forked from DGNum/liminix
example config for ppoe router
hard cases make bad law
This commit is contained in:
parent
c37332910a
commit
fe1b33f307
2 changed files with 231 additions and 0 deletions
16
nat.nft
Normal file
16
nat.nft
Normal file
|
@ -0,0 +1,16 @@
|
||||||
|
#!/usr/bin/nft -f
|
||||||
|
|
||||||
|
flush ruleset
|
||||||
|
|
||||||
|
table ip nat {
|
||||||
|
chain prerouting {
|
||||||
|
type nat hook prerouting priority 0; policy accept;
|
||||||
|
}
|
||||||
|
|
||||||
|
# for all packets to WAN, after routing, replace source address with primary IP of WAN interface
|
||||||
|
chain postrouting {
|
||||||
|
type nat hook postrouting priority 100; policy accept;
|
||||||
|
oifname "ppp0" masquerade
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
215
rotuer.nix
Normal file
215
rotuer.nix
Normal file
|
@ -0,0 +1,215 @@
|
||||||
|
# This is not part of Liminix per se. This is my "scratchpad"
|
||||||
|
# configuration for the device I'm testing with.
|
||||||
|
#
|
||||||
|
# Parts of it do do things that Liminix eventually needs to do, but
|
||||||
|
# don't look in here for solutions - just for identifying the
|
||||||
|
# problems.
|
||||||
|
|
||||||
|
|
||||||
|
{ config, pkgs, lib, ... } :
|
||||||
|
let
|
||||||
|
secrets = import ./rotuer-secrets.nix;
|
||||||
|
inherit (pkgs.liminix.networking)
|
||||||
|
address
|
||||||
|
bridge
|
||||||
|
dnsmasq
|
||||||
|
hostapd
|
||||||
|
interface
|
||||||
|
pppoe
|
||||||
|
route;
|
||||||
|
inherit (pkgs.liminix.services) oneshot longrun bundle target;
|
||||||
|
inherit (pkgs)
|
||||||
|
waitup
|
||||||
|
serviceFns
|
||||||
|
iptables;
|
||||||
|
in rec {
|
||||||
|
services.loopback =
|
||||||
|
let iface = interface { type = "loopback"; device = "lo";};
|
||||||
|
in bundle {
|
||||||
|
name = "loopback";
|
||||||
|
contents = [
|
||||||
|
(address iface { family = "inet4"; address ="127.0.0.1"; prefixLength = 8;})
|
||||||
|
(address iface { family = "inet6"; address ="::1"; prefixLength = 128;})
|
||||||
|
];
|
||||||
|
};
|
||||||
|
|
||||||
|
boot = {
|
||||||
|
tftp = {
|
||||||
|
enable = true;
|
||||||
|
serverip = "10.0.0.1";
|
||||||
|
ipaddr = "10.0.0.8";
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
|
imports = [
|
||||||
|
./modules/wlan.nix
|
||||||
|
./modules/phram.nix
|
||||||
|
];
|
||||||
|
|
||||||
|
kernel = {
|
||||||
|
config = {
|
||||||
|
PPP = "y";
|
||||||
|
PPP_BSDCOMP = "y";
|
||||||
|
PPP_DEFLATE = "y";
|
||||||
|
PPP_ASYNC = "y";
|
||||||
|
PPP_SYNC_TTY = "y";
|
||||||
|
BRIDGE = "y";
|
||||||
|
|
||||||
|
NETFILTER_XT_MATCH_CONNTRACK = "y";
|
||||||
|
|
||||||
|
IP6_NF_IPTABLES= "y";
|
||||||
|
IP_NF_IPTABLES= "y";
|
||||||
|
IP_NF_NAT = "y";
|
||||||
|
IP_NF_TARGET_MASQUERADE = "y";
|
||||||
|
NETFILTER = "y";
|
||||||
|
NETFILTER_ADVANCED = "y";
|
||||||
|
NETFILTER_XTABLES = "y";
|
||||||
|
|
||||||
|
NFT_COMPAT = "y";
|
||||||
|
NFT_CT = "y";
|
||||||
|
NFT_LOG = "y";
|
||||||
|
NFT_MASQ = "y";
|
||||||
|
NFT_NAT = "y";
|
||||||
|
NFT_REJECT = "y";
|
||||||
|
NFT_REJECT_INET = "y";
|
||||||
|
|
||||||
|
NF_CONNTRACK = "y";
|
||||||
|
NF_NAT = "y";
|
||||||
|
NF_NAT_MASQUERADE = "y";
|
||||||
|
NF_TABLES= "y";
|
||||||
|
NF_TABLES_INET = "y";
|
||||||
|
NF_TABLES_IPV4 = "y";
|
||||||
|
NF_TABLES_IPV6 = "y";
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
|
services.lan =
|
||||||
|
let iface = interface {
|
||||||
|
type = "bridge";
|
||||||
|
device = "lan";
|
||||||
|
};
|
||||||
|
in address iface {
|
||||||
|
family = "inet4"; address ="10.8.0.1"; prefixLength = 16;
|
||||||
|
};
|
||||||
|
|
||||||
|
services.wireless = interface {
|
||||||
|
type = "hardware";
|
||||||
|
device = "wlan0";
|
||||||
|
dependencies = [ config.services.wlan_module ];
|
||||||
|
};
|
||||||
|
|
||||||
|
services.wired = interface {
|
||||||
|
type = "hardware";
|
||||||
|
device = "eth0";
|
||||||
|
primary = services.lan;
|
||||||
|
};
|
||||||
|
|
||||||
|
services.hostap = hostapd (services.wireless) {
|
||||||
|
params = {
|
||||||
|
ssid = "liminix";
|
||||||
|
country_code = "GB";
|
||||||
|
hw_mode="g";
|
||||||
|
channel = "2";
|
||||||
|
wmm_enabled = 1;
|
||||||
|
ieee80211n = 1;
|
||||||
|
inherit (secrets) wpa_passphrase;
|
||||||
|
auth_algs = 1; # 1=wpa2, 2=wep, 3=both
|
||||||
|
wpa = 2; # 1=wpa, 2=wpa2, 3=both
|
||||||
|
wpa_key_mgmt = "WPA-PSK";
|
||||||
|
wpa_pairwise = "TKIP CCMP"; # auth for wpa (may not need this?)
