From 3b8189ad5bb87df9794e368a22973749b61c0f1c Mon Sep 17 00:00:00 2001 From: sinavir Date: Tue, 29 Oct 2024 06:59:21 +0100 Subject: [PATCH] feat(router02): mwan transit, nat64, siit Drop ens nat, nat64 is provided by mwan --- machines/router02/networking.nix | 174 +++++++++++++++++++++++-------- meta/nodes.nix | 2 +- 2 files changed, 134 insertions(+), 42 deletions(-) diff --git a/machines/router02/networking.nix b/machines/router02/networking.nix index f7b1d46..2f68051 100644 --- a/machines/router02/networking.nix +++ b/machines/router02/networking.nix @@ -2,6 +2,7 @@ systemd.network = { config.routeTables = { he = 100; + mwan = 110; }; networks = { "10-ens18" = { @@ -26,8 +27,8 @@ Description = "Lan bridge"; }; vlan = [ - "vlan-nat" - "vlan-he" + "vlan-mwan-siit" + "vlan-he-dmz" ]; }; "50-tun-he" = { @@ -60,6 +61,12 @@ Table = "he"; }; } + { + routingPolicyRuleConfig = { + To = "2001:470:1f13:187::/64"; + Table = "he"; + }; + } ]; }; "50-tun-mwan" = { 
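Review bot: The `routingPolicyRuleConfig` added in the third hunk (`To = "2001:470:1f13:187::/64"; Table = "he"`) now lives under the `50-tun-he` network rather than the DMZ VLAN it names, and nothing says why, so the next reader will wonder whether it was misplaced; a one-line comment such as `# Steer traffic for the HE DMZ /64 through the he table (moved here from vlan-he-dmz)` would settle it. The rule also carries no `Priority`, so its order relative to the `mwan` rules follows insertion order; the prefixes appear disjoint, but an explicit `Priority` would make that independent of ordering. The `50-tun-he` network and the enclosing `networks` set continue outside the hunk.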
@@ -69,23 +76,104 @@ Address = [ "10.1.1.50/30" "2a0b:cbc0:1::216/126" + "2a0e:e701:1120::1/64" ]; ConfigureWithoutCarrier = true; }; + routes = [ + { + routeConfig = { + Gateway = "2a0b:cbc0:1::215"; + PreferredSource = "2a0e:e701:1120::1"; + }; + } + { + # Local route + routeConfig = { + Table = "mwan"; + Destination = "2a0e:e701:1120::/64"; + }; + } + { + # Default unreachable route for unattributed prefixes of our /48 + routeConfig = { + Table = "mwan"; + Metric = 9999; + Destination = "2a0e:e701:1120::/48"; + Type = "unreachable"; + }; + } + { + routeConfig = { + Table = "mwan"; + Gateway = "2a0b:cbc0:1::215"; + PreferredSource = "2a0e:e701:1120::1"; + }; + } + # IPv4 + { + routeConfig = { + Scope = "global"; + Table = "mwan"; + Gateway = "10.1.1.49"; + }; + } + ]; + routingPolicyRules = [ + { + routingPolicyRuleConfig = { + From = "45.13.104.24/29"; + Table = "mwan"; + }; + } + { + routingPolicyRuleConfig = { + To = "45.13.104.24/29"; + Table = "mwan"; + }; + } + { + routingPolicyRuleConfig = { + From = "2a0e:e701:1120::/48"; + Table = "mwan"; + }; + } + { + routingPolicyRuleConfig = { + To = "2a0e:e701:1120::/48"; + Table = "mwan"; + }; + } + ]; }; - "60-vlan-nat" = { - name = "vlan-nat"; + "60-vlan-mwan-siit" = { + name = "vlan-mwan-siit"; networkConfig = { - Description = "Nat IPv4 vers renater"; - Address = [ "10.3.161.1/24" ]; - DHCPServer = true; + Description = "SIIT-DC vers MilkyWAN"; + Address = [ "2a0e:e701:1120:1000::1/64" ]; + IPv6SendRA = "yes"; }; - dhcpServerConfig = { - PoolOffset = 50; + ipv6SendRAConfig = { + DNS = [ "2a0e:e701:1120:1000::f:1" ]; }; + ipv6Prefixes = [ + { + ipv6PrefixConfig = { + Prefix = "2a0e:e701:1120:1000::/64"; + }; + } + ]; + routes = [ + { + routeConfig = { + Table = "mwan"; + Destination = "2a0e:e701:1120:1000::/64"; + }; + } + ]; }; - "60-vlan-he" = { - name = "vlan-he"; + "60-vlan-he-dmz" = { + name = "vlan-he-dmz"; networkConfig = { Description = "HE DMZ VLAN"; Address = [ "2001:470:1f13:187::1/64" ]; 
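Review bot: The `ipv6Prefixes` entry on `vlan-mwan-siit` advertises `2a0e:e701:1120:1000::/64` with address autoconfiguration left at its default, so SLAAC hosts will self-assign addresses outside the EAMT /125 that have no IPv4 mapping, and their IPv4-bound traffic will fail silently while still occupying the DMZ prefix; if the SIIT-DC hosts are meant to be statically addressed, add `AddressAutoconfiguration = false;` beside `Prefix` so the RA only supplies the on-link prefix, default route and DNS. The four new `routingPolicyRules` for `45.13.104.24/29` and `2a0e:e701:1120::/48` carry no `Priority`, so their order relative to the `he` rules depends on insertion order; the prefixes look disjoint today, but an explicit `Priority = 100;` on each would make the intent stable. It would also help to note next to the `From`/`To` pairs that the `From` rules are what carry Jool's translated IPv4 packets (sourced from the /29) into the `mwan` table. The `networks` attribute set this hunk edits continues on both sides of the hunk.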
@@ -107,17 +195,7 @@ }; } ]; - routingPolicyRules = [ - { - routingPolicyRuleConfig = { - To = "2001:470:1f13:187::/64"; - Table = "he"; - }; - } - ]; - }; - }; netdevs = { "50-tun-he" = { @@ -141,40 +219,55 @@ Remote = "80.67.167.30"; }; }; - "60-vlan-nat" = { + "60-vlan-mwan-siit" = { netdevConfig = { Kind = "vlan"; - Name = "vlan-nat"; + Name = "vlan-mwan-siit"; }; - vlanConfig.Id = 2510; + vlanConfig.Id = 2520; }; - "60-vlan-he" = { + "60-vlan-he-dmz" = { netdevConfig = { Kind = "vlan"; - Name = "vlan-he"; + Name = "vlan-he-dmz"; }; vlanConfig.Id = 2530; }; }; }; networking = { - nftables = { - enable = true; - tables.nat = { - family = "ip"; - content = '' - chain postrouting { - type nat hook postrouting priority 100; - ip saddr 10.3.161.0/24 snat to 129.199.146.230; - } - ''; - }; - }; firewall = { - allowedUDPPorts = [ 67 ]; + allowedUDPPorts = [ + 67 + 53 + ]; extraInputRules = '' ip protocol gre ip saddr 80.67.167.30 accept; - ''; + ''; + logReversePathDrops = true; + checkReversePath = "loose"; + }; + }; + networking.jool = { + enable = true; + siit.siitdefault = { + global = { + manually-enabled = true; + pool6 = "2a0e:e701:1120:ffff::/96"; + rfc6791v4-prefix = "10.243.0.0/24"; + randomize-rfc6791-addresses = false; + lowest-ipv6-mtu = 1500; + logging-debug = true; + }; + eamt = [ + { + "ipv4 prefix" = "45.13.104.24/29"; + "ipv6 prefix" = "2a0e:e701:1120:1000:ffff::45.13.104.24/125"; + } + ]; + denylist4 = [ + "129.199.146.230/32" # ENS + ]; }; }; @@ -182,5 +275,4 @@ "net.ipv4.ip_forward" = true; "net.ipv6.conf.all.forwarding" = true; }; - } diff --git a/meta/nodes.nix b/meta/nodes.nix index e8d3526..30b4c7f 100644 --- a/meta/nodes.nix +++ b/meta/nodes.nix @@ -34,6 +34,6 @@ hashedPassword = "$y$j9T$aFhOWa05W7VKeKt3Nc.nA1$uBOvG4wf7/yWjwOxO8NLf9ipCsAkS1.5cD2EJpLx57A"; stateVersion = "24.05"; - nixpkgs = "24.05"; + nixpkgs = "unstable"; }; }
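Review bot: The `@@ -141,40 +219,55 @@` hunk removes `networking.nftables.enable = true` but keeps `firewall.extraInputRules`, which NixOS honours only with the nftables backend, so unless nftables is enabled elsewhere the `ip protocol gre ip saddr 80.67.167.30 accept` rule is silently ignored and inbound GRE for the HE tunnel is dropped by the firewall; keep `networking.nftables.enable = true;`. `allowedUDPPorts = [ 67 53 ]` opens DNS on every interface including ens18 and both tunnels, so if a resolver listens on this router it becomes an open resolver reachable from the Internet; scope it with `firewall.interfaces."vlan-mwan-siit".allowedUDPPorts = [ 53 ];` and drop 67 now that the DHCP server on vlan-nat is gone, if nothing else serves DHCP. `logging-debug = true` makes Jool log per packet to the kernel ring buffer, which remote traffic can flood; set it to `false` outside of debugging sessions. `rfc6791v4-prefix = "10.243.0.0/24"` sources translated ICMPv4 errors from RFC 1918 space that upstream bogon filters commonly drop, which breaks PMTUD and traceroute through the translator; a public address, for instance an unused one from the /29, is the usual choice. The `networking` attribute set this hunk edits continues beyond the hunk.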