From 411795c664374549e5e831722a80180b51fbf0d5 Mon Sep 17 00:00:00 2001
From: catvayor
Date: Fri, 31 May 2024 20:29:53 +0200
Subject: [PATCH] fix(routing): clean icmp storm

---
 machines/vault01/networking.nix | 18 +++++++++++++++---
 meta/network.nix | 12 +----------
 2 files changed, 16 insertions(+), 14 deletions(-)

diff --git a/machines/vault01/networking.nix b/machines/vault01/networking.nix
index ad1ffe0..db31c60 100644
--- a/machines/vault01/networking.nix
+++ b/machines/vault01/networking.nix
@@ -116,7 +116,16 @@ let
 
   vlan-admin-ap = {
     Id = 3001;
-    address = [ "fd26:baf9:d250:8010::1/60" ];
+    address = [ "fd26:baf9:d250:8001::1/64" ];
+    extraNetwork.ipv6Prefixes = [
+      {
+        ipv6PrefixConfig = {
+          AddressAutoconfiguration = false;
+          OnLink = false;
+          Prefix = "fd26:baf9:d250:8001::/64";
+        };
+      }
+    ];
   };
 
   vlan-apro = {
@@ -229,12 +238,15 @@ in
        content = ''
          chain postrouting {
            type nat hook postrouting priority 100;
-           snat ip to 129.199.195.130-129.199.195.158
+           ip saddr 10.0.0.0/16 snat ip to 129.199.195.130-129.199.195.158
          }
        '';
      };
    };
-   firewall.allowedUDPPorts = [ 67 ];
+   firewall = {
+     allowedUDPPorts = [ 67 ];
+     checkReversePath = false;
+   };
  };
 
  boot.kernel.sysctl."net.ipv4.ip_forward" = true;
diff --git a/meta/network.nix b/meta/network.nix
index 91da1cb..d4ce6c2 100644
--- a/meta/network.nix
+++ b/meta/network.nix
@@ -98,17 +98,7 @@
       {
         # see also machines/vault01/networking.nix
         address = "129.199.195.129";
-        prefixLength = 27;
-      }
-    ];
-    gateways = [ ];
-    enableDefaultDNS = true;
-  };
-  enp130s0f0 = {
-    ipv4 = [
-      {
-        address = "192.168.42.7";
-        prefixLength = 24;
+        prefixLength = 32;
       }
     ];
     gateways = [ ];
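Review bot: The reason for shrinking the vlan-admin-ap address from `fd26:baf9:d250:8010::1/60` to a /64, and for advertising that same /64 with both `AddressAutoconfiguration` and `OnLink` set to false, is not recorded anywhere in the file; a prefix option with both flags cleared gives downstream hosts neither an address nor an on-link hint, so its intended effect is not obvious to the next reader. Presumably the old on-link /60 overlapped sub-prefixes that are routed onward and that overlap is the ICMP storm the subject refers to, but that is inferred, not visible in the hunk. I would put a comment above `extraNetwork.ipv6Prefixes` along the lines of `# announce the /64 only (not on-link, no SLAAC): the on-link /60 overlapped routed sub-prefixes -- TODO confirm this was the storm's cause`. The enclosing `let` binding list starts and ends outside the hunk.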
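Review bot: `checkReversePath = false` switches reverse-path filtering off for every interface on the host, which also drops the anti-spoofing check on the public uplink, whereas the new `ip saddr 10.0.0.0/16` match in the SNAT rule suggests the asymmetric path is only on the internal side (the interface layout itself is not in the hunk, so this is inferred). NixOS also accepts `checkReversePath = "loose"`, which still rejects packets whose source address has no route via any interface and is usually sufficient for asymmetric routing; I would try that before disabling the check entirely. Whichever value stays, record why it is needed next to it, e.g. `checkReversePath = "loose"; # replies return via <interface -- TODO name it>, strict rpfilter dropped them`. The surrounding `networking` attribute set begins outside the hunk.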
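Review bot: Narrowing 129.199.195.129 to `prefixLength = 32` removes the on-link route for the /27, yet the SNAT pool in machines/vault01/networking.nix (129.199.195.130-129.199.195.158) still lies inside that /27, and how replies to those addresses reach this host afterwards (a route or proxy-ARP on the upstream side, presumably) is not visible in this diff. The existing `# see also machines/vault01/networking.nix` line is the natural place to state it, e.g. `# /32 on purpose: the rest of 129.199.195.128/27 is the SNAT pool and is reached via the upstream router, not on-link`. The same hunk also removes the enp130s0f0 interface (192.168.42.7/24), which the subject line does not mention; if that is part of the same cleanup, a sentence in the commit message would make the intent clear. The enclosing interface attribute set starts and ends outside the hunk.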