wip networking

hosts/h003/flake.nix

@@ -29,7 +29,7 @@
               ros_neovim.nixosModules.default
               ./configuration.nix
               ./hardware-configuration.nix
-              # ./networking.nix
+              ./networking.nix
               (
                 { config, pkgs, ... }:
                 {

hosts/h003/hardware-configuration.nix

@@ -85,7 +85,7 @@
   # (the default) this is the recommended approach. When using systemd-networkd it's
   # still possible to use this option, but it's recommended to use it in conjunction
   # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
-  networking.useDHCP = lib.mkDefault true;
+  # networking.useDHCP = lib.mkDefault true;
   # networking.interfaces.enp1s0.useDHCP = lib.mkDefault true;
   # networking.interfaces.enp2s0.useDHCP = lib.mkDefault true;
   # networking.interfaces.wlp3s0.useDHCP = lib.mkDefault true;

hosts/h003/networking.nix

@@ -26,15 +26,24 @@
       vlan10 = {
         id = 10;
         interface = "bond0";
+        # interface = "enp1s0";
       };
       vlan20 = {
         id = 20;
         interface = "bond0";
+        # interface = "enp1s0";
+      };
+      vlan1 = {
+        id = 1;
+        interface = "bond0";
+        # interface = "enp1s0";
       };
     };
 
-    # Interface configuration
+    # enable ipv6 or not
     enableIPv6 = false;
+
+    # Interface configuration
     interfaces = {
       # WAN interface (VLAN 10 - to modem)
       vlan10 = {
@@ -57,44 +66,80 @@
           }
         ];
       };
-    };
 
-    # Enable IP forwarding for routing
+      vlan1.ipv4.addresses = [
-    firewall = {
+        {
-      enable = true;
+          address = "192.168.0.2"; # Management network
-      interfaces = {
+          prefixLength = 24;
-        # WAN interface - allow nothing inbound by default
+        }
-        vlan10 = {
+      ];
-          allowedTCPPorts = [ ];
-          allowedUDPPorts = [ ];
-        };
-        vlan20 = {
-          allowedTCPPorts = [
-            53
-            67
-            68
-            80
-            443
-          ];
-          allowedUDPPorts = [
-            53
-            67
-            68
-            546
-            547
-          ];
-        };
-      };
     };
 
     # NAT configuration
     nat = {
       enable = true;
       externalInterface = "vlan10"; # WAN
-      internalInterfaces = [ "vlan20" ]; # LAN
+      internalInterfaces = [
+        "vlan20"
+        "vlan1"
+      ]; # LAN
       enableIPv6 = lib.mkIf config.networking.enableIPv6 true; # Enable IPv6 NAT
     };
 
+    # Enable IP forwarding for routing
+    firewall = {
+      enable = true;
+      allowPing = true; # For ddiagnostics
+
+      trustedInterfaces = [
+        "vlan20" # Allow all on LAN
+        "vlan1" # Allow all on management
+      ];
+
+      interfaces = {
+        # WAN interface - allow nothing inbound by default
+        vlan10 = {
+          # Block all WAN
+          allowedTCPPorts = [ ];
+          allowedUDPPorts = [ ];
+        };
+
+        # # LAN interface (VLAN 20) - FULL SERVICE
+        # vlan20 = {
+        #   allowedTCPPorts = [
+        #     22 # SSH (if you want to SSH to your router from LAN devices)
+        #     53 # DNS queries
+        #     80 # HTTP (for local web services)
+        #     443 # HTTPS (for local web services)
+        #     # Add other services you run locally (Plex, Home Assistant, etc.)
+        #   ];
+        #   allowedUDPPorts = [
+        #     53 # DNS queries
+        #     67 # DHCP server (dnsmasq)
+        #     68 # DHCP client responses
+        #     # 123 # NTP (if you run a time server)
+        #   ];
+        # };
+        #
+        # # Management interface (VLAN 1) - LIMITED SERVICE
+        # vlan1 = {
+        #   allowedTCPPorts = [
+        #     22 # SSH (for remote admin access)
+        #     53 # DNS
+        #     80 # HTTP (to access switch web interface through the router)
+        #     443
+        #     # HTTPS
+        #   ];
+        #   allowedUDPPorts = [
+        #     53 # DNS
+        #     67 # DHCP server
+        #     68
+        #     # DHCP client
+        #   ];
+        # };
+      };
+    };
+
     # example of port forwarding
     # nat.forwardPorts = [
     #   {
@@ -111,30 +156,34 @@
     alwaysKeepRunning = true;
     settings = {
       # Listen only on LAN interface
-      interface = "vlan20";
+      interface = [
+        "vlan20"
+        "vlan1"
+      ];
       bind-interfaces = true;
 
       # DHCP range and settings
       dhcp-range = [
-        "10.12.14.100,10.12.14.200,24h"
+        "10.12.14.100,10.12.14.200,24h" # LAN devices
+        "192.168.0.10,192.168.0.50,24h" # Management devices
       ]
       ++ lib.optionals config.networking.enableIPv6 [
         # IPv6 DHCP range
         "fd12:14::100,fd12:14::200,64,24h"
       ];
-      dhcp-option = [
+      # dhcp-option = [
-        "option:router,10.12.14.1"
+      #   "option:router,10.12.14.1"
-        "option:dns-server,1.1.1.1,8.8.8.8"
+      #   "option:dns-server,10.12.14.1,1.1.1.1,8.8.8.8"
-        # "option:dns-server10.12.14.??"  # Point to AdGuard,
+      # ];
-      ];
 
       # Static DHCP reservations
       dhcp-host = [
-        "00:BE:43:B9:F4:E0,H001,10.12.14.2"
+        "00:BE:43:B9:F4:E0,H001,10.12.14.10"
-        "C8:C9:A3:2B:7B:19,PRUSA-MK4,10.12.14.108"
+        # TODO add H002 for .11
-        "24:E8:53:73:A3:C6,LGWEBOSTV,10.12.14.128"
+        "C8:C9:A3:2B:7B:19,PRUSA-MK4,10.12.14.21"
-        "2C:CF:67:6A:45:47,HOMEASSISTANT,10.12.14.106"
+        "24:E8:53:73:A3:C6,LGWEBOSTV,10.12.14.30"
-        "2A:D0:EC:FA:B9:7E,PIXEL-6,10.12.14.115"
+        "2C:CF:67:6A:45:47,HOMEASSISTANT,10.12.14.22"
+        "2A:D0:EC:FA:B9:7E,PIXEL-6,10.12.14.31"
       ];
 
       enable-ra = lib.mkIf config.networking.enableIPv6 true;
@@ -145,8 +194,8 @@
         # TODO ad guard
         "1.1.1.1"
         "8.8.8.8"
-        "2606:4700:4700::1111"  # Cloudflare IPv6
+        "2606:4700:4700::1111" # Cloudflare IPv6
-        "2001:4860:4860::8888"  # Google IPv6
+        "2001:4860:4860::8888" # Google IPv6
       ];
     };
   };