diff --git a/hosts/h003/flake.nix b/hosts/h003/flake.nix
index b2c4089..7b15b5d 100644
--- a/hosts/h003/flake.nix
+++ b/hosts/h003/flake.nix
@@ -29,7 +29,7 @@
 ros_neovim.nixosModules.default
 ./configuration.nix
 ./hardware-configuration.nix
- # ./networking.nix
+ ./networking.nix
 (
 { config, pkgs, ... }:
 {
diff --git a/hosts/h003/hardware-configuration.nix b/hosts/h003/hardware-configuration.nix
index a5ecaa8..5d4ee1c 100644
--- a/hosts/h003/hardware-configuration.nix
+++ b/hosts/h003/hardware-configuration.nix
@@ -85,7 +85,7 @@
 # (the default) this is the recommended approach. When using systemd-networkd it's
 # still possible to use this option, but it's recommended to use it in conjunction
 # with explicit per-interface declarations with `networking.interfaces..useDHCP`.
- networking.useDHCP = lib.mkDefault true;
+ # networking.useDHCP = lib.mkDefault true;
 # networking.interfaces.enp1s0.useDHCP = lib.mkDefault true;
 # networking.interfaces.enp2s0.useDHCP = lib.mkDefault true;
 # networking.interfaces.wlp3s0.useDHCP = lib.mkDefault true;
diff --git a/hosts/h003/networking.nix b/hosts/h003/networking.nix
index 8bc5cbb..106fb8b 100644
--- a/hosts/h003/networking.nix
+++ b/hosts/h003/networking.nix
@@ -26,15 +26,24 @@
 vlan10 = {
 id = 10;
 interface = "bond0";
+ # interface = "enp1s0";
 };
 vlan20 = {
 id = 20;
 interface = "bond0";
+ # interface = "enp1s0";
+ };
+ vlan1 = {
+ id = 1;
+ interface = "bond0";
+ # interface = "enp1s0";
 };
 };
- # Interface configuration
+ # enable ipv6 or not
 enableIPv6 = false;
+
+ # Interface configuration
 interfaces = {
 # WAN interface (VLAN 10 - to modem)
 vlan10 = {
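Review bot: Commenting out `networking.useDHCP` inside hardware-configuration.nix will be undone the next time `nixos-generate-config` regenerates that file; since the generated line uses `lib.mkDefault`, the same effect is obtained by setting `networking.useDHCP = false;` in networking.nix, where the rest of the interface policy lives, and leaving the generated file untouched. With global DHCP off, any physical interface not declared in networking.nix (the hunk's still-commented enp1s0/enp2s0/wlp3s0 entries) comes up with no address, which is presumably intended for a router but worth a one-line comment next to the override so the next reader does not re-enable it.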
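Review bot: The new `vlan1 = { id = 1; interface = "bond0"; ... }` creates a tagged sub-interface for VLAN ID 1 on the bond; on most managed switches VLAN 1 is the untagged native VLAN of a trunk, so frames for this network may arrive untagged and never reach the tagged sub-interface — worth confirming against the switch's trunk configuration, or picking a non-default ID for the management network. The replacement comment `# enable ipv6 or not` says less than it could: `nat.enableIPv6`, dnsmasq's `enable-ra` and the IPv6 `dhcp-range` further down are all gated on this flag, so `# IPv6 master switch: NAT, router advertisements and the IPv6 DHCP range below all follow it` tells a reader what flipping it affects. The three `# interface = "enp1s0";` lines read as dead code; if they are a deliberate fallback for running without the bond, one comment saying so above the first of them would make that clear.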
@@ -57,44 +66,80 @@
 }
 ];
 };
- };
- # Enable IP forwarding for routing
- firewall = {
- enable = true;
- interfaces = {
- # WAN interface - allow nothing inbound by default
- vlan10 = {
- allowedTCPPorts = [ ];
- allowedUDPPorts = [ ];
- };
- vlan20 = {
- allowedTCPPorts = [
- 53
- 67
- 68
- 80
- 443
- ];
- allowedUDPPorts = [
- 53
- 67
- 68
- 546
- 547
- ];
- };
- };
+ vlan1.ipv4.addresses = [
+ {
+ address = "192.168.0.2"; # Management network
+ prefixLength = 24;
+ }
+ ];
 };
 # NAT configuration
 nat = {
 enable = true;
 externalInterface = "vlan10"; # WAN
- internalInterfaces = [ "vlan20" ]; # LAN
+ internalInterfaces = [
+ "vlan20"
+ "vlan1"
+ ]; # LAN
 enableIPv6 = lib.mkIf config.networking.enableIPv6 true; # Enable IPv6 NAT
 };
+ # Enable IP forwarding for routing
+ firewall = {
+ enable = true;
+ allowPing = true; # For ddiagnostics
+
+ trustedInterfaces = [
+ "vlan20" # Allow all on LAN
+ "vlan1" # Allow all on management
+ ];
+
+ interfaces = {
+ # WAN interface - allow nothing inbound by default
+ vlan10 = {
+ # Block all WAN
+ allowedTCPPorts = [ ];
+ allowedUDPPorts = [ ];
+ };
+
+ # # LAN interface (VLAN 20) - FULL SERVICE
+ # vlan20 = {
+ # allowedTCPPorts = [
+ # 22 # SSH (if you want to SSH to your router from LAN devices)
+ # 53 # DNS queries
+ # 80 # HTTP (for local web services)
+ # 443 # HTTPS (for local web services)
+ # # Add other services you run locally (Plex, Home Assistant, etc.)
+ # ];
+ # allowedUDPPorts = [
+ # 53 # DNS queries
+ # 67 # DHCP server (dnsmasq)
+ # 68 # DHCP client responses
+ # # 123 # NTP (if you run a time server)
+ # ];
+ # };
+ #
+ # # Management interface (VLAN 1) - LIMITED SERVICE
+ # vlan1 = {
+ # allowedTCPPorts = [
+ # 22 # SSH (for remote admin access)
+ # 53 # DNS
+ # 80 # HTTP (to access switch web interface through the router)
+ # 443
+ # # HTTPS
+ # ];
+ # allowedUDPPorts = [
+ # 53 # DNS
+ # 67 # DHCP server
+ # 68
+ # # DHCP client
+ # ];
+ # };
+ };
+ };
+
 # example of port forwarding
 # nat.forwardPorts = [
 # {
@@ -111,30 +156,34 @@
 alwaysKeepRunning = true;
 settings = {
 # Listen only on LAN interface
- interface = "vlan20";
+ interface = [
+ "vlan20"
+ "vlan1"
+ ];
 bind-interfaces = true;
 # DHCP range and settings
 dhcp-range = [
- "10.12.14.100,10.12.14.200,24h"
+ "10.12.14.100,10.12.14.200,24h" # LAN devices
+ "192.168.0.10,192.168.0.50,24h" # Management devices
 ] ++ lib.optionals config.networking.enableIPv6 [
 # IPv6 DHCP range
 "fd12:14::100,fd12:14::200,64,24h"
 ];
- dhcp-option = [
- "option:router,10.12.14.1"
- "option:dns-server,1.1.1.1,8.8.8.8"
- # "option:dns-server10.12.14.??" # Point to AdGuard,
- ];
+ # dhcp-option = [
+ # "option:router,10.12.14.1"
+ # "option:dns-server,10.12.14.1,1.1.1.1,8.8.8.8"
+ # ];
 # Static DHCP reservations
 dhcp-host = [
- "00:BE:43:B9:F4:E0,H001,10.12.14.2"
- "C8:C9:A3:2B:7B:19,PRUSA-MK4,10.12.14.108"
- "24:E8:53:73:A3:C6,LGWEBOSTV,10.12.14.128"
- "2C:CF:67:6A:45:47,HOMEASSISTANT,10.12.14.106"
- "2A:D0:EC:FA:B9:7E,PIXEL-6,10.12.14.115"
+ "00:BE:43:B9:F4:E0,H001,10.12.14.10"
+ # TODO add H002 for .11
+ "C8:C9:A3:2B:7B:19,PRUSA-MK4,10.12.14.21"
+ "24:E8:53:73:A3:C6,LGWEBOSTV,10.12.14.30"
+ "2C:CF:67:6A:45:47,HOMEASSISTANT,10.12.14.22"
+ "2A:D0:EC:FA:B9:7E,PIXEL-6,10.12.14.31"
 ];
 enable-ra = lib.mkIf config.networking.enableIPv6 true;
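Review bot: `trustedInterfaces = [ "vlan20" "vlan1" ]` exposes every listening service on the router to both the LAN and the management VLAN, replacing the explicit per-port allowlist (53, 67, 68, 80, 443 and the DHCPv6 ports) that the removed `firewall.interfaces.vlan20` block had; the tighter inbound policy is already written in the commented-out `vlan20`/`vlan1` entries, so dropping the `trustedInterfaces` lines and uncommenting those entries keeps least privilege on the inside interfaces as well as on vlan10. `internalInterfaces` now lists both VLANs, and with forwarding enabled by the `nat` block nothing in this hunk filters traffic between vlan20 and vlan1, so if the management network is meant to be reachable only from the router a forward rule is needed (`networking.firewall.extraForwardRules` on the nftables backend, `extraCommands` on iptables) — I cannot confirm from this diff which backend is in use. The comment `# Enable IP forwarding for routing` now sits above `firewall = {` although forwarding comes from `nat`; `# Host firewall: inbound policy per interface` fits the block, and `# For ddiagnostics` has a typo. The hunk ends inside the `nat.forwardPorts` example and the enclosing attribute set closes outside it.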
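Review bot: The comment `# Listen only on LAN interface` is stale now that `interface` lists both `vlan20` and `vlan1`; `# Bind dnsmasq to the LAN and management VLANs only (bind-interfaces keeps it off vlan10)` describes the new code and says why `bind-interfaces = true` matters. Commenting out `dhcp-option` also removes the explicit `option:router` and `option:dns-server` values; dnsmasq then advertises its own address on each interface for both, so LAN clients now resolve through dnsmasq rather than 1.1.1.1/8.8.8.8 directly — likely intended given the AdGuard TODO elsewhere in the file, but a one-line comment above the commented block (`# intentionally unset: dnsmasq advertises itself as router and resolver`) would keep it from reading as an accident. The management range `192.168.0.10,192.168.0.50` sits on the same /24 as the router's `192.168.0.2`; if the switch or modem on vlan1 also runs a DHCP server, two servers will answer on that segment, which I cannot verify here. The `settings` attribute set continues past the end of the hunk.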
@@ -145,8 +194,8 @@
 # TODO ad guard
 "1.1.1.1"
 "8.8.8.8"
- "2606:4700:4700::1111" # Cloudflare IPv6
- "2001:4860:4860::8888" # Google IPv6
+ "2606:4700:4700::1111" # Cloudflare IPv6
+ "2001:4860:4860::8888" # Google IPv6
 ];
 };
 };