{ systemd.network = { config.routeTables = { he = 100; mwan = 110; }; networks = { "10-ens18" = { name = "ens18"; networkConfig = { Description = "ENS uplink"; Address = [ "129.199.146.231/24" "129.199.146.230/24" ]; Gateway = "129.199.146.254"; LLDP = true; # Only to the switch we are connected to directly, e.g. the hypervisor or the switch. EmitLLDP = "nearest-bridge"; Tunnel = [ "gre-mwan" "sit-he" ]; }; }; "10-ens19" = { name = "ens19"; networkConfig = { Description = "Lan bridge"; }; vlan = [ "vlan-mwan-siit" "vlan-he-dmz" ]; }; "50-tun-he" = { name = "sit-he"; networkConfig = { Description = "HE.NET IPv6 Tunnel (maurice)"; Address = [ "2001:470:1f12:2b::2/64" ]; ConfigureWithoutCarrier = true; }; routes = [ { Destination = "::/0"; Table = "he"; Scope = "global"; } { # Use HE tunnel for router trafic as well Destination = "::/0"; Scope = "global"; } ]; routingPolicyRules = [ { routingPolicyRuleConfig = { From = "2001:470:1f13:2b::/64"; Table = "he"; }; } { routingPolicyRuleConfig = { To = "2001:470:1f13:2b::/64"; Table = "he"; }; } ]; }; "50-tun-mwan" = { name = "gre-mwan"; networkConfig = { Description = "Tunnel de livraison GRE IPv4/IPv6 de MilkyWAN"; Address = [ "10.1.1.50/30" "2a0b:cbc0:1::216/126" "2a0e:e701:1120::1/64" ]; ConfigureWithoutCarrier = true; }; routes = [ { Gateway = "2a0b:cbc0:1::215"; PreferredSource = "2a0e:e701:1120::1"; } { # Local route Table = "mwan"; Destination = "2a0e:e701:1120::/64"; } { # Default unreachable route for unattributed prefixes of our /48 Table = "mwan"; Metric = 9999; Destination = "2a0e:e701:1120::/48"; Type = "unreachable"; } { Table = "mwan"; Gateway = "2a0b:cbc0:1::215"; PreferredSource = "2a0e:e701:1120::1"; } # IPv4 { Scope = "global"; Table = "mwan"; Gateway = "10.1.1.49"; } ]; routingPolicyRules = [ { routingPolicyRuleConfig = { From = "45.13.104.24/29"; Table = "mwan"; }; } { routingPolicyRuleConfig = { To = "45.13.104.24/29"; Table = "mwan"; }; } { routingPolicyRuleConfig = { From = "2a0e:e701:1120::/48"; Table = "mwan"; }; } { routingPolicyRuleConfig = { To = "2a0e:e701:1120::/48"; Table = "mwan"; }; } ]; }; "60-vlan-mwan-siit" = { name = "vlan-mwan-siit"; networkConfig = { Description = "SIIT-DC vers MilkyWAN"; Address = [ "2a0e:e701:1120:1000::1/64" ]; IPv6SendRA = "yes"; }; ipv6SendRAConfig = { DNS = [ "2a0e:e701:1120:1000::f:1" ]; }; ipv6Prefixes = [ { ipv6PrefixConfig = { Prefix = "2a0e:e701:1120:1000::/64"; }; } ]; routes = [ { Table = "mwan"; Destination = "2a0e:e701:1120:1000::/64"; } ]; }; "60-vlan-he-dmz" = { name = "vlan-he-dmz"; networkConfig = { Description = "HE DMZ VLAN"; Address = [ "2001:470:1f13:2b::1/64" ]; IPv6SendRA = "yes"; }; ipv6Prefixes = [ { ipv6PrefixConfig = { Prefix = "2001:470:1f13:2b::0/64"; }; } ]; routes = [ { Table = "he"; Scope = "global"; Destination = "2001:470:1f13:2b::/64"; } ]; }; }; netdevs = { "50-tun-he" = { netdevConfig = { Kind = "sit"; Name = "sit-he"; }; tunnelConfig = { Local = "129.199.146.231"; Remote = "216.66.84.42"; }; }; "50-tun-mwan" = { netdevConfig = { Kind = "gre"; Name = "gre-mwan"; MTUBytes = "1480"; }; tunnelConfig = { Local = "129.199.146.230"; Remote = "80.67.167.30"; }; }; "60-vlan-mwan-siit" = { netdevConfig = { Kind = "vlan"; Name = "vlan-mwan-siit"; }; vlanConfig.Id = 2520; }; "60-vlan-he-dmz" = { netdevConfig = { Kind = "vlan"; Name = "vlan-he-dmz"; }; vlanConfig.Id = 2530; }; }; }; networking = { firewall = { allowedUDPPorts = [ 67 53 ]; extraInputRules = '' ip protocol gre ip saddr 80.67.167.30 accept; ''; logReversePathDrops = true; checkReversePath = "loose"; }; }; networking.jool = { enable = true; siit.siitdefault = { global = { manually-enabled = true; pool6 = "2a0e:e701:1120:ffff::/96"; rfc6791v4-prefix = "10.243.0.0/24"; randomize-rfc6791-addresses = false; lowest-ipv6-mtu = 1500; logging-debug = true; }; eamt = [ { "ipv4 prefix" = "45.13.104.24/29"; "ipv6 prefix" = "2a0e:e701:1120:1000:ffff::45.13.104.24/125"; } ]; denylist4 = [ "129.199.146.230/32" # ENS ]; }; }; boot.kernel.sysctl = { "net.ipv4.ip_forward" = true; "net.ipv6.conf.all.forwarding" = true; }; }