WIP: set up bpir3

nix/os/devices/router0-dmz0/configuration.nix

@@ -108,7 +108,7 @@ in {
         enable = true;
         zones = {
           lan.interfaces = ["br-lan"];
-          wan.interfaces = ["wan"];
+          wan.interfaces = ["wan" "lan0"];
         };
         rules = {
           lan = {
@@ -130,6 +130,12 @@ in {
           incoming-wan = {
             from = ["wan"];
             to = ["fw"];
+            allowedTCPPortRanges = [
+              {
+                from = 22;
+                to = 22;
+              }
+            ];
             verdict = "drop";
           };
         };
@@ -150,14 +156,6 @@ in {
     };
     networks = {
       # Connect the bridge ports to the bridge
-      "30-lan0" = {
-        matchConfig.Name = "lan0";
-        networkConfig = {
-          Bridge = "br-lan";
-          ConfigureWithoutCarrier = true;
-        };
-        linkConfig.RequiredForOnline = "enslaved";
-      };
       "30-lan1" = {
         matchConfig.Name = "lan1";
         networkConfig = {
@@ -195,6 +193,22 @@ in {
         # Don't wait for it as it also would wait for wlan and DFS which takes around 5 min
         linkConfig.RequiredForOnline = "no";
       };
+      # use lan0 as secondary WAN interface
+      "10-lan0-wan" = {
+        matchConfig.Name = "lan0";
+        networkConfig = {
+          # start a DHCP Client for IPv4 Addressing/Routing
+          DHCP = "ipv4";
+          # accept Router Advertisements for Stateless IPv6 Autoconfiguraton (SLAAC)
+          IPv6AcceptRA = true;
+          DNSOverTLS = true;
+          DNSSEC = true;
+          IPv6PrivacyExtensions = false;
+          IPForward = true;
+        };
+        # Don't wait for it as it also would wait for wlan and DFS which takes around 5 min
+        linkConfig.RequiredForOnline = "no";
+      };
       "10-wan" = {
         matchConfig.Name = "wan";
         networkConfig = {
@@ -216,7 +230,9 @@ in {
   # wireless access point
   services.hostapd = {
     enable = true;
-    radios = {
+    radios = let
+      mkBssid = i: "34:56:ce:0f:ed:4${builtins.toString i}";
+    in {
       wlan0 = {
         band = "2g";
         countryCode = "CH";
@@ -234,12 +250,15 @@ in {
               mode = "wpa3-sae";
               # saePasswordsFile = config.sops.secrets.wifiPassword.path;
               saePasswords = [
-                {password = "justtestingwifi";}
+                {
+                  password = "justtestingwifi";
+                  # vlanid = 100;
+                }
               ];
             };
 
             # generated with https://miniwebtool.com/mac-address-generator/
-            bssid = "34:56:ce:0f:ed:40";
+            bssid = mkBssid 0;
             settings = {
               bridge = "br-lan";
             };
@@ -251,13 +270,19 @@ in {
               mode = "wpa3-sae-transition";
               # saePasswordsFile = config.sops.secrets.wifiPassword.path;
               saePasswords = [
-                {password = "justtestingwifi";}
+                {
+                  password = "justtestingwifi";
+                  # vlanid = 100;
+                }
               ];
-              wpaPassword = "justtestingwifi";
+              wpaPskFile = pkgs.writeText "pskfile" ''
+                00:00:00:00:00:00 justtestingwifi
+                # vlanid=100 00:00:00:00:00:00 justtestingwifi-vlan
+              '';
             };
 
             # generated with https://miniwebtool.com/mac-address-generator/
-            bssid = "34:56:ce:0f:ed:41";
+            bssid = mkBssid 1;
             settings = {
               bridge = "br-lan";
             };
@@ -392,9 +417,9 @@ in {
       domain = "lan";
       expand-hosts = true;
 
-      # don't use /etc/hosts as this would advertise surfer as localhost
+      # don't use /etc/hosts as this would advertise ${nodeName} as localhost
       no-hosts = true;
-      address = "/surfer.lan/192.168.10.1";
+      address = "/${nodeName}.lan/192.168.10.1";
     };
   };