From c2a3c53cde1d616556ecf978d4d890c76679093e Mon Sep 17 00:00:00 2001
From: sinavir
Date: Fri, 18 Oct 2024 13:35:15 +0200
Subject: [PATCH] feat(router02): Add HE tunnel and ipv4 nat
---
 machines/krz01/networking.nix | 36 ++++++-
 machines/router02/networking.nix | 168 +++++++++++++++++++++++++++++++
 2 files changed, 199 insertions(+), 5 deletions(-)
diff --git a/machines/krz01/networking.nix b/machines/krz01/networking.nix
index f862607..c5dd03b 100644
--- a/machines/krz01/networking.nix
+++ b/machines/krz01/networking.nix
@@ -8,16 +8,42 @@
 };
 };
- "10-vmbr0" = {
+ "50-vmbr0" = {
 matchConfig.Name = "vmbr0";
 linkConfig.RequiredForOnline = "routable";
 };
+
+ "50-vmbr1" = {
+ matchConfig.Name = "vmbr1";
+ linkConfig.RequiredForOnline = "routable";
+ bridgeVLANs = [
+ {
+ VLAN = [
+ "2510" # NAT
+ "2501" # Managment
+ "2520" # MW DMZ
+ "2530" # HE DMZ
+ ];
+ }
+ ];
+ };
 };
- netdevs."vmbr0" = {
- netdevConfig = {
- Name = "vmbr0";
- Kind = "bridge";
+ netdevs = {
+ "50-vmbr0" = {
+ netdevConfig = {
+ Name = "vmbr0";
+ Kind = "bridge";
+ };
+ };
+ "50-vmbr1" = {
+ netdevConfig = {
+ Name = "vmbr1";
+ Kind = "bridge";
+ };
+ bridgeConfig = {
+ VLANFiltering = true;
+ };
 };
 };
 };
diff --git a/machines/router02/networking.nix b/machines/router02/networking.nix
index 6f22833..f7b1d46 100644
--- a/machines/router02/networking.nix
+++ b/machines/router02/networking.nix
@@ -1,5 +1,8 @@
 {
 systemd.network = {
+ config.routeTables = {
+ he = 100;
+ };
 networks = {
 "10-ens18" = {
 name = "ens18";
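Review bot: `50-vmbr1` sets `linkConfig.RequiredForOnline = "routable"` but configures no address on the bridge, so unless an address is assigned elsewhere (not visible in this hunk) the link cannot reach the routable state and `systemd-networkd-wait-online` will wait on it until timeout; `linkConfig.RequiredForOnline = "carrier";` (or `false`) looks like the intended value for a pure L2 bridge. With `VLANFiltering = true` on the netdev, the `bridgeVLANs` block on the bridge's own `.network` presumably configures only the bridge device itself, and each member port attached to vmbr1 will need its own `[BridgeVLAN]` allow-list before tagged traffic passes — worth a comment next to `bridgeVLANs` saying which ports are expected to carry which VLANs. The comment `# Managment` should read `# Management`.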
@@ -11,8 +14,173 @@
 LLDP = true;
 # Only to the switch we are connected to directly, e.g. the hypervisor or the switch.
 EmitLLDP = "nearest-bridge";
+ Tunnel = [
+ "gre-mwan"
+ "sit-he"
+ ];
 };
 };
+ "10-ens19" = {
+ name = "ens19";
+ networkConfig = {
+ Description = "Lan bridge";
+ };
+ vlan = [
+ "vlan-nat"
+ "vlan-he"
+ ];
+ };
+ "50-tun-he" = {
+ name = "sit-he";
+ networkConfig = {
+ Description = "HE.NET IPv6 Tunnel (gdd)";
+ Address = [ "2001:470:1f12:187::2/64" ];
+ ConfigureWithoutCarrier = true;
+ };
+ routes = [
+ {
+ routeConfig = {
+ Destination = "::/0";
+ Table = "he";
+ Scope = "global";
+ };
+ }
+ {
+ # Use HE tunnel for router trafic as well
+ routeConfig = {
+ Destination = "::/0";
+ Scope = "global";
+ };
+ }
+ ];
+ routingPolicyRules = [
+ {
+ routingPolicyRuleConfig = {
+ From = "2001:470:1f13:187::/64";
+ Table = "he";
+ };
+ }
+ ];
+ };
+ "50-tun-mwan" = {
+ name = "gre-mwan";
+ networkConfig = {
+ Description = "Tunnel de livraison GRE IPv4/IPv6 de MilkyWAN";
+ Address = [
+ "10.1.1.50/30"
+ "2a0b:cbc0:1::216/126"
+ ];
+ ConfigureWithoutCarrier = true;
+ };
+ };
+ "60-vlan-nat" = {
+ name = "vlan-nat";
+ networkConfig = {
+ Description = "Nat IPv4 vers renater";
+ Address = [ "10.3.161.1/24" ];
+ DHCPServer = true;
+ };
+ dhcpServerConfig = {
+ PoolOffset = 50;
+ };
+ };
+ "60-vlan-he" = {
+ name = "vlan-he";
+ networkConfig = {
+ Description = "HE DMZ VLAN";
+ Address = [ "2001:470:1f13:187::1/64" ];
+ IPv6SendRA = "yes";
+ };
+ ipv6Prefixes = [
+ {
+ ipv6PrefixConfig = {
+ Prefix = "2001:470:1f13:187::0/64";
+ };
+ }
+ ];
+ routes = [
+ {
+ routeConfig = {
+ Table = "he";
+ Scope = "global";
+ Destination = "2001:470:1f13:187::/64";
+ };
+ }
+ ];
+ routingPolicyRules = [
+ {
+ routingPolicyRuleConfig = {
+ To = "2001:470:1f13:187::/64";
+ Table = "he";
+ };
+ }
+ ];
+
+ };
+
+ };
+ netdevs = {
+ "50-tun-he" = {
+ netdevConfig = {
+ Kind = "sit";
+ Name = "sit-he";
+ };
+ tunnelConfig = {
+ Local = "129.199.146.230";
+ Remote = "216.66.84.42";
+ };
+ };
+ "50-tun-mwan" = {
+ netdevConfig = {
+ Kind = "gre";
+ Name = "gre-mwan";
+ MTUBytes = "1480";
+ };
+ tunnelConfig = {
+ Local = "129.199.146.230";
+ Remote = "80.67.167.30";
+ };
+ };
+ "60-vlan-nat" = {
+ netdevConfig = {
+ Kind = "vlan";
+ Name = "vlan-nat";
+ };
+ vlanConfig.Id = 2510;
+ };
+ "60-vlan-he" = {
+ netdevConfig = {
+ Kind = "vlan";
+ Name = "vlan-he";
+ };
+ vlanConfig.Id = 2530;
+ };
 };
 };
+ networking = {
+ nftables = {
+ enable = true;
+ tables.nat = {
+ family = "ip";
+ content = ''
+ chain postrouting {
+ type nat hook postrouting priority 100;
+ ip saddr 10.3.161.0/24 snat to 129.199.146.230;
+ }
+ '';
+ };
+ };
+ firewall = {
+ allowedUDPPorts = [ 67 ];
+ extraInputRules = ''
+ ip protocol gre ip saddr 80.67.167.30 accept;
+ '';
+ };
+ };
+
+ boot.kernel.sysctl = {
+ "net.ipv4.ip_forward" = true;
+ "net.ipv6.conf.all.forwarding" = true;
+ };
+
 }
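Review bot: `allowedUDPPorts = [ 67 ];` in the new `firewall` block opens the DHCP server port on every interface, including the ens18 uplink and both tunnels, while the only network that sets `DHCPServer = true` is `vlan-nat`; scoping it as `networking.firewall.interfaces."vlan-nat".allowedUDPPorts = [ 67 ];` keeps the server reachable only from the VLAN it serves. The SNAT rule `ip saddr 10.3.161.0/24 snat to 129.199.146.230;` is not bound to an egress interface, so IPv4 from the NAT VLAN that leaves via `gre-mwan` would also be rewritten to the Renater address; `oifname "ens18" ip saddr 10.3.161.0/24 snat to 129.199.146.230;` restricts it to the uplink. `extraInputRules` accepts GRE from the MilkyWAN endpoint but has no counterpart for the sit tunnel (IPv4 protocol 41 from 216.66.84.42), so unless that is allowed elsewhere the HE tunnel's inbound encapsulated packets are presumably dropped by the input chain, and `ip protocol 41 ip saddr 216.66.84.42 accept;` would mirror the GRE rule. Both forwarding sysctls are enabled but no forward-chain policy appears in this change, so filtering between vlan-nat, vlan-he, the tunnels and ens18 depends on rules outside this commit, if any — a comment stating where that policy lives (or an explicit forward table) would make the intent reviewable; also `trafic` in the comment on the second default route should be `traffic`.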