diff --git a/hosts/h003/flake.nix b/hosts/h003/flake.nix
index 7b15b5d..b2c4089 100644
--- a/hosts/h003/flake.nix
+++ b/hosts/h003/flake.nix
@@ -29,7 +29,7 @@
 ros_neovim.nixosModules.default
 ./configuration.nix
 ./hardware-configuration.nix
- ./networking.nix
+ # ./networking.nix
 (
 { config, pkgs, ... }:
 {
diff --git a/hosts/h003/hardware-configuration.nix b/hosts/h003/hardware-configuration.nix
index 5d4ee1c..a5ecaa8 100644
--- a/hosts/h003/hardware-configuration.nix
+++ b/hosts/h003/hardware-configuration.nix
@@ -85,7 +85,7 @@
 # (the default) this is the recommended approach. When using systemd-networkd it's
 # still possible to use this option, but it's recommended to use it in conjunction
 # with explicit per-interface declarations with `networking.interfaces..useDHCP`.
- # networking.useDHCP = lib.mkDefault true;
+ networking.useDHCP = lib.mkDefault true;
 # networking.interfaces.enp1s0.useDHCP = lib.mkDefault true;
 # networking.interfaces.enp2s0.useDHCP = lib.mkDefault true;
 # networking.interfaces.wlp3s0.useDHCP = lib.mkDefault true;
diff --git a/hosts/h003/networking.nix b/hosts/h003/networking.nix
index aac021e..8bc5cbb 100644
--- a/hosts/h003/networking.nix
+++ b/hosts/h003/networking.nix
@@ -1,5 +1,6 @@
 {
 config,
+ pkgs,
 lib,
 ...
 }:
@@ -30,16 +31,10 @@
 id = 20;
 interface = "bond0";
 };
- vlan1 = {
- id = 1;
- interface = "bond0";
- };
 };
- # enable ipv6 or not
- enableIPv6 = true;
- # Interface configuration
+ enableIPv6 = false;
 interfaces = {
 # WAN interface (VLAN 10 - to modem)
 vlan10 = {
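Review bot: Commenting out `./networking.nix` removes the whole router definition for this host from the module list — the VLAN/bond interfaces, NAT and the per-interface firewall rules all live in that file — not only the part being reworked, and paired with the `useDHCP` change in the same commit the box comes up as an ordinary DHCP client on every port. If this is a deliberate temporary bypass, record it on the line so nobody reads the stripped-down host as the intended state, e.g. `# ./networking.nix  # TODO: disabled while the VLAN/firewall layout is reworked; no NAT or WAN filtering from this host until re-enabled`. As far as I can tell from here the default NixOS firewall stays active with nothing opened, but whether anything on the WAN side is filtered now depends on the modem rather than on this configuration.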
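Review bot: Uncommenting `networking.useDHCP = lib.mkDefault true;` inside hardware-configuration.nix puts a deliberate policy choice into the file that `nixos-generate-config` regenerates, so it is liable to be silently reverted the next time the file is refreshed; it belongs in configuration.nix or the inline module in flake.nix. On a host that otherwise carries bond and VLAN uplinks, DHCP on every interface also means the ports intended as LAN and WAN will each take a lease from whatever answers on them, so if this is a stop-gap while networking.nix is disabled a comment such as `# temporary: plain DHCP client until networking.nix is re-enabled` would make that clear. The generated comments above the line already recommend the per-interface form `networking.interfaces.<name>.useDHCP`, which would at least confine this to the one uplink that should get a lease.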
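Review bot: Flipping `enableIPv6` to `false` turns IPv6 off for the host (as I recall the NixOS option also sets the disable_ipv6 sysctl), but only some of the IPv6 dependents in this file are gated on it: the dnsmasq `dhcp-range` and `enable-ra` entries are, while the upstream `server` list at the bottom of the file still names the Cloudflare and Google IPv6 resolvers unconditionally, so dnsmasq is configured to forward to addresses the host can no longer reach. Gate them the same way, `++ lib.optionals config.networking.enableIPv6 [ "2606:4700:4700::1111" "2001:4860:4860::8888" ]`. The removed `# enable ipv6 or not` line was the only note on the toggle; a replacement like `# host-wide IPv6 switch; the IPv6 parts of nat/dnsmasq below key off this` would keep its purpose visible.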
@@ -62,90 +57,44 @@
 }
 ];
 };
+ };
- vlan1.ipv4.addresses = [
- {
- address = "192.168.0.2"; # Management network
- prefixLength = 24;
- }
- ];
+ # Enable IP forwarding for routing
+ firewall = {
+ enable = true;
+ interfaces = {
+ # WAN interface - allow nothing inbound by default
+ vlan10 = {
+ allowedTCPPorts = [ ];
+ allowedUDPPorts = [ ];
+ };
+ vlan20 = {
+ allowedTCPPorts = [
+ 53
+ 67
+ 68
+ 80
+ 443
+ ];
+ allowedUDPPorts = [
+ 53
+ 67
+ 68
+ 546
+ 547
+ ];
+ };
+ };
+ };
 # NAT configuration
 nat = {
 enable = true;
 externalInterface = "vlan10"; # WAN
- internalInterfaces = [
- "vlan20"
- "vlan1"
- ]; # LAN
+ internalInterfaces = [ "vlan20" ]; # LAN
 enableIPv6 = lib.mkIf config.networking.enableIPv6 true; # Enable IPv6 NAT
 };
- # Enable IP forwarding for routing
- firewall = {
- enable = true;
- allowPing = true; # For ddiagnostics
-
- trustedInterfaces = [
- "vlan20" # Allow all on LAN
- "vlan1" # Allow all on management
- ];
-
- # Block vlan to vlan communication
- filterForward = true;
- extraForwardRules = ''
- ip saddr 10.12.14.0/24 ip daddr 192.168.0.0/24 drop
- '';
- # extraCommands = ''
- # # Block LAN (vlan20) from accessing Management (vlan1)
- # nft add rule inet nixos-fw forward ip saddr 10.12.14.0/24 ip daddr 192.168.0.0/24 drop
- # '';
-
- interfaces = {
- # WAN interface - allow nothing inbound by default
- vlan10 = {
- # Block all WAN
- allowedTCPPorts = [ ];
- allowedUDPPorts = [ ];
- };
-
- # # LAN interface (VLAN 20) - FULL SERVICE
- # vlan20 = {
- # allowedTCPPorts = [
- # 22 # SSH (if you want to SSH to your router from LAN devices)
- # 53 # DNS queries
- # 80 # HTTP (for local web services)
- # 443 # HTTPS (for local web services)
- # # Add other services you run locally (Plex, Home Assistant, etc.)
- # ];
- # allowedUDPPorts = [
- # 53 # DNS queries
- # 67 # DHCP server (dnsmasq)
- # 68 # DHCP client responses
- # # 123 # NTP (if you run a time server)
- # ];
- # };
- #
- # # Management interface (VLAN 1) - LIMITED SERVICE
- # vlan1 = {
- # allowedTCPPorts = [
- # 22 # SSH (for remote admin access)
- # 53 # DNS
- # 80 # HTTP (to access switch web interface through the router)
- # 443
- # # HTTPS
- # ];
- # allowedUDPPorts = [
- # 53 # DNS
- # 67 # DHCP server
- # 68
- # # DHCP client
- # ];
- # };
- };
- };
-
 # example of port forwarding
 # nat.forwardPorts = [
 # {
@@ -162,34 +111,30 @@
 alwaysKeepRunning = true;
 settings = {
 # Listen only on LAN interface
- interface = [
- "vlan20"
- "vlan1"
- ];
+ interface = "vlan20";
 bind-interfaces = true;
 # DHCP range and settings
 dhcp-range = [
- "10.12.14.100,10.12.14.200,1h" # LAN devices
- "192.168.0.10,192.168.0.50,1h" # Management devices
+ "10.12.14.100,10.12.14.200,24h"
 ] ++ lib.optionals config.networking.enableIPv6 [
 # IPv6 DHCP range
 "fd12:14::100,fd12:14::200,64,24h"
 ];
- # dhcp-option = [
- # "option:router,10.12.14.1"
- # "option:dns-server,10.12.14.1,1.1.1.1,8.8.8.8"
- # ];
+ dhcp-option = [
+ "option:router,10.12.14.1"
+ "option:dns-server,1.1.1.1,8.8.8.8"
+ # "option:dns-server10.12.14.??" # Point to AdGuard,
+ ];
 # Static DHCP reservations
 dhcp-host = [
- "00:BE:43:B9:F4:E0,H001,10.12.14.10"
- # TODO add H002 for .11
- "C8:C9:A3:2B:7B:19,PRUSA-MK4,10.12.14.21"
- "24:E8:53:73:A3:C6,LGWEBOSTV,10.12.14.30"
- "2C:CF:67:6A:45:47,HOMEASSISTANT,10.12.14.22"
- "2A:D0:EC:FA:B9:7E,PIXEL-6,10.12.14.31"
+ "00:BE:43:B9:F4:E0,H001,10.12.14.2"
+ "C8:C9:A3:2B:7B:19,PRUSA-MK4,10.12.14.108"
+ "24:E8:53:73:A3:C6,LGWEBOSTV,10.12.14.128"
+ "2C:CF:67:6A:45:47,HOMEASSISTANT,10.12.14.106"
+ "2A:D0:EC:FA:B9:7E,PIXEL-6,10.12.14.115"
 ];
 enable-ra = lib.mkIf config.networking.enableIPv6 true;
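Review bot: The new vlan20 allow-list opens TCP 67 and 68, but DHCP only uses UDP, so those two entries are dead and make the list harder to audit; the UDP 546/547 (DHCPv6) entries are likewise inert while the same change sets `enableIPv6 = false`. I would reduce it to `allowedTCPPorts = [ 53 80 443 ];` and `allowedUDPPorts = [ 53 67 68 ] ++ lib.optionals config.networking.enableIPv6 [ 546 547 ];`. Replacing `trustedInterfaces` with explicit ports is the right tightening, but nothing in this file now admits TCP 22 from the LAN; whether SSH is reachable depends on `services.openssh.openFirewall` elsewhere, and if that is left at its default it opens 22 on every interface including vlan10, so pin it to false and list 22 under vlan20 if LAN-side admin access is wanted. The comment `# Enable IP forwarding for routing` now heads the firewall block, which does not enable forwarding (that comes with `nat.enable` below); a comment like `# Host firewall: nothing inbound on WAN, only the router's own services on LAN` would describe what the block does.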
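Review bot: `"option:dns-server,1.1.1.1,8.8.8.8"` hands LAN clients the public resolvers directly, so they never query dnsmasq on 10.12.14.1 — the local cache, the port-53 rule just opened on vlan20 and the AdGuard step the adjacent TODO plans for all sit idle, and every client's lookups go straight out to Cloudflare/Google. Point clients at the router instead, `"option:dns-server,10.12.14.1"`, and let dnsmasq's own `server` list decide the upstreams. The placeholder `# "option:dns-server10.12.14.??"` is also missing the comma after `dns-server`, so it will be rejected if uncommented as-is. The reservations now land at .106/.108/.115/.128, inside the dynamic pool .100–.200; dnsmasq withholds reserved addresses from dynamic allocation as far as I know, but keeping fixed hosts outside the pool, as the old .2x/.3x addresses were, is the conventional layout and easier to audit.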
@@ -200,8 +145,8 @@
 # TODO ad guard
 "1.1.1.1"
 "8.8.8.8"
- "2606:4700:4700::1111" # Cloudflare IPv6
- "2001:4860:4860::8888" # Google IPv6
+ "2606:4700:4700::1111" # Cloudflare IPv6
+ "2001:4860:4860::8888" # Google IPv6
 ];
 };
 };