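# NixOS module for a small router: two uplinks (wlo1, enp1s0), one host with a
# static public /32 (enp2s0) and one private LAN (enp3s0) served by dnsmasq.
{ config, lib, pkgs, ... }:
let
  # Rule specs are written once (everything after the -A/-D verb) so that the
  # commands which install a rule and the commands which remove it cannot drift.
  natRules = [
    # Source-NAT everything leaving through either uplink.
    "POSTROUTING -o wlo1 -j MASQUERADE"
    "POSTROUTING -o enp1s0 -j MASQUERADE"
  ];

  forwardRules = [
    # LAN (enp3s0) -> uplinks: new connections allowed outbound, only reply
    # traffic allowed back in.
    "FORWARD -i enp3s0 -o wlo1 -j ACCEPT"
    "FORWARD -i wlo1 -o enp3s0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT"
    "FORWARD -i enp3s0 -o enp1s0 -j ACCEPT"
    "FORWARD -i enp1s0 -o enp3s0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT"
    # HPE (enp2s0) <-> enp1s0: accepted in BOTH directions with no state match,
    # so new inbound connections from enp1s0 reach the HPE side.
    # NOTE(review): presumably intentional because enp2s0 carries a public /32;
    # confirm, or restrict the inbound rule to the ports that must be reachable.
    "FORWARD -i enp2s0 -o enp1s0 -j ACCEPT"
    "FORWARD -i enp1s0 -o enp2s0 -j ACCEPT"
  ];

  # Appended to every delete command: the firewall scripts run under `sh -e`,
  # and deleting a rule that is not present must not abort them.
  ignoreMissing = " 2>/dev/null || true";

  # Render one iptables command per rule spec.
  mkRules = table: verb: suffix: specs:
    lib.concatMapStrings
      (spec: "iptables -t ${table} ${verb} ${spec}${suffix}\n")
      specs;
in
{
  boot.kernel.sysctl = {
    "net.ipv4.conf.all.forwarding" = true;
    # NOTE(review): IPv6 forwarding is switched on, but every rule below uses
    # `iptables` (IPv4 only), so forwarded IPv6 traffic is not filtered by this
    # file. Disable it or add matching ip6tables rules if IPv6 is routed here.
    "net.ipv6.conf.all.forwarding" = true;
  };

  networking = {
    interfaces = {
      # wan wifi
      wlo1.useDHCP = true;

      # cri
      enp1s0.useDHCP = true;

      # HPE: static host address (/32, no on-link subnet), jumbo frames.
      enp2s0 = {
        useDHCP = false;
        ipv4.addresses = [{
          address = "129.199.156.112";
          prefixLength = 32;
        }];
        mtu = 9000;
      };

      # thurne: private LAN, this machine is 192.168.42.1/24, jumbo frames.
      enp3s0 = {
        useDHCP = false;
        ipv4.addresses = [{
          address = "192.168.42.1";
          prefixLength = 24;
        }];
        mtu = 9000;
      };
    };

    nat = {
      enable = true;
      extraCommands = mkRules "nat" "-A" "" natRules;
      # The rules are appended to the built-in POSTROUTING chain, which the NAT
      # module does not flush; without a matching delete they are duplicated on
      # every firewall reload.
      extraStopCommands = mkRules "nat" "-D" ignoreMissing natRules;
    };

    firewall = {
      enable = true;
      # NOTE(review): nothing in this file sets a default-drop policy on
      # FORWARD. With the kernel default (ACCEPT) the rules below filter
      # nothing, and the RELATED,ESTABLISHED restriction on the uplink -> LAN
      # direction is not enforced. Confirm the policy is set elsewhere.
      extraCommands = mkRules "filter" "-A" "" forwardRules;
      # Same reasoning as for NAT: FORWARD is a built-in chain that the NixOS
      # firewall leaves alone, so remove our rules before they are re-added.
      extraStopCommands = mkRules "filter" "-D" ignoreMissing forwardRules;
    };
  };

  # DNS + DHCP for the downstream interfaces.
  # NOTE(review): this file opens no firewall ports for DNS (53) or DHCP (67);
  # presumably handled in another module - confirm.
  services.dnsmasq = {
    enable = true;
    settings = {
      # dnsmasq listens on both downstream interfaces, but the only dhcp-range
      # below is inside 192.168.42.0/24 (the enp3s0 network).
      interface = [ "enp2s0" "enp3s0" ];
      bind-dynamic = true;
      # DHCP option 3 (router); dnsmasq replaces 0.0.0.0 with its own address.
      dhcp-option = "3,0.0.0.0";
      dhcp-range = "192.168.42.2,192.168.42.254,255.255.255.0,12h";
      # dhcp-host = "a8:b1:3b:75:6f:92,129.199.224.96";
    };
  };
}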