|
||||||
|
rsn_pairwise = "CCMP"; # auth for wpa2
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
|
services.bridgewlan =
|
||||||
|
let waitup-wlan = longrun {
|
||||||
|
name = "waitup-wlan0";
|
||||||
|
run = "${waitup}/bin/waitup wlan0 10";
|
||||||
|
notification-fd = 10;
|
||||||
|
dependencies = [ services.wireless services.hostap ];
|
||||||
|
};
|
||||||
|
in oneshot {
|
||||||
|
name = "add-wlan-to-bridge";
|
||||||
|
up = "ip link set dev ${services.wireless.device} master ${services.lan.device}";
|
||||||
|
down = "ip link set dev ${services.wireless.device} nomaster";
|
||||||
|
dependencies = [ waitup-wlan ];
|
||||||
|
};
|
||||||
|
|
||||||
|
users.dnsmasq = {
|
||||||
|
uid = 51; gid= 51; gecos = "DNS/DHCP service user";
|
||||||
|
dir = "/run/dnsmasq";
|
||||||
|
shell = "/bin/false";
|
||||||
|
};
|
||||||
|
groups.dnsmasq = {
|
||||||
|
gid = 51; usernames = ["dnsmasq"];
|
||||||
|
};
|
||||||
|
groups.system.usernames = ["dnsmasq"];
|
||||||
|
|
||||||
|
services.dns =
|
||||||
|
dnsmasq {
|
||||||
|
resolvconf = services.resolvconf;
|
||||||
|
interface = services.lan;
|
||||||
|
ranges = ["10.8.0.10,10.8.0.240"];
|
||||||
|
domain = "fake.liminix.org";
|
||||||
|
};
|
||||||
|
|
||||||
|
services.wan =
|
||||||
|
let iface = interface { type = "hardware"; device = "eth1"; };
|
||||||
|
in pppoe iface {
|
||||||
|
ppp-options = [
|
||||||
|
"debug" "+ipv6" "noauth"
|
||||||
|
"name" secrets.l2tp.name
|
||||||
|
"password" secrets.l2tp.password
|
||||||
|
];
|
||||||
|
};
|
||||||
|
|
||||||
|
services.resolvconf = oneshot rec {
|
||||||
|
dependencies = [ services.wan ];
|
||||||
|
name = "resolvconf";
|
||||||
|
up = ''
|
||||||
|
. ${serviceFns}
|
||||||
|
( cd `mkoutputs ${name}`; umask 0027
|
||||||
|
echo "nameserver $(output ${services.wan} ns1)" > resolv.conf
|
||||||
|
echo "nameserver $(output ${services.wan} ns2)" >> resolv.conf
|
||||||
|
)
|
||||||
|
'';
|
||||||
|
down = ''
|
||||||
|
rm -rf /run/service-state/${name}/
|
||||||
|
'';
|
||||||
|
};
|
||||||
|
|
||||||
|
services.defaultroute4 = route {
|
||||||
|
name = "defaultroute";
|
||||||
|
via = "$(output ${services.wan} address)";
|
||||||
|
target = "default";
|
||||||
|
dependencies = [ services.wan ];
|
||||||
|
};
|
||||||
|
|
||||||
|
services.packet_forwarding =
|
||||||
|
let filename = "/proc/sys/net/ipv4/conf/all/forwarding";
|
||||||
|
in oneshot {
|
||||||
|
name = "let-the-ip-flow";
|
||||||
|
up = ''
|
||||||
|
${pkgs.nftables}/bin/nft -f ${./nat.nft}
|
||||||
|
echo 1 > ${filename}
|
||||||
|
'';
|
||||||
|
down = "echo 0 > ${filename}";
|
||||||
|
};
|
||||||
|
|
||||||
|
services.default = target {
|
||||||
|
name = "default";
|
||||||
|
contents = with services; [
|
||||||
|
loopback
|
||||||
|
wired
|
||||||
|
wireless
|
||||||
|
lan
|
||||||
|
hostap
|
||||||
|
defaultroute4
|
||||||
|
packet_forwarding
|
||||||
|
dns
|
||||||
|
bridgewlan
|
||||||
|
resolvconf
|
||||||
|
];
|
||||||
|
};
|
||||||
|
defaultProfile.packages = with pkgs; [ nftables strace tcpdump ] ;
|
||||||
|
}
|
Loading…
Reference in a new issue