diff --git a/machines/router02/networking.nix b/machines/router02/networking.nix index f7b1d46..4949c1b 100644 --- a/machines/router02/networking.nix +++ b/machines/router02/networking.nix @@ -2,6 +2,7 @@ systemd.network = { config.routeTables = { he = 100; + mwan = 110; }; networks = { "10-ens18" = { @@ -26,8 +27,10 @@ Description = "Lan bridge"; }; vlan = [ - "vlan-nat" - "vlan-he" + "vlan-ens-nat" + "vlan-mwan-nat64" + "vlan-mwan-siit" + "vlan-he-dmz" ]; }; "50-tun-he" = { @@ -60,6 +63,12 @@ Table = "he"; }; } + { + routingPolicyRuleConfig = { + To = "2001:470:1f13:187::/64"; + Table = "he"; + }; + } ]; }; "50-tun-mwan" = { @@ -68,14 +77,70 @@ Description = "Tunnel de livraison GRE IPv4/IPv6 de MilkyWAN"; Address = [ "10.1.1.50/30" + "45.13.104.25/29" "2a0b:cbc0:1::216/126" + "2a0e:e701:1120::1/64" ]; ConfigureWithoutCarrier = true; }; + routes = [ + { + routeConfig = { + Gateway = "2a0b:cbc0:1::215"; + PreferredSource = "2a0e:e701:1120::1"; + }; + } + { + # Local route + routeConfig = { + Table = "mwan"; + Destination = "2a0e:e701:1120::/64"; + }; + } + { + # Default unreachable route for unattributed prefixes of our /48 + routeConfig = { + Table = "mwan"; + Metric = 9999; + Destination = "2a0e:e701:1120::/48"; + Type = "unreachable"; + }; + } + { + routeConfig = { + Table = "mwan"; + Gateway = "2a0b:cbc0:1::215"; + PreferredSource = "2a0e:e701:1120::1"; + }; + } + # IPv4 + { + routeConfig = { + Scope = "global"; + Gateway = "10.1.1.49"; + PreferredSource = "45.13.104.25"; + }; + } + ]; + routingPolicyRules = [ + { + routingPolicyRuleConfig = { + From = "2a0e:e701:1120::/48"; + Table = "mwan"; + }; + } + { + routingPolicyRuleConfig = { + To = "2a0e:e701:1120::/48"; + Table = "mwan"; + }; + } + ]; }; - "60-vlan-nat" = { - name = "vlan-nat"; + "60-vlan-ens-nat" = { + name = "vlan-ens-nat"; networkConfig = { + # TODO NAT64 ENS => need netns Description = "Nat IPv4 vers renater"; Address = [ "10.3.161.1/24" ]; DHCPServer = true; 
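Review bot: The `mwan` table's `unreachable` route for `2a0e:e701:1120::/48` carries `Metric = 9999`, but nothing in the hunk says why the catch-all exists, and the metric looks like a no-op since no other route in that table competes for the same prefix. The reason is worth stating in place: without the `unreachable` entry a packet to a not-yet-attributed /64 of the /48 would follow the table's default route back to `2a0b:cbc0:1::215`, which presumably routes the whole /48 straight back here. Suggest replacing the comment with `# Blackhole unassigned /64s of our /48: otherwise they follow the default back to the upstream, which routes the /48 to us (loop)`, and a one-liner above the `From`/`To` policy rules such as `# Keep the MilkyWAN /48 on the MilkyWAN uplink in both directions, independently of the main table`. The enclosing `systemd.network.networks` set starts and ends outside this hunk.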
@@ -84,8 +149,60 @@ PoolOffset = 50; }; }; - "60-vlan-he" = { - name = "vlan-he"; + "60-vlan-mwan-siit" = { + name = "vlan-mwan-siit"; + networkConfig = { + Description = "SIIT-DC vers MilkyWAN"; + Address = [ "2a0e:e701:1120:1000::1/64" ]; + IPv6SendRA = "yes"; + }; + ipv6SendRAConfig = { + DNS = [ "2a0e:e701:1120:1000::f:1" ]; + }; + ipv6Prefixes = [ + { + ipv6PrefixConfig = { + Prefix = "2a0e:e701:1120:1000::/64"; + }; + } + ]; + routes = [ + { + routeConfig = { + Table = "mwan"; + Destination = "2a0e:e701:1120:1000::/64"; + }; + } + ]; + }; + "60-vlan-mwan-nat64" = { + name = "vlan-mwan-nat64"; + networkConfig = { + Description = "Nat IPv4 vers MilkyWAN"; + Address = [ "2a0e:e701:1120:64::/64" ]; + IPv6SendRA = "yes"; + }; + ipv6SendRAConfig = { + DNS = [ "2a0e:e701:1120:1000::f:1" ]; + }; + ipv6Prefixes = [ + { + ipv6PrefixConfig = { + Prefix = "2a0e:e701:1120:64::/64"; + }; + } + ]; + routes = [ + { + routeConfig = { + Table = "mwan"; + Destination = "2a0e:e701:1120:64::/64"; + }; + } + ]; + }; + "60-vlan-he-dmz" = { + name = "vlan-he-dmz"; networkConfig = { Description = "HE DMZ VLAN"; Address = [ "2001:470:1f13:187::1/64" ]; @@ -107,17 +224,7 @@ }; } ]; - routingPolicyRules = [ - { - routingPolicyRuleConfig = { - To = "2001:470:1f13:187::/64"; - Table = "he"; - }; - } - ]; - }; - }; netdevs = { "50-tun-he" = { @@ -141,17 +248,31 @@ Remote = "80.67.167.30"; }; }; - "60-vlan-nat" = { + "60-vlan-ens-nat" = { netdevConfig = { Kind = "vlan"; - Name = "vlan-nat"; + Name = "vlan-ens-nat"; }; vlanConfig.Id = 2510; }; - "60-vlan-he" = { + "60-vlan-mwan-nat64" = { netdevConfig = { Kind = "vlan"; - Name = "vlan-he"; + Name = "vlan-mwan-nat64"; + }; + vlanConfig.Id = 2521; + }; + "60-vlan-mwan-siit" = { + netdevConfig = { + Kind = "vlan"; + Name = "vlan-mwan-siit"; + }; + vlanConfig.Id = 2520; + }; + "60-vlan-he-dmz" = { + netdevConfig = { + Kind = "vlan"; + Name = "vlan-he-dmz"; }; vlanConfig.Id = 2530; }; 
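Review bot: `"60-vlan-mwan-nat64"` gives the router `Address = [ "2a0e:e701:1120:64::/64" ]`, i.e. an all-zeros interface identifier, whereas the sibling `"60-vlan-mwan-siit"` uses `2a0e:e701:1120:1000::1/64`; the all-zeros host part is the subnet-router anycast address (RFC 4291), so unless that is deliberate it should read `Address = [ "2a0e:e701:1120:64::1/64" ];`. Both VLANs advertise the same resolver `2a0e:e701:1120:1000::f:1`, which lives on the SIIT VLAN, so a short comment noting that NAT64 clients depend on that resolver being reachable across VLANs (and on it doing DNS64 for `64:ff9b::/96`, if that is the intended discovery path) would help the next reader. The enclosing `networks` set starts and continues outside this hunk.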
@@ -171,10 +292,53 @@ }; }; firewall = { - allowedUDPPorts = [ 67 ]; + allowedUDPPorts = [ + 67 + 53 + ]; extraInputRules = '' ip protocol gre ip saddr 80.67.167.30 accept; - ''; + ''; + logReversePathDrops = true; + checkReversePath = "loose"; + }; + }; + networking.jool = { + enable = true; + nat64.default = { + global = { + pool6 = "64:ff9b::/96"; + lowest-ipv6-mtu = 1500; + logging-bib = true; + logging-session = true; + }; + pool4 = + builtins.map + (protocol: { + prefix = "45.13.104.25/32"; + inherit protocol; + }) + [ + "TCP" + "UDP" + "ICMP" + ]; + }; + siit.default = { + global = { + pool6 = "2a0b:e701:1120:ffff::/96"; + rfc6791v4-prefix = "45.13.104.25/32"; + lowest-ipv6-mtu = 1500; + }; + eamt = [ + { + "ipv4 prefix" = "45.13.104.24/29"; + "ipv6 prefix" = "2a0b:e701:1120:1000:ffff::45.13.104.24/125"; + } + ]; + denylist4 = [ + "129.199.146.0/24" # ENS + ]; }; }; @@ -182,5 +346,4 @@ "net.ipv4.ip_forward" = true; "net.ipv6.conf.all.forwarding" = true; }; - }
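Review bot: `allowedUDPPorts = [ 67 53 ]` opens inbound DNS on every interface, including `tun-mwan` and `tun-he` which carry public addresses (`45.13.104.25/29`, `2a0e:e701:1120::1/64`); if the router's resolver is only meant for the VLAN clients, scope it with `networking.firewall.interfaces."vlan-mwan-siit".allowedUDPPorts = [ 53 ];` (and likewise for `vlan-mwan-nat64`) so the host cannot be reached as an open resolver from the uplinks. The SIIT block uses `2a0b:e701:1120:ffff::/96` and `2a0b:e701:1120:1000:ffff::45.13.104.24/125`, whereas every other prefix in the diff is under `2a0e:e701:1120::/48` and only that /48 is routed into the `mwan` table; this looks like a `2a0b`/`2a0e` typo, and if so traffic to the EAMT addresses would never reach this host. `checkReversePath = "loose"` relaxes source-address validation on a multihomed router; a comment stating why strict breaks here (the `he`/`mwan` policy tables) and that `logReversePathDrops` is the compensating control would document the trade-off. The surrounding attribute set begins outside this hunk.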