +137,11 @@
}, },
"nixpkgs": { "nixpkgs": {
"locked": { "locked": {
"lastModified": 1722869614, "lastModified": 1728067476,
"narHash": "sha256-7ojM1KSk3mzutD7SkrdSflHXEujPvW1u7QuqWoTLXQU=", "narHash": "sha256-/uJcVXuBt+VFCPQIX+4YnYrHaubJSx4HoNsJVNRgANM=",
"owner": "nixos", "owner": "nixos",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "883180e6550c1723395a3a342f830bfc5c371f6b", "rev": "6e6b3dd395c3b1eb9be9f2d096383a8d05add030",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -153,11 +153,11 @@
}, },
"nixpkgs-unstable": { "nixpkgs-unstable": {
"locked": { "locked": {
"lastModified": 1722813957, "lastModified": 1728018373,
"narHash": "sha256-IAoYyYnED7P8zrBFMnmp7ydaJfwTnwcnqxUElC1I26Y=", "narHash": "sha256-NOiTvBbRLIOe5F6RbHaAh6++BNjsb149fGZd1T4+KBg=",
"owner": "nixos", "owner": "nixos",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "cb9a96f23c491c081b38eab96d22fa958043c9fa", "rev": "bc947f541ae55e999ffdb4013441347d83b00feb",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -206,11 +206,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1723077922, "lastModified": 1728127082,
"narHash": "sha256-FY5UMtlBCcbMxk+ykmZzYYtm7l/uUKwiMNYbFgqG5yg=", "narHash": "sha256-MDU/aVPcR5Fk+x1B+SAsyYG47k5cvFvGTrqZIev2Jck=",
"owner": "numtide", "owner": "numtide",
"repo": "srvos", "repo": "srvos",
"rev": "f389064525b8330f20106231762f52854490654e", "rev": "7aaa72eb804248436ea20c084a7891a383e23b02",
"type": "github" "type": "github"
}, },
"original": { "original": {